pledge
pledge exposes OpenBSD’s pledge(2) system call to ruby, allowing a program to restrict the types of operations the program can do after that point. Unlike other similar systems, pledge is specifically designed for programs that need to use a wide variety of operations on initialization, but a fewer number after initialization (when user input will be accepted).
pledge(2) is supported on OpenBSD 5.9+. pledge(2) supports a second argument for execpromises on OpenBSD 6.3+.
Usage
First, you need to require the library
require 'pledge'
Then you can use Pledge.pledge
as the interface to the pledge(2) system call. You pass Pledge.pledge
a string containing tokens for the operations you would like to allow (called promises). For example, if you want to give the process the ability to read from the file system, but not write to the file system or allow network access:
Pledge.pledge("rpath")
To allow read/write filesystem access, but not network access:
Pledge.pledge("rpath wpath cpath")
To allow inet/unix socket access and DNS queries, but not filesystem access:
Pledge.pledge("inet unix dns")
If you want to use pledging in a console application such as irb or pry, you must include the tty promise:
Pledge.pledge("tty rpath")
You can pass a second string argument containing tokens for the operations you would like to allow in spawned processes (called execpromises). To allow spawning processes that have read/write filesystem access only, but not network access:
Pledge.pledge("proc exec rpath", "stdio rpath wpath cpath")
Pledge
is a module that extends itself, you can include it in other classes:
Object.send(:include, Pledge)
pledge("rpath")
Options
See the pledge(2) man page for a description of the allowed promises in the strings passed to Pledge.pledge
.
Using an unsupported promise will raise an exception. The “stdio” promise is added automatically to the current process’s promises, as ruby does not function without it, but it is not added to the execpromises (as you can execute non-ruby programs).
Reporting issues/bugs
This library uses GitHub Issues for tracking issues/bugs:
https://github.com/jeremyevans/ruby-pledge/issues
Contributing
The source code is on GitHub:
https://github.com/jeremyevans/ruby-pledge
To get a copy:
git clone git://github.com/jeremyevans/ruby-pledge.git
Requirements
-
OpenBSD 5.9+
-
ruby 1.8.7+
-
rake-compiler (if compiling)
Compiling
To build the library from a git checkout, use the compile task.
rake compile
Running the specs
The rake spec task runs the specs. This is also the default rake task. This will compile the library if not already compiled.
rake
Author
Jeremy Evans <[email protected]>