/*
* MacRuby interface to sandbox/seatbelt.
*
* This file is covered by the Ruby license. See COPYING for more details.
*
* Copyright (C) 2012, The MacRuby Team. All rights reserved.
* Copyright (C) 2011, Apple Inc. All rights reserved.
*/
#include <sandbox.h>
#include "macruby_internal.h"
#include "ruby/util.h"
/* The Ruby-visible Sandbox class; created in Init_sandbox(). */
static VALUE rb_cSandbox;

/*
 * Per-instance state, wrapped as a Data object by rb_sandbox_s_alloc().
 * Both fields are handed straight to sandbox_init() by rb_sandbox_apply().
 */
typedef struct {
    /* Profile string. Either an owned copy of a user-supplied string
     * (rb_sandbox_init(), flags == 0) or a predefined kSBXProfile* name
     * borrowed from <sandbox.h> (predefined_sandbox(), flags == SANDBOX_NAMED).
     * NULL until one of those has run. */
    const char *profile;
    /* sandbox_init() flags: 0 or SANDBOX_NAMED. */
    uint64_t flags;
} rb_sandbox_t;
/*
 * Sandbox.alloc: allocate a blank rb_sandbox_t (no profile, flags 0) and
 * wrap it in a new Data object of `klass`. No mark or free callback is
 * registered with Data_Wrap_Struct.
 */
static VALUE
rb_sandbox_s_alloc(VALUE klass, SEL sel)
{
    rb_sandbox_t *box = ALLOC(rb_sandbox_t);
    *box = (rb_sandbox_t){ .profile = NULL, .flags = 0 };
    return Data_Wrap_Struct(klass, NULL, NULL, box);
}
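/*
 * Sandbox#initialize(profile): store a private copy of the profile string
 * and mark the instance as a custom (non-named) profile, flags == 0.
 *
 * `profile` must be a String (or convertible via to_str) without an embedded
 * NUL byte: the copy is later passed to sandbox_init() as a C string, so a
 * NUL would silently truncate the profile that actually gets enforced.
 * StringValueCStr raises ArgumentError in that case. A frozen instance (the
 * predefined sandboxes are frozen) is rejected with the usual frozen-object
 * error, so its profile cannot be swapped out from Ruby.
 */
static VALUE
rb_sandbox_init(VALUE obj, SEL sel, VALUE profile)
{
    rb_sandbox_t *box;

    rb_check_frozen(obj);
    /* Validates String-ness and rejects embedded NUL bytes. */
    const char *src = StringValueCStr(profile);
    Data_Get_Struct(obj, rb_sandbox_t, box);
    /* GC_WB: MacRuby write barrier for storing a pointer into GC'd memory. */
    GC_WB(&box->profile, ruby_strdup(src));
    box->flags = 0;
    return obj;
}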
/*
 * Build a frozen Sandbox for one of the predefined profile names from
 * <sandbox.h> (flags = SANDBOX_NAMED). `name` is stored by pointer, not
 * copied, so it must outlive the object; the kSBXProfile* globals do.
 */
static inline VALUE
predefined_sandbox(const char *name)
{
    rb_sandbox_t *box;
    VALUE sandbox = rb_sandbox_s_alloc(rb_cSandbox, 0);

    Data_Get_Struct(sandbox, rb_sandbox_t, box);
    box->flags = SANDBOX_NAMED;
    box->profile = name;
    /* Frozen so the named profile cannot be altered from Ruby. */
    rb_obj_freeze(sandbox);
    return sandbox;
}
/* Sandbox.no_internet: frozen sandbox for the kSBXProfileNoInternet profile. */
static VALUE
rb_sandbox_s_no_internet(VALUE klass, SEL sel)
{
    VALUE sandbox = predefined_sandbox(kSBXProfileNoInternet);
    return sandbox;
}
/* Sandbox.no_network: frozen sandbox for the kSBXProfileNoNetwork profile. */
static VALUE
rb_sandbox_s_no_network(VALUE klass, SEL sel)
{
    VALUE sandbox = predefined_sandbox(kSBXProfileNoNetwork);
    return sandbox;
}
/* Sandbox.no_writes: frozen sandbox for the kSBXProfileNoWrite profile. */
static VALUE
rb_sandbox_s_no_writes(VALUE klass, SEL sel)
{
    VALUE sandbox = predefined_sandbox(kSBXProfileNoWrite);
    return sandbox;
}
/*
 * Sandbox.temporary_writes: frozen sandbox for the
 * kSBXProfileNoWriteExceptTemporary profile.
 */
static VALUE
rb_sandbox_s_temporary_writes(VALUE klass, SEL sel)
{
    VALUE sandbox = predefined_sandbox(kSBXProfileNoWriteExceptTemporary);
    return sandbox;
}
/*
 * Sandbox.pure_computation: frozen sandbox for the
 * kSBXProfilePureComputation profile.
 */
static VALUE
rb_sandbox_s_pure_computation(VALUE klass, SEL sel)
{
    VALUE sandbox = predefined_sandbox(kSBXProfilePureComputation);
    return sandbox;
}
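/*
 * Sandbox#apply!: confine the *current process* by calling sandbox_init()
 * with this instance's profile and flags. Once applied the restriction stays
 * for the life of the process. Returns nil.
 *
 * Raises SecurityError if the instance was allocated but never given a
 * profile, or if sandbox_init() fails, in which case the message reported by
 * sandbox_init() is included. That message is a buffer that must be released
 * with sandbox_free_error(); since rb_raise() never returns, it is copied
 * into a Ruby string before being freed.
 */
static VALUE
rb_sandbox_apply(VALUE self, SEL sel)
{
    rb_sandbox_t *box;
    Data_Get_Struct(self, rb_sandbox_t, box);

    /* Sandbox.alloc.apply! would otherwise hand NULL to sandbox_init(). */
    if (box->profile == NULL) {
        rb_raise(rb_eSecurityError, "Couldn't apply sandbox: no profile set");
    }

    char *error = NULL;
    if (sandbox_init(box->profile, box->flags, &error) == -1) {
        VALUE msg = rb_str_new2("unknown error");
        if (error != NULL) {
            /* Copy before freeing: rb_raise longjmps past any cleanup. */
            msg = rb_str_new2(error);
            sandbox_free_error(error);
        }
        rb_raise(rb_eSecurityError, "Couldn't apply sandbox: `%s`", RSTRING_PTR(msg));
    }
    return Qnil;
}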
/*
 * Register the Sandbox class: `alloc` and the predefined-profile constructors
 * as singleton methods, `initialize` and `apply!` as instance methods.
 */
void
Init_sandbox(void)
{
    rb_cSandbox = rb_define_class("Sandbox", rb_cData);

    /* Singleton methods are defined on the class object's first word
     * (its metaclass in MacRuby), the same target the other extensions use. */
    VALUE meta = *(VALUE *)rb_cSandbox;
    rb_objc_define_method(meta, "alloc", rb_sandbox_s_alloc, 0);
    rb_objc_define_method(meta, "no_internet", rb_sandbox_s_no_internet, 0);
    rb_objc_define_method(meta, "no_network", rb_sandbox_s_no_network, 0);
    rb_objc_define_method(meta, "no_writes", rb_sandbox_s_no_writes, 0);
    rb_objc_define_method(meta, "temporary_writes", rb_sandbox_s_temporary_writes, 0);
    rb_objc_define_method(meta, "pure_computation", rb_sandbox_s_pure_computation, 0);

    rb_objc_define_method(rb_cSandbox, "initialize", rb_sandbox_init, 1);
    rb_objc_define_method(rb_cSandbox, "apply!", rb_sandbox_apply, 0);
}