unveil exposes OpenBSD's unveil(2) system call to Ruby, allowing a program to restrict its own view of the filesystem.
unveil(2) is supported on OpenBSD 6.4+.
First, you need to require the library
Then you can use Unveil.unveil as the interface to the unveil(2) system call. You pass Unveil.unveil a string containing a directory, and a string containing the permissions. For example, if you want to give the process the ability to only read the /tmp directory, but not write to it:
Once the list of paths has been finalized, call Unveil.lock! to prevent further access to the unveil(2) system call.
See the unveil(2) man page for a description of the allowed permissions passed to Unveil.unveil.
Using an unsupported permission string will raise an exception.
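The usage described above, as an added example that is not part of the README: a process limits itself to a read-only view of /tmp plus a writable log directory (the paths and the restrict_filesystem/validate_perms helpers are assumptions for illustration), then locks. Permission characters are checked locally against the set documented in unveil(2) before the syscall is made, and on a system without unveil(2) the calls are skipped so the script still loads.

```ruby
# Added example, not code from the ruby-unveil gem itself.
# Assumes the gem's Unveil module; when it cannot be loaded (not OpenBSD 6.4+)
# the syscall wrappers are skipped so the rest of the script still runs.
begin
  require 'unveil'
  UNVEIL_AVAILABLE = true
rescue LoadError
  UNVEIL_AVAILABLE = false
end

# Permission characters documented in unveil(2):
# r = read, w = write, x = execute, c = create/remove. "" removes all access.
VALID_PERMS = %w[r w x c].freeze

# Reject anything the gem (and the kernel) would refuse, before any path is exposed.
def validate_perms(perms)
  chars = perms.chars
  bad = chars.reject { |c| VALID_PERMS.include?(c) }
  raise ArgumentError, "invalid unveil permission(s): #{bad.join}" unless bad.empty?
  raise ArgumentError, "duplicate permission in #{perms.inspect}" if chars.uniq.size != chars.size
  perms
end

# view: { path => perms }. Every entry is unveiled in order, then the list is
# locked so nothing later in the process can widen it. Returns what was applied.
def restrict_filesystem(view)
  applied = view.map do |path, perms|
    validate_perms(perms)
    Unveil.unveil(path, perms) if UNVEIL_AVAILABLE
    [path, perms]
  end
  Unveil.lock! if UNVEIL_AVAILABLE
  applied
end

if __FILE__ == $0
  # Assumed paths: only /tmp is readable, only the app's log dir is writable.
  restrict_filesystem('/tmp' => 'r', '/var/log/myapp' => 'wc')
  # On OpenBSD, unveiled-away paths behave as if they do not exist.
  puts File.exist?('/etc/passwd')
end
```

After Unveil.lock! a later call to Unveil.unveil raises, so the view cannot be widened even by code loaded afterwards.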
This library uses GitHub Issues for tracking issues/bugs:
The source code is on GitHub:
To get a copy:
git clone git://github.com/jcs/ruby-unveil.git
rake-compiler (if compiling)
To build the library from a git checkout, use the compile task.
bundle exec rake compile
Running the specs
The rake spec task runs the specs. This is also the default rake task. This will compile the library if not already compiled.
bundle exec rake
joshua stein <email@example.com>