Ruby Interface to OpenBSD unveil(2) system call
ext/unveil
spec
.gitignore
Gemfile
Gemfile.lock
LICENSE
README.rdoc
Rakefile
unveil.gemspec

README.rdoc

unveil

unveil exposes OpenBSD's unveil(2) system call to Ruby, allowing a program to restrict its own view of the filesystem.

unveil(2) is supported on OpenBSD 6.4+.

Usage

First, you need to require the library:

require "unveil"

Then you can use Unveil.unveil as the interface to the unveil(2) system call. Pass Unveil.unveil a string containing a directory and a string containing the permissions. For example, to give the process the ability to read the /tmp directory, but not write to it:

Unveil.unveil("/tmp", "r")

Once the list of paths has been finalized, call Unveil.lock! to prevent further access to the unveil(2) system call.
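The full sequence described above (require, one Unveil.unveil call per path, then Unveil.lock!) as an added example that is not part of this README or of the gem. The apply_unveil_policy helper, the RecordingBackend class, and the paths in SAMPLE_POLICY are hypothetical and constructed for illustration; the only gem calls assumed are Unveil.unveil and Unveil.lock! as documented here.

```ruby
begin
  require "unveil" # the gem from this README; loads only where it has been built
rescue LoadError
  # Unveil stays undefined; apply_unveil_policy then needs an explicit backend
end

UNVEIL_PERMS = /\A[rwxc]*\z/ # permission letters listed in unveil(2)

# Constructed stand-in that records calls, for dry runs on non-OpenBSD machines.
class RecordingBackend
  attr_reader :calls
  def initialize; @calls = []; end
  def unveil(path, perms); @calls << [:unveil, path, perms]; end
  def lock!; @calls << [:lock!]; end
end

# Hypothetical helper: policy is a Hash of path => permission string.
def apply_unveil_policy(policy, backend: (defined?(Unveil) ? Unveil : nil))
  raise "no unveil backend; refusing to continue unrestricted" if backend.nil?
  raise ArgumentError, "empty policy" if policy.empty?
  # Validate every entry before the first call, so a typo cannot leave a partly applied policy.
  policy.each do |path, perms|
    next if perms.is_a?(String) && perms.match?(UNVEIL_PERMS)
    raise ArgumentError, "bad permissions #{perms.inspect} for #{path}"
  end
  policy.each { |path, perms| backend.unveil(path, perms) }
  backend.lock! # finalize the list; later unveil calls are refused
  policy.keys
end

# Constructed sample policy: read-only config and libraries, scratch space in /tmp.
SAMPLE_POLICY = {
  "/etc/myapp" => "r",
  "/usr/local/lib/ruby" => "r",
  "/tmp" => "rwc",
}.freeze

# Runs the policy against the recording backend and returns the call sequence.
def dry_run(policy)
  backend = RecordingBackend.new
  apply_unveil_policy(policy, backend: backend)
  backend.calls
end
```

Apply the policy only after every file the program will later load is either already loaded or covered by a readable path, since anything outside the unveiled list is no longer visible to the process.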

Options

See the unveil(2) man page for a description of the allowed permissions passed to Unveil.unveil.

Using an unsupported permission string will raise an exception.

Reporting issues/bugs

This library uses GitHub Issues for tracking issues/bugs:

https://github.com/jcs/ruby-unveil/issues

Contributing

The source code is on GitHub:

https://github.com/unveil/ruby-unveil

To get a copy:

git clone https://github.com/jcs/ruby-unveil.git

Requirements

  • OpenBSD 6.4+

  • ruby 2.4+

  • Bundler 1.17+

  • rake-compiler (if compiling)

Compiling

To build the library from a git checkout, use the compile task.

bundle exec rake compile

Running the specs

The rake spec task runs the specs. This is also the default rake task. This will compile the library if not already compiled.

bundle exec rake

Author

joshua stein <jcs@jcs.org>
