pledge exposes OpenBSD's pledge(2) system call to Ruby, allowing a program to restrict the types of operations it can perform after that point. Unlike other similar systems, pledge is specifically designed for programs that need a wide variety of operations during initialization but fewer after initialization (when user input will be accepted).
pledge(2) is supported on OpenBSD 5.9+. pledge(2) supports a second argument for execpromises on OpenBSD 6.3+.
First, you need to require the library
Then you can use Pledge.pledge as the interface to the pledge(2) system call. You pass Pledge.pledge a string containing tokens for the operations you would like to allow (called promises). For example, if you want to give the process the ability to read from the file system, but not write to the file system or allow network access:
To allow read/write filesystem access, but not network access:
Pledge.pledge("rpath wpath cpath")
To allow inet/unix socket access and DNS queries, but not filesystem access:
Pledge.pledge("inet unix dns")
If you want to use pledging in a console application such as irb or pry, you must include the tty promise:
You can pass a second string argument containing tokens for the operations you would like to allow in spawned processes (called execpromises). To allow spawning processes that have read/write filesystem access only, but not network access:
Pledge.pledge("proc exec rpath", "stdio rpath wpath cpath")
Pledge is a module that extends itself, so you can include it in other classes:
Object.send(:include, Pledge)
pledge("rpath")
See the pledge(2) man page for a description of the allowed promises in the strings passed to Pledge.pledge.
Using an unsupported promise will raise an exception. The “stdio” promise is added automatically to the current process's promises, as Ruby does not function without it, but it is not added to the execpromises (as you can execute non-Ruby programs).
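The promise rules above (automatic stdio for the current process, none for execpromises, tty for console use) can be checked before pledging. This is an added example, not part of ruby-pledge: PledgePlan, plan and apply are hypothetical names, and the check that execpromises need the exec promise is taken from pledge(2) rather than from this page.

```ruby
# Added example; PledgePlan, plan and apply are hypothetical names.
module PledgePlan
  module_function

  # Split a promise string into unique tokens, keeping their order.
  def tokens(str)
    str.to_s.split.uniq
  end

  # Returns [effective promises, execpromises or nil, warnings].
  def plan(promises, execpromises = nil, console: false)
    warnings = []
    current = tokens(promises)
    # The library adds "stdio" to the current process's promises itself;
    # mirror that so the plan shows the effective set.
    current.unshift("stdio") unless current.include?("stdio")
    if console && !current.include?("tty")
      warnings << "irb/pry need the tty promise"
    end
    spawned = nil
    unless execpromises.nil?
      spawned = tokens(execpromises)
      # "stdio" is not added to execpromises, so a spawned program that
      # needs it must be given it explicitly.
      unless spawned.include?("stdio")
        warnings << "execpromises lack stdio (not added automatically)"
      end
      # Assumption from pledge(2): execpromises only take effect on exec.
      unless current.include?("exec")
        warnings << "execpromises given without the exec promise"
      end
    end
    [current.join(" "), spawned && spawned.join(" "), warnings]
  end

  # Report warnings, then pledge with the caller's original strings when
  # the library is loaded (OpenBSD). Returns true if pledge was called.
  def apply(promises, execpromises = nil, console: false)
    plan(promises, execpromises, console: console).last.each do |w|
      warn "pledge plan: #{w}"
    end
    return false unless defined?(::Pledge)
    args = [promises, execpromises].compact
    ::Pledge.pledge(*args)
    true
  end
end
```

On a system where the pledge library is not loaded, apply only prints the warnings and returns false, so the plan can be reviewed on a development machine before deploying to OpenBSD.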
This library uses GitHub Issues for tracking issues/bugs:
The source code is on GitHub:
To get a copy:
git clone https://github.com/jeremyevans/ruby-pledge.git
rake-compiler (if compiling)
To build the library from a git checkout, use the compile task.
Running the specs
The rake spec task runs the specs. This is also the default rake task. This will compile the library if not already compiled.
Jeremy Evans <firstname.lastname@example.org>