Revision: 4367 http://trac.macosforge.org/projects/ruby/changeset/4367 Author: pthomson@apple.com Date: 2010-07-16 10:27:58 -0700 (Fri, 16 Jul 2010) Log Message: ----------- Add a Sandbox class that adds sandbox(7) functionality. Modified Paths: -------------- MacRuby/trunk/inits.c MacRuby/trunk/rakelib/builder/options.rb Added Paths: ----------- MacRuby/trunk/sandbox.c MacRuby/trunk/spec/macruby/core/sandbox/ MacRuby/trunk/spec/macruby/core/sandbox/pure_spec.rb Modified: MacRuby/trunk/inits.c =================================================================== --- MacRuby/trunk/inits.c 2010-07-15 21:48:25 UTC (rev 4366) +++ MacRuby/trunk/inits.c 2010-07-16 17:27:58 UTC (rev 4367) @@ -60,6 +60,7 @@ void Init_Dispatch(void); void Init_Transcode(void); void Init_PostVM(void); +void Init_sandbox(void); void rb_call_inits() @@ -112,5 +113,6 @@ Init_FFI(); Init_Dispatch(); Init_Transcode(); + Init_sandbox(); Init_PostVM(); } Modified: MacRuby/trunk/rakelib/builder/options.rb =================================================================== --- MacRuby/trunk/rakelib/builder/options.rb 2010-07-15 21:48:25 UTC (rev 4366) +++ MacRuby/trunk/rakelib/builder/options.rb 2010-07-16 17:27:58 UTC (rev 4367) @@ -126,7 +126,7 @@ util variable version thread id objc bs ucnv encoding main dln dmyext marshal gcd vm_eval gc-stub bridgesupport compiler dispatcher vm symbol debugger interpreter MacRuby MacRubyDebuggerConnector NSArray NSDictionary NSString - transcode + transcode sandbox } # Static MacRuby builds less objects. Added: MacRuby/trunk/sandbox.c =================================================================== --- MacRuby/trunk/sandbox.c (rev 0) +++ MacRuby/trunk/sandbox.c 2010-07-16 17:27:58 UTC (rev 4367) 
@@ -0,0 +1,84 @@
+#include <sandbox.h>
+#include "ruby/macruby.h"
+
+static VALUE rb_cSandbox;
+
+typedef struct {
+ const char *profile;
+ uint64_t flags;
+} rb_sandbox_t;
+
+static VALUE
+rb_sandbox_s_alloc(VALUE klass, SEL sel)
+{
+ rb_sandbox_t *sb = ALLOC(rb_sandbox_t);
+ sb->profile = NULL;
+ sb->flags = 0;
+ return Data_Wrap_Struct(klass, NULL, NULL, sb);
+}
+
+static inline VALUE
+predefined_sandbox(const char* name)
+{
+ VALUE obj = rb_sandbox_s_alloc(rb_cSandbox, 0);
+ rb_sandbox_t *box; Data_Get_Struct(obj, rb_sandbox_t, box);
+ box->profile = name;
+ box->flags = SANDBOX_NAMED;
+ return rb_obj_freeze(obj);
+}
+
+static VALUE
+rb_sandbox_s_no_internet(VALUE klass, SEL sel)
+{
+ return predefined_sandbox(kSBXProfileNoInternet);
+}
+
+static VALUE
+rb_sandbox_s_no_network(VALUE klass, SEL sel)
+{
+ return predefined_sandbox(kSBXProfileNoNetwork);
+}
+
+static VALUE
+rb_sandbox_s_no_writes(VALUE klass, SEL sel)
+{
+ return predefined_sandbox(kSBXProfileNoWrite);
+}
+
+static VALUE
+rb_sandbox_s_temporary_writes(VALUE klass, SEL sel)
+{
+ return predefined_sandbox(kSBXProfileNoWriteExceptTemporary);
+}
+
+static VALUE
+rb_sandbox_s_pure_computation(VALUE klass, SEL sel)
+{
+ return predefined_sandbox(kSBXProfilePureComputation);
+}
+
+static VALUE
+rb_sandbox_apply(VALUE self, SEL sel)
+{
+ rb_sandbox_t *box; Data_Get_Struct(self, rb_sandbox_t, box);
+ char *error = NULL;
+ if (sandbox_init(box->profile, box->flags, &error) == -1) {
+ rb_raise(rb_eSecurityError, "Couldn't apply sandbox: `%s`", error);
+ }
+ return Qnil;
+}
+
+void
+Init_sandbox(void)
+{
+ rb_cSandbox = rb_define_class("Sandbox", rb_cData);
+
+ rb_objc_define_method(*(VALUE *)rb_cSandbox, "alloc", rb_sandbox_s_alloc, 0);
+ rb_objc_define_method(*(VALUE *)rb_cSandbox, "no_internet", rb_sandbox_s_no_internet, 0);
+ rb_objc_define_method(*(VALUE *)rb_cSandbox, "no_network", rb_sandbox_s_no_network, 0);
+ rb_objc_define_method(*(VALUE *)rb_cSandbox, "no_writes", rb_sandbox_s_no_writes, 0);
+ rb_objc_define_method(*(VALUE *)rb_cSandbox, "temporary_writes", rb_sandbox_s_temporary_writes, 0);
+ rb_objc_define_method(*(VALUE *)rb_cSandbox, "pure_computation", rb_sandbox_s_pure_computation, 0);
+
+ rb_objc_define_method(rb_cSandbox, "apply!", rb_sandbox_apply, 0);
+}
\ No newline at end of file
Added: MacRuby/trunk/spec/macruby/core/sandbox/pure_spec.rb
===================================================================
--- MacRuby/trunk/spec/macruby/core/sandbox/pure_spec.rb (rev 0)
+++ MacRuby/trunk/spec/macruby/core/sandbox/pure_spec.rb 2010-07-16 17:27:58 UTC (rev 4367)
@@ -0,0 +1,11 @@
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+describe "Sandbox.pure_computation" do
+
+ # More specs coming to this space soon. Right now applying a sandbox profile
+ # inside a spec causes all subsequent specs to fail.
+
+ it "should be frozen" do
+ Sandbox.pure_computation.frozen?.should be_true
+ end
+end
\ No newline at end of file
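Review bot: `rb_sandbox_apply` hands `box->profile` to `sandbox_init()` unchecked, yet `rb_sandbox_s_alloc` is registered as the public `alloc` and leaves `profile` NULL with `flags` 0, so an instance that did not come from one of the five named constructors reaches `sandbox_init` with a NULL profile. Raising SecurityError before the call keeps that failure explicit instead of depending on how the library treats NULL. On the failure path the buffer that `sandbox_init` stores in `error` is never passed to `sandbox_free_error()`; because `rb_raise` does not return, the message has to be copied and the buffer released first (the copy below uses `snprintf`, which needs `<stdio.h>` if the MacRuby header does not already provide it). A short comment on `apply!` stating that an applied profile cannot be lifted for the rest of the process would also help callers.

```c
rb_sandbox_apply(VALUE self, SEL sel)
{
    // … unchanged: Data_Get_Struct lookup of box …
    if (box->profile == NULL) {
        rb_raise(rb_eSecurityError, "Sandbox has no profile to apply");
    }
    // … unchanged: declaration of error …
    if (sandbox_init(box->profile, box->flags, &error) == -1) {
        char msg[256];
        snprintf(msg, sizeof msg, "%s", error != NULL ? error : "unknown error");
        if (error != NULL) {
            sandbox_free_error(error);
        }
        rb_raise(rb_eSecurityError, "Couldn't apply sandbox: `%s`", msg);
    }
    // … unchanged: return Qnil …
}
```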
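Review bot: The only example in `pure_spec.rb` checks that `Sandbox.pure_computation` is frozen, so nothing yet verifies that `apply!` restricts the process or that a failed `sandbox_init` surfaces as SecurityError. The comment in the file gives the reason: a profile applied inside the spec runner stays in force for every later spec. Running the `apply!` examples in a separate child process and asserting on its exit status or output would confine the profile to that child. Until then, a comment such as `# apply! is untested here: a profile cannot be removed once applied to the spec process` would make the gap explicit.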