Pavo wraps other programs with unveil & pledge
andinus/pavo
Pavo wraps other programs with unveil & pledge.
Note: This is still a work in progress, just the progress is very slow. I still think this is a neat idea, will complete this someday.
Note: Someone made this & posted it on misc@.
[ANNOUNCE] pledge(1): an unprivileged sandboxing tool for OpenBSD https://marc.info/?l=openbsd-misc&m=160070752916257&w=2
Project Home | Pavo |
Source Code | Andinus / Pavo |
GitHub (Mirror) | Pavo - GitHub |
Tested on:
- OpenBSD 6.6 amd64
Note: This program has only been tested to work with echo, it fails with many other commands.
- Pavo parses the config file
- Directories & commands are unveiled
- Execpromises are added
- Unveil calls are blocked
- Command is executed
Let’s take echo as an example. echo’s job is to echo what you pass to it; it should never touch your $HOME/.ssh. Let’s say the next echo update is malicious & it tries to send your $HOME/.ssh to the attacker’s servers. Run directly, it will be able to do that, but not if you wrap it with pavo.
pavo echo will parse the config & force unveil & pledge on the malicious echo. It won’t be able to read your $HOME/.ssh directory if it isn’t present in pavo’s config. Also, trying to upload the file to the internet will get the program killed immediately.
This assumes that pavo’s config file is secure in the first place; if it isn’t, the attacker could simply change it. Also, echo is a bad example for this.
Let’s take another example. Let’s say you want to run a binary downloaded from the internet. You kinda trust that person (you don’t) & they say that the binary is a simple ASCII game that will just print to the terminal & do nothing else. You could wrap this binary with pavo before running it & give it limited permissions, e.g. don’t unveil anything & put only stdio in execpromises.
If that binary tries to do anything apart from stdio, the program will be killed.
- Pavo’s config file should be unwriteable at rest
- The config file should only be writeable by the user
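One way to enforce the two config-file requirements above before the file is trusted, as an added example in Go that is not pavo's own code. The function names, the symlink rejection and the parent-directory check are assumptions of this example, which treats the config as belonging to a single user.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// ownedAndClosed: uid must own the entry; no group/other write bit allowed.
func ownedAndClosed(name string, fi os.FileInfo, uid uint32) error {
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok || st.Uid != uid {
		return fmt.Errorf("%s: not owned by uid %d", name, uid)
	}
	if perm := fi.Mode().Perm(); perm&0o022 != 0 {
		return fmt.Errorf("%s: mode %04o is writable by group or others", name, perm)
	}
	return nil
}

// checkConfig returns nil only if uid alone can modify or replace the file.
func checkConfig(path string, uid uint32) error {
	fi, err := os.Lstat(path) // Lstat so a symlink planted at path is rejected
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", path)
	}
	if err := ownedAndClosed(path, fi, uid); err != nil {
		return err
	}
	// Whoever can write the directory can swap the file, so check it too.
	di, err := os.Stat(filepath.Dir(path))
	if err != nil {
		return err
	}
	return ownedAndClosed(filepath.Dir(path), di, uid)
}

func main() {
	for _, p := range os.Args[1:] {
		if err := checkConfig(p, uint32(os.Getuid())); err != nil {
			fmt.Fprintln(os.Stderr, "refusing config:", err)
			os.Exit(1)
		}
	}
}
```

A read-only mode such as 0400 passes, which matches the "unwriteable at rest" requirement; the owner restores write permission only while editing.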
Pre-built binaries are available for OpenBSD (386, amd64, arm, arm64).
Example config file can be downloaded here.
Download the binaries from archive.org
Example URL: https://archive.org/download/pavo-v0.1.0/pavo-v0.1.0-openbsd-386
Arch | SHA256 |
---|---|
386 | 926d6009567fec6c270eea16d380b58f396be6f1d51d513ff0e43286760f4fa9 |
amd64 | b0fadad9e0328377b31eb70d369a0e2b91f851310e579abab4023496776798ca |
arm | 0033409f32569c2f59879bb256854b7c6f1043ebf3fe548c7ee4d9b7132839ea |
arm64 | b75648c5a3b76d51cad63172ec164eff4974a6a4cca453fe41441d556fa04a07 |