Pledge and Unveil in OpenBSD [pdf] (opens in new tab)

(openbsd.org)

125 pointsgshrikant7y ago34 comments

34 comments

Awesome!

Given the Chrome example starting on page 6, here's my guess as to how pledge and unveil will contain Chrome to e.g. protect SSH keys. First, 3 of the 5 Chrome processes are already pledged to disallow filesystem reads. The two remaining ones (RenderProcess and UtilityProcess) can be unveiled to allow directories like

  * ~/.config/chromium
  * ~/.cache/chromium
  * ~/Downloads
  * /tmp
  * and anything important I don't know of

Additionally, if unveil works like pledge and can be further restricted after e.g. reading files into memory, unveils can then be undone. Anyone know if the following would work to first allow access to /tmp and then revoke that access?

  unveil("/tmp", "rw");
  /* do some work */
  unveil("/tmp", "");

notaplumber7y ago

Indeed! The full unveil semantics aren't known yet, may be worth proposing! But for the specific case of /tmp, there is already a tmppath promise.

aaron_m047y ago

I wouldn't expect your /tmp example to work, because if unveil is anything like pledge, additional calls can only add restrictions, not take them away.

toxik7y ago

Shouldn't it be veil()?

badsectoracula7y ago

The idea is that everything is "veiled" and you "unveil" the stuff you need access to.

1 more reply

zrth7y ago

Honest question, why is this downvoted?

akavel7y ago

The PDF has no introduction section, seems to be aimed at people who already know what it's talking about. Can anyone shed some light on what is the idea here? I honestly don't understand what's going on, apart from that it seems to be some security-related feature (or actually two of them?)

beefhash7y ago

pledge(2) on OpenBSD is used to drop the privileges of a process. Processes are meant to call pledge(2) to drop their own privileges. The way pledge(2) works is that the system calls of that process get limited. If a process calls a system call outside the allowed range after calling pledge(2), it gets killed. Starting with OpenBSD 6.3, it is also possible to configure pledge to make the kernel return ENOSYS instead of killing the process when violating the pledge.

For example:

    /* Only the system calls required
     * for the standard I/O library and
     * for accessing /dev/tty are allowed
     * by the kernel from this point on.
     */
    pledge("stdio tty", NULL);

The second argument is the execpromises, i.e., the pledges enforced for child processes. This does not need to be specified if you pledge in a way that does not include any way of spawning a new process.

What's new in the slides linked is unveil(2). This seems to be used to limit the exact paths a process can access and with what access flags (rwxc).

Fnoord7y ago

Wasn't there some kind of equiv in OpenBSD long ago, by Niels Provos? Or was it the Stephanie patch? [1] At the bottom they mention Qmail which was immediately my first thought as an example as well, since it breaks up MTA tasks to different daemons.

[1] http://packetfactory.openwall.net/projects/stephanie/index.h...

1 more reply

sigjuice7y ago

pledge is seccomp

brynet7y ago

Not at all, for example you can't implement the ratcheting down semantics of pledge() using seccomp. Say starting with a broader promise set "stdio rpath recvfd", and then dropping to "stdio" after full init.

pledge() can also be found in over 85% of OpenBSD's base system.

2 more replies

lkurusa7y ago

Not really; seccomp(2) is for _specific_ system calls, pledge(2) is for more broad functionalities.

2 more replies

brynet7y ago

These are the slides from Bob Beck (beck@'s) talk at BSDCan 2018 (Jun 8-9th), apparently missing its first page.. [0]

http://www.bsdcan.org/2018/schedule/events/968.en.html

Video should eventually show up on YouTube.

[0] https://twitter.com/bob_beck/status/1005162340956794880 ;-)

brynet7y ago

A somewhat related talk from BSDCan was Florian Obser's slaacd(8) - "A privilege separated and sandboxed IPv6 Stateless Address AutoConfiguration Daemon"

https://www.openbsd.org/papers/florian_slaacd_bsdcan2018.pdf

http://www.bsdcan.org/2018/schedule/events/929.en.html

zdw7y ago

Nice. Back in earlier versions of pledge(2), there was another argument that took paths to allow fs access on, as unveil(2) is doing, but it was never supported/implemented. (see http://man.openbsd.org/OpenBSD-6.0/pledge.2 for the old syntax)

teamhappy7y ago

Does anybody here know when the videos will be up?

j / k navigate · click thread line to collapse

34 comments

Panino7y ago

Awesome!

  * ~/.config/chromium
  * ~/.cache/chromium
  * ~/Downloads
  * /tmp
  * and anything important I don't know of

  unveil("/tmp", "rw");
  /* do some work */
  unveil("/tmp", "");

notaplumber7y ago

Indeed! The full unveil semantics aren't known yet, may be worth proposing! But for the specific case of /tmp, there is already a tmppath promise.

aaron_m047y ago

I wouldn't expect your /tmp example to work, because if unveil is anything like pledge, additional calls can only add restrictions, not take them away.

toxik7y ago

Shouldn't it be veil()?

badsectoracula7y ago

The idea is that everything is "veiled" and you "unveil" the stuff you need access to.

1 more reply

zrth7y ago

Honest question, why is this downvoted?

akavel7y ago

beefhash7y ago

For example:

    /* Only the system calls required
     * for the standard I/O library and
     * for accessing /dev/tty are allowed
     * by the kernel from this point on.
     */
    pledge("stdio tty", NULL);

What's new in the slides linked is unveil(2). This seems to be used to limit the exact paths a process can access and with what access flags (rwxc).

Fnoord7y ago

[1] http://packetfactory.openwall.net/projects/stephanie/index.h...

1 more reply

sigjuice7y ago

pledge is seccomp

brynet7y ago

pledge() can also be found in over 85% of OpenBSD's base system.

2 more replies

lkurusa7y ago

Not really; seccomp(2) is for _specific_ system calls, pledge(2) is for more broad functionalities.

2 more replies

brynet7y ago

These are the slides from Bob Beck (beck@'s) talk at BSDCan 2018 (Jun 8-9th), apparently missing its first page.. [0]

http://www.bsdcan.org/2018/schedule/events/968.en.html

Video should eventually show up on YouTube.

[0] https://twitter.com/bob_beck/status/1005162340956794880 ;-)

brynet7y ago

A somewhat related talk from BSDCan was Florian Obser's slaacd(8) - "A privilege separated and sandboxed IPv6 Stateless Address AutoConfiguration Daemon"

https://www.openbsd.org/papers/florian_slaacd_bsdcan2018.pdf

http://www.bsdcan.org/2018/schedule/events/929.en.html

zdw7y ago

teamhappy7y ago

Does anybody here know when the videos will be up?

j / k navigate · click thread line to collapse