Skip to content
This repository has been archived by the owner on May 25, 2023. It is now read-only.
/ pavo Public archive

Pavo wraps other programs with unveil & pledge

License

Notifications You must be signed in to change notification settings

andinus/pavo

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Pavo

Pavo wraps other programs with unveil & pledge.

Note: This is still a work in progress, just the progress is very slow. I still think this is a neat idea, will complete this someday.

Note: Someone made this & posted it on misc@.

[ANNOUNCE] pledge(1): an unprivileged sandboxing tool for OpenBSD https://marc.info/?l=openbsd-misc&m=160070752916257&w=2

Project HomePavo
Source CodeAndinus / Pavo
GitHub (Mirror)Pavo - GitHub

Tested on:

  • OpenBSD 6.6 amd64

Note: This program has only been tested to work with echo, it fails with many other commands.

Working

  • Pavo parses the config file
  • Directories & commands are unveiled
  • Execpromises are added
  • Unveil calls are blocked
  • Command is executed

How is it useful?

Let’s take echo as an example. echo’s job is to echo what you pass to it. It should never touch your $HOME/.ssh, let’s say the next echo update is malicious & it tries to send your $HOME/.ssh to the attacker’s servers. It will be able to do that but not if you wrap it around pavo.

pavo echo will parse the config & force unveil & pledge on the malicious echo, it won’t be able to read your $HOME/.ssh directory if it isn’t present in pavo’s config. Also uploading the file to the internet will kill the program immediately.

This assumes that pavo’s config file is secure in the first place, if it isn’t then the attacker could simply change it. Also, echo is a bad example for this.

Let’s take another example. Let’s say you want to run a binary downloaded from the internet, you kinda trust that person (you don’t) & they say that the binary is a simple ascii game & will just print to terminal, do nothing else. You could wrap this binary around pavo before running it & give it limited permissions, like don’t unveil anything & put only stdio in execpromises.

If that binary tries to do anything apart from stdio the program will be killed.

  • Pavo’s config file should be unwriteable at rest
  • The config file should only be writeable by the user

Installation

Pre-built binaries

Pre-built binaries are available for OpenBSD (386, amd64, arm, arm64).

Example config file can be downloaded here.

v0.1.0

Download the binaries from archive.org

Example URL: https://archive.org/download/pavo-v0.1.0/pavo-v0.1.0-openbsd-386

ArchSHA256
386926d6009567fec6c270eea16d380b58f396be6f1d51d513ff0e43286760f4fa9
amd64b0fadad9e0328377b31eb70d369a0e2b91f851310e579abab4023496776798ca
arm0033409f32569c2f59879bb256854b7c6f1043ebf3fe548c7ee4d9b7132839ea
arm64b75648c5a3b76d51cad63172ec164eff4974a6a4cca453fe41441d556fa04a07