Re: how to pledge(2) for Yubikey

Tue, 14 Jul 2020 08:07:40 -0700 

That is never going to work.  We will never permit raw access to usb
devices like that, in fact we are headed completely the other direction
with /dev/fido support hiding the complexity.

=?utf-8?Q?L=C3=A9vai=2C_D=C3=A1niel?= <l...@ecentrum.hu> wrote:

> Hi all!
> 
> I'm trying to implement pledge(2) support into kc(1) (in ports) while using 
> it with a Yubikey.
> So far this is my pledge string:
> char            *pledges = "cpath exec fattr flock proc rpath stdio tty unix 
> wpath";
> 
> This covers everything it would do without the Yubikey. But I can't seem to 
> find the proper "promise" that would allow it to use the Yubikey (I've tried 
> adding everything at one point).
> The application dies with (on -current):
> Abort trap (core dumped)
> kc[35302]: pledge "tty", syscall 54
> 
> And the trace looks like this:
> #0  ioctl () at -:3
> No locals.
> #1  0x00000fb51385e600 in libusb_interrupt_transfer () from 
> /usr/local/lib/libusb-1.0.so.1.2
> No symbol table info available.
> #2  0x00000fb513856864 in libusb_get_device_list () from 
> /usr/local/lib/libusb-1.0.so.1.2
> No symbol table info available.
> #3  0x00000fb53bf41e82 in _ykusb_open_device () from 
> /usr/local/lib/libykpers-1.so.0.8
> No symbol table info available.
> #4  0x00000fb53bf408ab in yk_open_key_vid_pid () from 
> /usr/local/lib/libykpers-1.so.0.8
> No symbol table info available.
> #5  0x00000fb25fdac4d9 in kc_ykchalresp () from /home/daniell/kc/kc
> No symbol table info available.
> #6  0x00000fb25fd9f293 in main () from /home/daniell/kc/kc
> No symbol table info available.
> 
> These are the last couple of line from ktrace:
>  35302 kc       CALL  open(0x7f7ffffee1f0,0x2<O_RDWR>)
>  35302 kc       NAMI  "/dev/usb0"
>  35302 kc       RET   open -1 errno 13 Permission denied
>  35302 kc       CALL  kbind(0x7f7ffffede88,24,0x18365a7b5e816bae)
>  35302 kc       RET   kbind 0
>  35302 kc       CALL  open(0x7f7ffffee1f0,0x2<O_RDWR>)
>  35302 kc       NAMI  "/dev/usb1"
>  35302 kc       RET   open 7
>  35302 kc       CALL  kbind(0x7f7ffffede88,24,0x18365a7b5e816bae)
>  35302 kc       RET   kbind 0
>  35302 kc       CALL  ioctl(7,USB_DEVICEINFO,0x7f7ffffedf50)
>  35302 kc       PLDG  ioctl, "tty", errno 1 Operation not permitted
>  35302 kc       PSIG  SIGABRT SIG_DFL
>  35302 kc       NAMI  "kc.core"
> 
> 
> I don't know if this matters, but for even ykinfo(1) (in the ykpers port) to 
> work, I had to:
> # chmod g+w /dev/usb1
> # chmod g+rw /dev/ugen0.00
> 
> Could someone hit me with a clue-bat how to pledge for using a Yubikey (or 
> rather, I guess, any USB device?).
> 
> 
> Thanks in advance,
> Dani
>

Reply via email to