I'm using pledge(2) to harden an application on OpenBSD, but cannot find a promise that will allow it to run. Even after adding all the promises listed in the pledge manpage (apart from "error") it still fails with SIGABRT.
I'm calling this:

    pledge("stdio rpath wpath cpath dpath tmppath inet mcast fattr chown "
           "flock unix dns getpw sendfd recvfd tape tty proc exec "
           "prot_exec settime ps vminfo id pf route wroute audio video "
           "bpf unveil", NULL);

and getting this:

    openbsd72$ kdump | tail
    71505 arp-scan RET kbind 0
    71505 arp-scan CALL open(0xf00c9939b8a,0x2<O_RDWR>)
    71505 arp-scan NAMI "/dev/bpf"
    71505 arp-scan RET open 3
    71505 arp-scan CALL kbind(0x7f7ffffc9638,24,0x9e68113ba2b6b588)
    71505 arp-scan RET kbind 0
    71505 arp-scan CALL ioctl(3,BIOCVERSION,0x7f7ffffc9740)
    71505 arp-scan PLDG ioctl, "tty", errno 1 Operation not permitted
    71505 arp-scan PSIG SIGABRT SIG_DFL
    71505 arp-scan NAMI "arp-scan.core"

It is failing in the libpcap library, with the calling sequence:

    pcap_findalldevs() -> pcap_open_live() -> pcap_activate() -> ioctl()

For context I'm applying the pledge patch from the OpenBSD arp-scan port to the upstream code on github. The initial patch, which pledges a small set of promises after setup is complete is working fine. But when I try to add a more extensive pledge() as the first statement in main(), I cannot find a set of promises that will allow it to run the setup code.

Here's my outline of the planned changes from the pull request:

    "@sthen: this is the PR for your OpenBSD pledge(2) patch. I'm planning to extend it a bit by calling pledge initially as the very first thing in main() with the most that arp-scan will ever need, including rpath, wpath and perhaps others in addition to stdio dns bpf. Then, when we've parsed the args and opened files & sockets, call pledge again with a reduced set. Maybe could also tune the reduced set based on args - I suspect we don't need dns without --resolve.

    I was also considering changing the execpromises from NULL to "" (empty string). From my reading of the manpage, promises (and presumably also execpromises) of NULL mean don't change current settings (presumably everything) whereas an empty string means nothing (well apart from _exit(2)). It probably won't change much in practice, as the process would never be able to call execve(), but arp-scan doesn't ever fork() or execve() so I don't think we need any execpromises at all."

Full details in this github pull request: https://github.com/royhills/arp-scan/pull/132

Any ideas what I'm doing wrong?

Thanks,
Roy
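One way to triage a trace like the one above, as an added example that is not part of the original post: it pulls each PLDG record out of kdump output and pairs it with the preceding CALL, the ioctl request, and the path behind the file descriptor. The function name, field names and regexes are assumptions based on the record layout shown in the post; the sample trace is copied from it.

```python
import re

# Trace lines copied from the kdump output in the post.
SAMPLE_TRACE = """\
71505 arp-scan RET kbind 0
71505 arp-scan CALL open(0xf00c9939b8a,0x2<O_RDWR>)
71505 arp-scan NAMI "/dev/bpf"
71505 arp-scan RET open 3
71505 arp-scan CALL kbind(0x7f7ffffc9638,24,0x9e68113ba2b6b588)
71505 arp-scan RET kbind 0
71505 arp-scan CALL ioctl(3,BIOCVERSION,0x7f7ffffc9740)
71505 arp-scan PLDG ioctl, "tty", errno 1 Operation not permitted
71505 arp-scan PSIG SIGABRT SIG_DFL
71505 arp-scan NAMI "arp-scan.core"
"""
# Record layout assumed from the post: <pid> <command> <type> <payload>
RECORD = re.compile(r"^\s*(\d+)\s+(\S+)\s+(CALL|RET|NAMI|PLDG|PSIG)\s+(.*)$")
PLDG = re.compile(r'^(\w+),\s*"([^"]*)",\s*errno\s+(\d+)')
CALL = re.compile(r"^(\w+)\((.*)\)$")
RET_OPEN = re.compile(r"^(?:open|openat)\s+(\d+)$")

def pledge_violations(lines):
    """Return one dict per PLDG record with the call, ioctl request and path."""
    last_call, last_path, fd_path, found = {}, {}, {}, []
    for line in lines:
        rec = RECORD.match(line)
        if not rec:
            continue
        pid, comm, kind, payload = (g.strip() for g in rec.groups())
        if kind == "CALL":
            last_call[pid] = payload
        elif kind == "NAMI":
            last_path[pid] = payload.strip('"')
        elif kind == "RET" and RET_OPEN.match(payload) and pid in last_path:
            # Successful open: remember which path this descriptor refers to.
            fd_path[(pid, RET_OPEN.match(payload).group(1))] = last_path[pid]
        elif kind == "PLDG" and PLDG.match(payload):
            name, promise, err = PLDG.match(payload).groups()
            call = CALL.match(last_call.get(pid, ""))
            # Only trust the saved CALL if it is the syscall the kernel named.
            args = call.group(2).split(",") if call and call.group(1) == name else []
            found.append({
                "pid": int(pid), "command": comm, "syscall": name,
                "promise": promise, "errno": int(err),
                "request": args[1] if name == "ioctl" and len(args) > 1 else None,
                # First argument treated as a descriptor (heuristic).
                "path": fd_path.get((pid, args[0])) if args else None,
            })
    return found
```

Feed it the full output of kdump rather than the tail, so the open that produced the descriptor is still in view.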