pledge("everything", NULL) is not the same as not calling pledge.
roy hills <royhi...@hotmail.com> wrote:
> I'm using pledge(2) to harden an application on OpenBSD, but cannot find
> a promise that will allow it to run. Even after adding all the promises
> listed in the pledge manpage (apart from "error") it still fails with
> SIGABRT.
>
> I'm calling this:
>
> pledge("stdio rpath wpath cpath dpath tmppath inet mcast fattr chown "
>        "flock unix dns getpw sendfd recvfd tape tty proc exec "
>        "prot_exec settime ps vminfo id pf route wroute audio video "
>        "bpf unveil", NULL);
>
> and getting this:
>
> openbsd72$ kdump | tail
> 71505 arp-scan RET kbind 0
> 71505 arp-scan CALL open(0xf00c9939b8a,0x2<O_RDWR>)
> 71505 arp-scan NAMI "/dev/bpf"
> 71505 arp-scan RET open 3
> 71505 arp-scan CALL kbind(0x7f7ffffc9638,24,0x9e68113ba2b6b588)
> 71505 arp-scan RET kbind 0
> 71505 arp-scan CALL ioctl(3,BIOCVERSION,0x7f7ffffc9740)
> 71505 arp-scan PLDG ioctl, "tty", errno 1 Operation not permitted
> 71505 arp-scan PSIG SIGABRT SIG_DFL
> 71505 arp-scan NAMI "arp-scan.core"
> It is failing in the libpcap library, with the calling sequence:
> pcap_findalldevs() -> pcap_open_live() -> pcap_activate() -> ioctl()
>
> For context I'm applying the pledge patch from the OpenBSD arp-scan
> port to the upstream code on github. The initial patch, which pledges a
> small set of promises after setup is complete is working fine. But when I
> try to add a more extensive pledge() as the first statement in main(), I
> cannot find a set of promises that will allow it to run the setup code.
>
> Here's my outline of the planned changes from the pull request:
>
> "@sthen: this is the PR for your OpenBSD pledge(2) patch. I'm planning to
> extend it a bit by calling pledge initially as the very first thing in
> main() with the most that arp-scan will ever need, including rpath, wpath
> and perhaps others in addition to stdio dns bpf. Then, when we've parsed
> the args and opened files & sockets, call pledge again with a reduced set.
> Maybe could also tune the reduced set based on args - I suspect we don't
> need dns without --resolve.
>
> I was also considering changing the execpromises from NULL to "" (empty
> string). From my reading of the manpage, promises (and presumably also
> execpromises) of NULL mean don't change current settings (presumably
> everything) whereas an empty string means nothing (well apart from
> _exit(2)). It probably won't change much in practice, as the process
> would never be able to call execve(), but arp-scan doesn't ever fork()
> or execve() so I don't think we need any execpromises at all."
>
> Full details in this github pull request:
> https://github.com/royhills/arp-scan/pull/132
>
> Any ideas what I'm doing wrong?
>
> Thanks,
>
> Roy
>
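
The "finish setup, then pledge a reduced set tuned by the arguments" arrangement described in the quoted pull request text, as an added example that is not code from this thread, the OpenBSD port or arp-scan. The `scan_opts` struct, the function names and the `stdio bpf` baseline are assumptions; the `pledge` call itself is compiled only on OpenBSD.

```c
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>   /* pledge(2) */
#endif

/* Hypothetical option struct; arp-scan's real option handling differs. */
struct scan_opts {
    int resolve;      /* --resolve given: DNS lookups happen after setup */
};

/*
 * Build the reduced promise set for the post-setup pledge.
 * "stdio bpf" is an assumed baseline; "dns" is added only when
 * --resolve is in use. Returns 0 on success, -1 if buf is too small.
 */
int reduced_promises(const struct scan_opts *o, char *buf, size_t len)
{
    int n = snprintf(buf, len, "stdio bpf%s", o->resolve ? " dns" : "");
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/*
 * Call once argument parsing, file opens and the libpcap/bpf setup are
 * complete. Returns 0 on success, -1 on failure. On non-OpenBSD builds
 * only the promise string is built and no restriction is applied.
 */
int drop_to_reduced_pledge(const struct scan_opts *o)
{
    char promises[32];

    if (reduced_promises(o, promises, sizeof(promises)) == -1)
        return -1;
#ifdef __OpenBSD__
    if (pledge(promises, NULL) == -1) {
        perror("pledge");
        return -1;
    }
#endif
    return 0;
}

int main(void)
{
    struct scan_opts o = { .resolve = 0 };
    /* ... parse args, open files, complete libpcap setup here ... */
    if (drop_to_reduced_pledge(&o) == -1)
        return 1;
    /* ... packet send/receive loop runs under the reduced pledge ... */
    return 0;
}
```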