Thanks for the info. Does that mean there are some functions that aren't covered by any of the available promises? If so I guess this ioctl() might be an example.
I'm not actually trying to pledge everything - that was just me trying to find out what promises I need so I added all of them. I was hoping to be able to start with a larger set and then slim down to a smaller set after setup. Looks like that might not be possible then I guess.

Thanks,

Roy

-----Original Message-----
From: Theo de Raadt <dera...@openbsd.org>
Sent: 27 January 2023 17:05
To: roy hills <royhi...@hotmail.com>
Cc: misc@openbsd.org
Subject: Re: ioctl BIOCVERSION command causes SIGABRT after pledge(2) with all promises from the manpage

pledge("everything", NULL) is not the same as not calling pledge.

roy hills <royhi...@hotmail.com> wrote:

> I'm using pledge(2) to harden an application on OpenBSD, but cannot
> find a promise that will allow it to run. Even after adding all the
> promises listed in the pledge manpage (apart from "error") it still
> fails with SIGABRT.
>
> I'm calling this:
>
> pledge("stdio rpath wpath cpath dpath tmppath inet mcast fattr chown "
>        "flock unix dns getpw sendfd recvfd tape tty proc exec "
>        "prot_exec settime ps vminfo id pf route wroute audio video "
>        "bpf unveil", NULL);
>
> and getting this:
>
> openbsd72$ kdump | tail
>  71505 arp-scan RET   kbind 0
>  71505 arp-scan CALL  open(0xf00c9939b8a,0x2<O_RDWR>)
>  71505 arp-scan NAMI  "/dev/bpf"
>  71505 arp-scan RET   open 3
>  71505 arp-scan CALL  kbind(0x7f7ffffc9638,24,0x9e68113ba2b6b588)
>  71505 arp-scan RET   kbind 0
>  71505 arp-scan CALL  ioctl(3,BIOCVERSION,0x7f7ffffc9740)
>  71505 arp-scan PLDG  ioctl, "tty", errno 1 Operation not permitted
>  71505 arp-scan PSIG  SIGABRT SIG_DFL
>  71505 arp-scan NAMI  "arp-scan.core"
>
> It is failing in the libpcap library, with the calling sequence:
> pcap_findalldevs() -> pcap_open_live() -> pcap_activate() -> ioctl()
>
> For context I'm applying the pledge patch from the OpenBSD arp-scan
> port to the upstream code on github. The initial patch, which pledges
> a small set of promises after setup is complete is working fine. But
> when I try to add a more extensive pledge() as the first statement in
> main(), I cannot find a set of promises that will allow it to run the
> setup code.
>
> Here's my outline of the planned changes from the pull request:
>
> "@sthen: this is the PR for your OpenBSD pledge(2) patch. I'm planning
> to extend it a bit by calling pledge initially as the very first thing
> in main() with the most that arp-scan will ever need, including rpath,
> wpath and perhaps others in addition to stdio dns bpf. Then, when
> we've parsed the args and opened files & sockets, call pledge again
> with a reduced set. Maybe could also tune the reduced set based on
> args - I suspect we don't need dns without --resolve.
>
> I was also considering changing the execpromises from NULL to ""
> (empty string). From my reading of the manpage, promises (and
> presumably also execpromises) of NULL mean don't change current
> settings (presumably everything) whereas an empty string means nothing
> (well apart from _exit(2)). It probably won't change much in practice,
> as the process would never be able to call execve(), but arp-scan
> doesn't ever fork() or execve() so I don't think we need any
> execpromises at all."
>
> Full details in this github pull request:
> https://github.com/royhills/arp-scan/pull/132
>
> Any ideas what I'm doing wrong?
>
> Thanks,
>
> Roy
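
Added example, not part of the thread and not code from arp-scan or OpenBSD: a small shell/awk filter that pulls the pledge violation out of kdump output like the trace quoted above and reports whether the promise named in the PLDG record was already in the pledged set. The function names, output format and the PROMISES variable are assumptions made for this example; the sample trace is copied from the quoted message.

```shell
#!/bin/sh
# Added example: summarise pledge(2) violations found in kdump output.
# usage: kdump | pledge_violations "promise list that was passed to pledge()"

pledge_violations() {
    awk -v promises="${1:-}" '
    BEGIN {
        # Index the promises the program pledged, for the hint_pledged column.
        n = split(promises, p, " ")
        for (i = 1; i <= n; i++) have[p[i]] = 1
    }
    # Remember the most recent system call per pid.
    $3 == "CALL" { last[$1] = $4 }
    # PLDG record layout as in the post: pid proc PLDG syscall, "promise", errno N text
    $3 == "PLDG" {
        sys = $4;  sub(/,$/, "", sys)
        hint = $5; gsub(/[",]/, "", hint)
        printf "pid=%s proc=%s syscall=%s hint=%s hint_pledged=%s errno=%s call=%s\n",
            $1, $2, sys, hint, ((hint in have) ? "yes" : "no"), $7, last[$1]
    }'
}

# Promise list from the pledge() call quoted in the post.
PROMISES="stdio rpath wpath cpath dpath tmppath inet mcast fattr chown \
flock unix dns getpw sendfd recvfd tape tty proc exec \
prot_exec settime ps vminfo id pf route wroute audio video bpf unveil"

# Sample input: the kdump lines quoted in the post.
sample_kdump() {
cat <<'EOF'
 71505 arp-scan CALL  open(0xf00c9939b8a,0x2<O_RDWR>)
 71505 arp-scan NAMI  "/dev/bpf"
 71505 arp-scan RET   open 3
 71505 arp-scan CALL  kbind(0x7f7ffffc9638,24,0x9e68113ba2b6b588)
 71505 arp-scan RET   kbind 0
 71505 arp-scan CALL  ioctl(3,BIOCVERSION,0x7f7ffffc9740)
 71505 arp-scan PLDG  ioctl, "tty", errno 1 Operation not permitted
 71505 arp-scan PSIG  SIGABRT SIG_DFL
EOF
}

sample_kdump | pledge_violations "$PROMISES"
```

A result of hint_pledged=yes means the promise named in the PLDG record was already held, so adding it to the pledge() call will not change the outcome.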