
Pledge and Unveil in OpenBSD [pdf] - gshrikant
https://www.openbsd.org/papers/BeckPledgeUnveilBSDCan2018.pdf
======
Panino
Awesome!

Given the Chrome example starting on page 6, here's my guess as to how pledge
and unveil will contain Chrome to e.g. protect SSH keys. First, 3 of the 5
Chrome processes are already pledged to disallow filesystem reads. The two
remaining ones (RenderProcess and UtilityProcess) can be unveiled to allow
directories like

      * ~/.config/chromium
      * ~/.cache/chromium
      * ~/Downloads
      * /tmp
      * and anything important I don't know of

Additionally, if unveil works like pledge and can be further restricted after
e.g. reading files into memory, unveils can then be undone. Anyone know if the
following would work to first allow access to /tmp and then revoke that
access?

      unveil("/tmp", "rw");
      /* do some work */
      unveil("/tmp", "");

~~~
toxik
Shouldn't it be veil()?

~~~
badsectoracula
The idea is that everything is "veiled" and you "unveil" the stuff you need
access to.

~~~
gpvos
Yes, but the weird thing is that before you call unveil, _everything_ is
already unveiled, which is not in sync with the dictionary definition of
unveiling. I hope a better name is found.

~~~
notaplumber
It's unveiling in the context of pledge, as you explicitly declare the things
to be unveiled.

~~~
gpvos
Your comment made me try to look up the exact semantics of unveil(2). It was a
bit hard to find (I could only find something on its predecessor pledgepath),
but apparently, unveil doesn't take effect immediately, but only at an
invocation of pledge(2) (which usually follows immediately after it). That was
not at all clear from TFA.

------
akavel
The PDF has no introduction section, seems to be aimed at people who already
know what it's talking about. Can anyone shed some light on what is the idea
here? I honestly don't understand what's going on, apart from that it seems to
be some security-related feature (or actually two of them?)

~~~
sigjuice
pledge is seccomp

~~~
brynet
Not at all, for example you can't implement the ratcheting down semantics of
pledge() using seccomp. Say starting with a broader promise set "stdio rpath
recvfd", and then dropping to "stdio" after full init.

pledge() can also be found in over 85% of OpenBSD's base system.
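
The two-stage confinement sketched in Panino's Chromium comment (unveil an allow-list of directories, then pledge) and the ratcheting brynet describes (start broad, drop to "stdio" after init) fit together in one pattern. The following is an added example, not code from the slides or from OpenBSD: it unveils a handful of directories, locks the unveil list, pledges a start-up promise set, and later narrows it. pledge(2) only ever shrinks a promise set (a widening attempt fails with EPERM), so the ratchet step checks subset-ness up front to give a clearer error. Assumptions: the directory list and the promise strings are illustrative, and on hosts without unveil()/pledge() (anything but OpenBSD) the two calls are replaced by no-op stand-ins so the sequence still compiles; nothing is enforced there. Whether a second unveil() of the same path can take permissions away again, as asked upthread, is left to unveil(2) and not assumed here.

```c
/*
 * Added example, not from the slides or from OpenBSD: the unveil(2) +
 * pledge(2) ratchet. Fix the file-system view, pledge a broad set for
 * start-up, then narrow it. Assumption: on non-OpenBSD hosts the two
 * syscalls are no-op stand-ins so this compiles; nothing is enforced.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
static int unveil(const char *p, const char *perms) { (void)p; (void)perms; return 0; }
static int pledge(const char *pr, const char *ex) { (void)pr; (void)ex; return 0; }
#endif

struct unveil_entry {
    const char *path;
    const char *perms;   /* combination of "r", "w", "x", "c" */
};

/* Reject permission strings unveil(2) would not accept, before asking it. */
static int perms_valid(const char *perms)
{
    return perms != NULL && strspn(perms, "rwxc") == strlen(perms);
}

/* True if every space-separated promise in `narrow` also appears in
 * `broad`: the condition a ratchet step must satisfy. */
static int promises_subset(const char *narrow, const char *broad)
{
    char buf[256];
    if (strlen(narrow) >= sizeof buf)
        return 0;
    strcpy(buf, narrow);
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        size_t len = strlen(tok);
        const char *p = broad;
        int found = 0;
        while (!found && (p = strstr(p, tok)) != NULL) {
            found = (p == broad || p[-1] == ' ') &&
                    (p[len] == '\0' || p[len] == ' ');
            p++;
        }
        if (!found)
            return 0;
    }
    return 1;
}

/* Stage 1: unveil the allow-list, lock it, pledge what start-up needs. */
static int confine_init(const struct unveil_entry *ents, size_t n,
                        const char *init_promises)
{
    for (size_t i = 0; i < n; i++) {
        if (!perms_valid(ents[i].perms)) {
            errno = EINVAL;
            return -1;
        }
        if (unveil(ents[i].path, ents[i].perms) == -1)
            return -1;
    }
    if (unveil(NULL, NULL) == -1)   /* lock: no further unveil() calls */
        return -1;
    return pledge(init_promises, NULL);
}

/* Stage 2: once init is done, drop to the steady-state set. */
static int confine_ratchet(const char *init_promises, const char *steady)
{
    if (!promises_subset(steady, init_promises)) {
        errno = EPERM;   /* the error pledge(2) itself would give */
        return -1;
    }
    return pledge(steady, NULL);
}

int main(void)
{
    /* Part of the allow-list sketched upthread for a Chromium child. */
    const char *home = getenv("HOME") ? getenv("HOME") : "/nonexistent";
    char cfg[512], dl[512];
    snprintf(cfg, sizeof cfg, "%s/.config/chromium", home);
    snprintf(dl, sizeof dl, "%s/Downloads", home);
    const struct unveil_entry ents[] = {
        { cfg, "rwc" }, { dl, "rwc" }, { "/tmp", "rwc" },
    };
    const char *init_promises = "stdio rpath wpath cpath";

    if (confine_init(ents, sizeof ents / sizeof ents[0], init_promises) == -1) {
        perror("confine_init");
        return 1;
    }
    /* ... read config, open caches, load what is needed ... */
    if (confine_ratchet(init_promises, "stdio") == -1) {
        perror("confine_ratchet");
        return 1;
    }
    /* On OpenBSD, from here any open(2) outside the promises is a pledge
       violation (SIGABRT); ~/.ssh was never unveiled, so even during
       start-up it looks like ENOENT. */
    puts("confined");
    return 0;
}
```

The order matters: the unveil list is locked before the first pledge, and the promise string used for start-up deliberately omits "unveil", so nothing after init can reopen the file-system view. On OpenBSD, replacing the stand-ins with the real system calls changes nothing in the code above; only the enforcement appears.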

~~~
agumonkey
Brings me to the next question: are there Linux equivalents?

~~~
2trill2spill
There's Capsicum for Linux[1]. It's a port of Capsicum[2] from FreeBSD to
Linux. Capsicum was a joint project between the FreeBSD Foundation, Cambridge
and Google to create a hybrid capabilities framework. But Capsicum allows
developers to do the same privilege dropping that pledge does. However,
Capsicum is more fine-grained than pledge, so it's less easy to use. Also,
Capsicum for Linux is currently out of tree.

[1]: [http://www.capsicum-linux.org/](http://www.capsicum-linux.org/)
[2]: [https://www.freebsd.org/cgi/man.cgi?capsicum(4)](https://www.freebsd.org/cgi/man.cgi?capsicum(4))

~~~
jpeeler
Link #1 is neat for Linux users, but Google seems to have stopped updating
Capsicum after v4.11 (which was released April 2017).

------
brynet
These are the slides from Bob Beck (beck@'s) talk at BSDCan 2018 (Jun 8-9th),
apparently missing its first page... [0]

[http://www.bsdcan.org/2018/schedule/events/968.en.html](http://www.bsdcan.org/2018/schedule/events/968.en.html)

Video should eventually show up on YouTube.

[0]
[https://twitter.com/bob_beck/status/1005162340956794880](https://twitter.com/bob_beck/status/1005162340956794880)
;-)

~~~
brynet
A somewhat related talk from BSDCan was Florian Obser's slaacd(8) - "A
privilege separated and sandboxed IPv6 Stateless Address AutoConfiguration
Daemon"

[https://www.openbsd.org/papers/florian_slaacd_bsdcan2018.pdf](https://www.openbsd.org/papers/florian_slaacd_bsdcan2018.pdf)

[http://www.bsdcan.org/2018/schedule/events/929.en.html](http://www.bsdcan.org/2018/schedule/events/929.en.html)

------
zdw
Nice. Back in earlier versions of pledge(2), there was another argument that
took paths to allow fs access on, as unveil(2) is doing, but it was never
supported/implemented. (see
[http://man.openbsd.org/OpenBSD-6.0/pledge.2](http://man.openbsd.org/OpenBSD-6.0/pledge.2)
for the old syntax)

------
teamhappy
Does anybody here know when the videos will be up?

