Thanks for the info. Does that mean there are some functions that aren't
covered by any of the available promises? If so I guess this ioctl() might be
an example.

I'm not actually trying to pledge everything - that was just me trying to find
out what promises I need so I added all of them. I was hoping to be able to
start with a larger set and then slim down to a smaller set after setup. Looks
like that might not be possible then I guess.

Thanks,
Roy

-----Original Message-----
From: Theo de Raadt <deraadt@openbsd.org>
Sent: 27 January 2023 17:05
To: roy hills <royhills@hotmail.com>
Cc: misc@openbsd.org
Subject: Re: ioctl BIOCVERSION command causes SIGABRT after pledge(2) with all promises from the manpage

pledge("everything", NULL) is not the same as not calling pledge.

roy hills <royhills@hotmail.com> wrote:
> I'm using pledge(2) to harden an application on OpenBSD, but cannot
> find a promise that will allow it to run. Even after adding all the
> promises listed in the pledge manpage (apart from "error") it still
> fails with SIGABRT.
>
> I'm calling this:
>
> pledge("stdio rpath wpath cpath dpath tmppath inet mcast fattr chown "
> "flock unix dns getpw sendfd recvfd tape tty proc exec "
> "prot_exec settime ps vminfo id pf route wroute audio video "
> "bpf unveil", NULL);
>
> and getting this:
>
> openbsd72$ kdump | tail
> 71505 arp-scan RET kbind 0
> 71505 arp-scan CALL open(0xf00c9939b8a,0x2<O_RDWR>)
> 71505 arp-scan NAMI "/dev/bpf"
> 71505 arp-scan RET open 3
> 71505 arp-scan CALL kbind(0x7f7ffffc9638,24,0x9e68113ba2b6b588)
> 71505 arp-scan RET kbind 0
> 71505 arp-scan CALL ioctl(3,BIOCVERSION,0x7f7ffffc9740)
> 71505 arp-scan PLDG ioctl, "tty", errno 1 Operation not permitted
> 71505 arp-scan PSIG SIGABRT SIG_DFL
> 71505 arp-scan NAMI "arp-scan.core"
>
> It is failing in the libpcap library, with the calling sequence:
> pcap_findalldevs() -> pcap_open_live() -> pcap_activate() -> ioctl()
>
> For context I'm applying the pledge patch from the OpenBSD arp-scan
> port to the upstream code on github. The initial patch, which pledges
> a small set of promises after setup is complete is working fine. But
> when I try to add a more extensive pledge() as the first statement in
> main(), I cannot find a set of promises that will allow it to run the setup code.
>
> Here's my outline of the planned changes from the pull request:
>
> "@sthen: this is the PR for your OpenBSD pledge(2) patch. I'm planning
> to extend it a bit by calling pledge initially as the very first thing
> in main() with the most that arp-scan will ever need, including rpath,
> wpath and perhaps others in addition to stdio dns bpf. Then, when
> we've parsed the args and opened files & sockets, call pledge again
> with a reduced set.
> Maybe could also tune the reduced set based on args - I suspect we
> don't need dns without --resolve.
>
> I was also considering changing the execpromises from NULL to ""
> (empty string). From my reading of the manpage, promises (and
> presumably also execpromises) of NULL mean don't change current
> settings (presumably everything) whereas an empty string means
> nothing (well apart from _exit(2)). It probably won't change much in
> practice, as the process would never be able to call execve(), but
> arp-scan doesn't ever fork() or execve() so I don't think we need any
> execpromises at all."
>
> Full details in this github pull request:
> https://github.com/royhills/arp-scan/pull/132
>
> Any ideas what I'm doing wrong?
>
> Thanks,
>
> Roy
>
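
An added example, not part of the original thread or of arp-scan: a small Python parser that finds PLDG records in kdump text and ties each one to the preceding CALL and to the path opened on that descriptor, using the records quoted above as constructed input. The function name, field names and regular expressions are assumptions of this example and cover only the record layout shown in the thread.

```python
import re

# Constructed sample: the kdump records quoted in the message above.
SAMPLE = """\
71505 arp-scan RET kbind 0
71505 arp-scan CALL open(0xf00c9939b8a,0x2<O_RDWR>)
71505 arp-scan NAMI "/dev/bpf"
71505 arp-scan RET open 3
71505 arp-scan CALL kbind(0x7f7ffffc9638,24,0x9e68113ba2b6b588)
71505 arp-scan RET kbind 0
71505 arp-scan CALL ioctl(3,BIOCVERSION,0x7f7ffffc9740)
71505 arp-scan PLDG ioctl, "tty", errno 1 Operation not permitted
71505 arp-scan PSIG SIGABRT SIG_DFL
71505 arp-scan NAMI "arp-scan.core"
"""

REC = re.compile(r"^\s*(\d+)\s+(\S+)\s+(CALL|NAMI|RET|PLDG|PSIG)\s+(.*)$")
PLDG = re.compile(r'^(\w+), "([^"]*)", errno (\d+)')
FD_CALL = re.compile(r"^\w+\((\d+),(\w+)")  # decimal fd, then the second argument

def pledge_violations(text):
    """Return one dict per PLDG record, with the fd resolved to its path."""
    fd_path, pending, last_call, found = {}, {}, {}, []
    for line in text.splitlines():
        m = REC.match(line)
        if not m:
            continue
        pid, proc, kind, rest = int(m[1]), m[2], m[3], m[4]
        if kind == "CALL":
            last_call[pid] = rest
            pending.pop(pid, None)
        elif kind == "NAMI" and last_call.get(pid, "").startswith("open"):
            pending[pid] = rest.strip('"')          # path being opened
        elif kind == "RET" and pid in pending:
            ok = re.match(r"open(?:at)? (\d+)$", rest)
            if ok:                                   # successful open: remember fd
                fd_path[(pid, int(ok[1]))] = pending.pop(pid)
        elif kind == "PLDG" and (p := PLDG.match(rest)):
            call = last_call.get(pid, "")
            arg = FD_CALL.match(call)
            found.append({
                "pid": pid, "proc": proc, "syscall": p[1],
                "reported": p[2], "errno": int(p[3]), "call": call,
                "request": arg[2] if arg else None,
                "path": fd_path.get((pid, int(arg[1]))) if arg else None,
            })
    return found
```

Calling `pledge_violations(SAMPLE)` returns a single record that names the ioctl request and the device it was issued on, which is the detail needed when deciding whether a call belongs before or after the pledge.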