-
Notifications
You must be signed in to change notification settings - Fork 0
/
abstain.1
200 lines (200 loc) · 3.88 KB
/
abstain.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
.Dd $Mdocdate$
.Dt ABSTAIN 1
.Os
.Sh NAME
.Nm abstain
.Nd selectively disallow
.Xr pledge 2
promises for program execution
.Sh SYNOPSIS
.Nm abstain
.Op Fl lev
.Op Fl p Ar promise Ns Op Ar ,promise,...
.Op Fl p Ar promise Ns Op Ar ,promise,...
.Ar binary Op Ar arguments Ar ...
.Sh DESCRIPTION
.Nm
executes a
.Ar binary
with
.Pq optional
.Ar arguments
using
.Xr pledge 2
.Em execpromises .
Unlike
.Xr pledge 2 Ns 's
syntax of specifying arguments for
.Em addition ,
.Nm Ns 's
.Ar promises
are listed for
.Em subtraction .
This means that without any
.Fl p
.Ar promises ,
the maximal number of
.Xr pledge 2
.Ar promises
are permitted.
.Po
This doesn't mean that no restrictions are imposed by
.Xr pledge 2 .
.Pc
To disallow
.Ar promises ,
specify them with
.Fl p
in a comma-separated list and/or with multiple
.Fl p
arguments.
.Pp
.Nm
imposes a
.Xr pledge 2
.Em promise set
on the application
.Em as a whole .
Depending on the nature of the application, it could fail to launch or abort execution at a later stage when a
.Xr pledge 2
violation occurs.
.Pp
Due to the nature of
.Em execpromises ,
the restrictions will propagate to children of the application and new processes spawned by
.Xr execve 2
.Po
see the
.Xr make 1
example below
.Pc .
.Pp
The
.Sq error
.Ar promise
is disabled by default, but can be added with
.Fl e .
.Pp
The
.Fl l
flag prints all possible
.Ar promises
to the standard output.
.Pp
Use
.Fl v
to display the command passed to
.Xr execvp 3
and the
.Em execpromises .
.Sh EXAMPLES
Prohibit file system modification:
.Bd -literal -offset indent
$ abstain -p wpath,cpath,dpath,fattr,chown binary arguments
.Ed
.Pp
If you run with
.Ar kern.audio.record
and/or
.Ar kern.video.record
enabled
.Po
see
.Xr sysctl 8 ,
not recommended as default
.Pc ,
you can selectively prohibit audio/video access, here with
.Xr video 1 :
.Bd -literal -offset indent
$ abstain -p audio,video video
Abort trap (core dumped)
.Ed
.Pp
Use
.Fl e
so that the program will receive
.Dv ENOSYS
instead of
.Dv SIGABRT:
.Bd -literal -offset indent
$ abstain -ep audio,video video
video: VIDIOC_QUERYCAP: Function not implemented
video: ioctl STREAMOFF: Function not implemented
.Ed
.Pp
Prohibit network access, for example to assess if a build system truly runs in offline mode:
.Bd -literal -offset indent
$ abstain -p inet make
curl https://example.com/ -o /tmp/example.com.html
Abort trap (core dumped)
*** Error 134 in /tmp (Makefile:2 'all')
.Ed
.Pp
And now with
.Fl e :
.Bd -literal -offset indent
$ abstain -ep inet make
curl https://example.com/ -o /tmp/example.com.html
\&...
curl: (7) Failed to connect to example.com port [...]
*** Error 7 in /tmp (Makefile:2 'all')
.Ed
.Pp
If
.Nm
encounters a less restrictive
.Xr pledge 2
call,
an error is thrown by
.Xr pledge 2
that needs to be handled by the calling program:
.Bd -literal -offset indent
$ abstain -p cpath touch /tmp/test
touch: pledge: Operation not permitted
$ file /tmp/test
/tmp/test: cannot stat '/tmp/test' (No such file or directory)
.Ed
.Sh EXIT STATUS
As
.Nm
calls
.Xr execvp 3 ,
it has no process to return to.
If any error occurs prior to
.Xr execvp 3 ,
.Nm
will return -1.
.Sh SEE ALSO
.Xr pledge 2
.Xr execvp 3
.Xr unveilro 1
.Sh AUTHORS
.An -nosplit
.An Thomas Frohwein Aq Mt [email protected]
.Sh CAVEATS
Due to the nature of
.Xr pledge 2
.Em execpromises ,
the restrictions are applied to the entire program invoked by
.Xr execvp 3 ,
including future processes spawned by other calls to
.Xr execve 2
and related syscalls.
The only way to apply more fine-grained
.Xr pledge 2
is direct source modification of the program in question.
.Pp
If a program calls
.Xr pledge 2
with
.Ar promises
prohibited by
.Nm ,
this will lead to an error.
Depending on the program's error handling, this could cause an inconsistent state and potentially a failure to invoke a reduction in other
.Xr pledge 2
promises.
.Pp
Use of
.Fl e
can lead to an inconsistent state of the program and therefore should be used judiciously.