pledge(2): OpenBSD’s defensive approach to OS Security
Hello there,
I would like to introduce you all to the pledge(2)
which is used to restrict the system operations and supported only on OpenBSD at the time of writing the blog.
I am learning about OpenBSD kernel internals and development and would like to share some tips on how to learn about OpenBSD kernel internals and development.
Following materials I followed while learning about BSD kernel internals:
- the book “The design and implementation of the BSD operating system” by Kirk McKusick
- OpenBSD source code
- man pages and few presentations-papers on OpenBSD
- ask in mailing lists and OpenBSD Facebook group.
What is pledge(2)?
“pledge” refers to “a solemn promise or undertaking”
So, as in OpenBSD context:
Calling pledge(2) in a program means the program is promissing to the kernel that it will only use the resources which it informs about prior using them
For example: if a user-space program promises kernel to use only IO family calls then it can not perform/call any other family calls like network, process, etc. if it will try to call the other calls without prior informing to kernel then the kernel will abort() the process. How does it make a program more secure?
By limiting the operations of a program. For example:
- we write a program named “abc” that only needed the stdio to just print something to stdout
- then we have to add pledge to use only stdio.
- then, a malicious user found out that there is a vulnerability in our program which one can exploit to get into shell.
- exploiting our program to open a shell will result in the kernel killing the process with SIGABRT, which can not be catch/ignore and generate a log in the dmesg
- this happens because opening a shell out of current program needs others family operations like we need fork(2) which resides in “proc” and execution is in “exec” then for network activities “net” but these are not promissed to kernel so calling apis from such family will be forbidden and leads to abort()
after discussing with the developers, they mentioned that pledge(2) is not a system call filter. So, it is not used to restrict system calls, instead of that pledge(2) works on subset promise families like stdio, dns, inet, proc, net etc. but not directly on system calls like read, write, fork, etc.
pledge("read", NULL)
: incorrect way of using pledge(2)
pledge("stdio inet", NULL)
: correct way of using pledge(2)
and, based on the discussion with the developers they mentioned that pledge(2) works on behavioral approach not just like 1:1 approach with the system calls.
On 11 December 2017, Theo de Raadt said:
List: openbsd-tech
Subject: pledge execpromises
From: Theo de Raadt
Date: 2017-12-11 21:20:51
Message-ID: 6735.1513027251 () cvs ! openbsd ! org
This will probably be committed in the next day or so.
The 2nd argument of pledge() becomes execpromises, which is what
will gets activated after execve.
There is also a small new feature called "error", which causes
violating system calls to return -1 with ENOSYS rather than killing
the process. This must be used with EXTREME CAUTION because libraries
and programs are full of unchecked system calls. If you carry on past
one of these failures, your program is in uncharted territory and
risks of exploitation become high.
"error" is being introduced for a different reason: The pre-exec
process's expectation of what the post-exec process will do might
mismatch, so "error" allows things like starting an editor which has
no network access or maybe other restrictions in the future...
previously it was:
#include <unistd.h>
int pledge(const char *promises, const char *paths[]);
and now it is,
#include <unistd.h>
int pledge(const char *promises, const char *execpromises);
as per OpenBSD 6.2 stable and at the time of writing the blog, developers are still using pledge(const char *promises, const char *paths[])
so our focus will be on the same
How to use pledge() in a program? Let’s take a simple hello world example:
|
|
In the above example, the program takes pledge that it will only use stdio operations.
Now, if the above program tries to open network socket(2) or any other operation like fork(2), then the kernel will kill this program with SIGABRT signal.
Let’s take another example:
|
|
In the above code snippet, the first parameter of pledge(2) is empty and according to OpenBSD man page,
A promises value of "" restricts the process to the _exit(2)
# cat sampe.c
#include <unistd.h>
#include <stdio.h>
int
main() {
if(pledge("stdio",NULL) == -1) {
err(1,"pledge");
}
printf("Pledged\n");
return 0;
}
# ./testing
Pledged
#
# vim sampe.c
# gcc -o testing_reduced sampe.c
# cat sampe.c
#include <unistd.h>
#include <stdio.h>
int
main() {
if(pledge("",NULL) == -1) {
err(1,"pledge");
}
printf("Pledged\n");
return 0;
}
# ./testing_reduced
Abort trap (core dumped)
#
Introduction on the working of pledge(2) - kernel internals⌗
This part was a little difficult to understand at first. I am very thankful to OpenBSD developers: Marc Espie, Benny Löfgren, Bob Beck, Stuart Henderson and Otto Moerbeek for giving their precious time and resolving queries related to kernel internals of pledge(2).
pledge("stdio", NULL); or pledge("stdio inet proc route dns", NULL)
the above string is split into separate words like “stdio” or “‘stdio’, ‘inet’, ‘proc’, ‘route’, ‘dns’”
after that these split words perform look-up operation from pledgereq[]
array and if found then their respective flags will return
Following pledgereq[]
array:
static const struct {
char *name;
uint64_t flags;
} pledgereq[] = {
{ "audio", PLEDGE_AUDIO },
{ "bpf", PLEDGE_BPF },
{ "chown", PLEDGE_CHOWN | PLEDGE_CHOWNUID },
{ "cpath", PLEDGE_CPATH },
{ "disklabel", PLEDGE_DISKLABEL },
{ "dns", PLEDGE_DNS },
{ "dpath", PLEDGE_DPATH },
{ "drm", PLEDGE_DRM },
{ "error", PLEDGE_ERROR },
{ "exec", PLEDGE_EXEC },
{ "fattr", PLEDGE_FATTR | PLEDGE_CHOWN },
{ "flock", PLEDGE_FLOCK },
{ "getpw", PLEDGE_GETPW },
{ "id", PLEDGE_ID },
{ "inet", PLEDGE_INET },
{ "mcast", PLEDGE_MCAST },
{ "pf", PLEDGE_PF },
{ "proc", PLEDGE_PROC },
{ "prot_exec", PLEDGE_PROTEXEC },
{ "ps", PLEDGE_PS },
{ "recvfd", PLEDGE_RECVFD },
{ "route", PLEDGE_ROUTE },
{ "rpath", PLEDGE_RPATH },
{ "sendfd", PLEDGE_SENDFD },
{ "settime", PLEDGE_SETTIME },
{ "stdio", PLEDGE_STDIO },
{ "tape", PLEDGE_TAPE },
{ "tmppath", PLEDGE_TMPPATH },
{ "tty", PLEDGE_TTY },
{ "unix", PLEDGE_UNIX },
{ "unveil", PLEDGE_UNVEIL },
{ "vminfo", PLEDGE_VMINFO },
{ "vmm", PLEDGE_VMM },
{ "wpath", PLEDGE_WPATH },
{ "wroute", PLEDGE_WROUTE },
};
pledgereq array contains macro for every promises; for example, stdio relates to PLEDGE_STDIO. Now, these macros expand into their specific hex pledge values, like PLEDGE_STDIO
expands to 0x0000000000000008ULL
For other macros and their expansions as mentioned below:
#include <sys/cdefs.h;>
/*
* pledge(2) requests
*/
#define PLEDGE_ALWAYS 0xffffffffffffffffULL
#define PLEDGE_RPATH 0x0000000000000001ULL /* allow open for read */
#define PLEDGE_WPATH 0x0000000000000002ULL /* allow open for write */
#define PLEDGE_CPATH 0x0000000000000004ULL /* allow creat, mkdir, unlink etc */
#define PLEDGE_STDIO 0x0000000000000008ULL /* operate on own pid */
#define PLEDGE_TMPPATH 0x0000000000000010ULL /* for mk*temp() */
#define PLEDGE_DNS 0x0000000000000020ULL /* DNS services */
#define PLEDGE_INET 0x0000000000000040ULL /* AF_INET/AF_INET6 sockets */
#define PLEDGE_FLOCK 0x0000000000000080ULL /* file locking */
#define PLEDGE_UNIX 0x0000000000000100ULL /* AF_UNIX sockets */
#define PLEDGE_ID 0x0000000000000200ULL /* allow setuid, setgid, etc */
#define PLEDGE_TAPE 0x0000000000000400ULL /* Tape ioctl */
#define PLEDGE_GETPW 0x0000000000000800ULL /* YP enables if ypbind.lock */
#define PLEDGE_PROC 0x0000000000001000ULL /* fork, waitpid, etc */
#define PLEDGE_SETTIME 0x0000000000002000ULL /* able to set/adj time/freq */
#define PLEDGE_FATTR 0x0000000000004000ULL /* allow explicit file st_* mods */
#define PLEDGE_PROTEXEC 0x0000000000008000ULL /* allow use of PROT_EXEC */
#define PLEDGE_TTY 0x0000000000010000ULL /* tty setting */
#define PLEDGE_SENDFD 0x0000000000020000ULL /* AF_UNIX CMSG fd sending */
#define PLEDGE_RECVFD 0x0000000000040000ULL /* AF_UNIX CMSG fd receiving */
#define PLEDGE_EXEC 0x0000000000080000ULL /* execve, child is free of pledge */
#define PLEDGE_ROUTE 0x0000000000100000ULL /* routing lookups */
#define PLEDGE_MCAST 0x0000000000200000ULL /* multicast joins */
#define PLEDGE_VMINFO 0x0000000000400000ULL /* vminfo listings */
#define PLEDGE_PS 0x0000000000800000ULL /* ps listings */
#define PLEDGE_DISKLABEL 0x0000000002000000ULL /* disklabels */
#define PLEDGE_PF 0x0000000004000000ULL /* pf ioctls */
#define PLEDGE_AUDIO 0x0000000008000000ULL /* audio ioctls */
#define PLEDGE_DPATH 0x0000000010000000ULL /* mknod & mkfifo */
#define PLEDGE_DRM 0x0000000020000000ULL /* drm ioctls */
#define PLEDGE_VMM 0x0000000040000000ULL /* vmm ioctls */
#define PLEDGE_CHOWN 0x0000000080000000ULL /* chown(2) family */
#define PLEDGE_CHOWNUID 0x0000000100000000ULL /* allow owner/group changes */
#define PLEDGE_BPF 0x0000000200000000ULL /* bpf ioctl */
#define PLEDGE_ERROR 0x0000000400000000ULL /* ENOSYS instead of kill */
#define PLEDGE_WROUTE 0x0000000800000000ULL /* interface address ioctls */
#define PLEDGE_UNVEIL 0x0000001000000000ULL /* allow unveil() */
/*
* Bits outside PLEDGE_USERSET are used by the kernel itself
* to track program behaviours which have been observed.
*/
#define PLEDGE_USERSET 0x0fffffffffffffffULL
#define PLEDGE_STATLIE 0x4000000000000000ULL
#define PLEDGE_YPACTIVE 0x8000000000000000ULL /* YP use detected and allowed */
now, all PLEDGE_* macros will perform or("|") operation with each other and as per the promises in the pledge(2) from (user-space) pseudo algorithm for better understanding given below:
uint64_t flags=0
for content_of_PLEDGE_macro from ["stdio", "inet", "proc", "dns", "proc", "route"]
flags |= content_of_PLEDGE_macro
ps_pledge = flags
Calculation of pledge_bit (pledge value) in kernel mode, (only for demonstration and understanding the concept better):
|
|
Output:
test@openbsd:~$ python pledge_python.py "stdio"
pledge_bits :0x8
test@openbsd:~$
test@openbsd:~$ python pledge_python.py "stdio inet proc route dns"
pledge_bits :0x101068
test@openbsd:~$
test@openbsd:~$ python pledge_python.py "stdio abcd"
'abcd': Undefined promise(s) made
test@openbsd:~$
test@openbsd:~$ python pledge_python.py ""
ABRT (SIGABRT)
there are lots of features and more detailed internals pending to cover which we will be discussing some other time in future
but I will suggest and encourage everyone to read the user and kernel code of the pledge(2) to get more understanding about the internals sys/kern/kern_pledge.c
.
One of the interesting part about pledge(2) is that the pledge(2) does check that you never go in increasing the pledge flags once a process gets pledged. So, it works mainly in decreasing order.
Finally!!
If something is missing or not correct, please feel free to update.