Thursday, 8 October 2015

OpenBSD's tame

Hi folks,

I heard and read quite a bit about the recent introduction of the tame API inside OpenBSD, so I took the opportunity, on my OpenBSD laptop, to give it a try. Indeed, limiting the syscalls available to a specific C application or library is quite appealing, whereas I remember trying the seccomp Linux API (and its great complexity) one or two years ago; I guessed, just by looking at the single tame function signature, that life would get a lot easier :-)

So let's say I have an application which is supposed to read a file and allocate some memory dynamically ... So no network operations, no forking itself and so on ... really just those!

Simple: the tame API works per group of functions, so in our case the malloc and rw groups (or simply stdio!). One caveat: the file has to be opened before tame is called, because stdio only covers reads and writes on descriptors the process already holds; opening a new path afterwards would need the rpath group as well.

if (tame("stdio", NULL) == -1) {
       errx(1, "tame failed: %s", strerror(errno));   /* needs <err.h>, <errno.h>, <string.h> */
}

In case the application somehow tries a disallowed call, like simply these ...
if (chroot("/mnt/chroot") == -1)
       err(1, "chroot");
if (chdir("/") == -1)
       err(1, "chdir");

The process receives a SIGKILL signal (or a SIGABRT if abort is set), and the signal cannot be caught. Kind of "brutal", though for a simple case that's fine; in a complex application I might appreciate shutting the application down a bit more ... smoothly. Also, the trade-off between ease and flexibility is visible: you may wish to have more fine-grained control, maybe per function as well, but we can't have everything, maybe later ... But having tame as it is, is already pretty good; with all the types of threats, restricting their surface is important, and OpenBSD needed to come up with a solution, and they did!
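As an added example (my own code, not from the post or from OpenBSD), here is the program described above in full: it opens its input first, then calls tame("stdio", NULL), and from that point only reads from the descriptor it already holds. Two things are assumptions: the tame prototype is declared by hand because the page names no header, and on systems without tame a no-op shim stands in so the file still compiles there (nothing is enforced outside an OpenBSD snapshot with tame(2)). The sample input file is constructed by the program itself.

```c
/* Added example: open before restricting, then read under tame("stdio"). */
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
int tame(const char *request, const char *paths[]); /* hand-declared (assumption) */
#else
/* Portability shim (assumption): restricts nothing outside OpenBSD. */
static int tame(const char *request, const char *paths[])
{
	(void)request;
	(void)paths;
	return 0;
}
#endif

/* Read until EOF or the buffer is full, NUL-terminate; bytes read or -1. */
static ssize_t read_all(int fd, char *buf, size_t bufsz)
{
	size_t off = 0;

	while (off < bufsz - 1) {
		ssize_t n = read(fd, buf + off, bufsz - 1 - off);
		if (n == 0)
			break;
		if (n == -1) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		off += (size_t)n;
	}
	buf[off] = '\0';
	return (ssize_t)off;
}

/* Close fd without clobbering the errno the caller wants to report. */
static int fail_close(int fd)
{
	int saved = errno;

	close(fd);
	errno = saved;
	return -1;
}

/*
 * open(2) takes a path, which "stdio" alone does not cover, so it happens
 * BEFORE tame(). After tame("stdio") only read/write/close on existing
 * descriptors, memory allocation and exit remain. Returns 0 or -1 (errno set).
 */
int restricted_read(const char *path, char *buf, size_t bufsz)
{
	int fd = open(path, O_RDONLY);

	if (fd == -1)
		return -1;
	/* Refusing to continue unrestricted is the safer failure mode. */
	if (tame("stdio", NULL) == -1)
		return fail_close(fd);
	/* From here on, chroot(), chdir() or socket() would not return -1:
	 * the kernel kills the process with an uncatchable signal. */
	if (read_all(fd, buf, bufsz) == -1)
		return fail_close(fd);
	close(fd);
	return 0;
}

/* Constructed sample input so the example runs offline; 0 or -1. */
int write_sample(const char *path)
{
	FILE *f = fopen(path, "w");
	int ok;

	if (f == NULL)
		return -1;
	ok = fputs("hello from tame\n", f) != EOF;
	if (fclose(f) == EOF)
		ok = 0;
	return ok ? 0 : -1;
}

int main(int argc, char *argv[])
{
	char buf[256];
	const char *path = argc > 1 ? argv[1] : "tame_example.txt";

	if (argc == 1 && write_sample(path) == -1)
		err(1, "%s", path);
	if (restricted_read(path, buf, sizeof buf) == -1)
		err(1, "%s", path);
	fputs(buf, stdout);
	return 0;
}
```

Run it with no arguments to read the constructed file, or pass a path of your own; on a tame-enabled OpenBSD, adding a chroot() or chdir() call after the tame() line is the quickest way to see the kill described above.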


