path: root/README.org
Diffstat (limited to 'README.org')
-rw-r--r--README.org27
1 files changed, 27 insertions, 0 deletions
diff --git a/README.org b/README.org
index d97dc4d..fb7e3ea 100644
--- a/README.org
+++ b/README.org
@@ -18,3 +18,30 @@ Pavo wraps other programs with /unveil/ & /pledge/.
 - Execpromises are added
 - Unveil calls are blocked
 - Command is executed
+* How is it useful?
+Let's take =echo= as an example. =echo='s job is to echo what you pass to
+it. It should never touch your =$HOME/.ssh=, let's say the next =echo=
+update is malicious & it tries to send your =$HOME/.ssh= to the attacker's
+servers. It will be able to do that but not if you wrap it around pavo.
+
+=pavo echo= will parse the config & force /unveil/ & /pledge/ on the malicious
+=echo=, it won't be able to read your =$HOME/.ssh= directory if it isn't
+present in pavo's config. Also uploading the file to the internet will
+kill the program immediately.
+
+This assumes that pavo's config file is secure in the first place, if it
+isn't then the attacker could simply change it. Also, =echo= is a bad
+example for this.
+
+Let's take another example. Let's say you want to run a binary
+downloaded from the internet, you kinda trust that person (you don't) &
+they say that the binary is a simple ascii game & will just print to
+terminal, do nothing else. You could wrap this binary around pavo before
+running it & give it limited permissions, like don't unveil anything &
+put only =stdio= in execpromises.
+
+If that binary tries to do anything apart from =stdio= the program will be
+killed.
+
+- Pavo's config file should be unwriteable at rest
+- The config file should only be writeable by the user
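Review bot: the two closing bullets contradict each other as written: "should be unwriteable at rest" and "should only be writeable by the user" cannot both hold unless the first means "not writeable by anyone other than the user, and write-protected when not being edited"; say which is meant, since the preceding paragraph already states that the whole scheme collapses if an attacker can edit the config, so the exact rule matters. The bullets also sit under no heading and follow a blank line, so in Org they read as a stray list rather than part of "How is it useful?"; either add a short heading such as a "Caveats" subheading or fold them into the paragraph that starts "This assumes that pavo's config file is secure". The first example undercuts itself: after four sentences about a malicious =echo= the text concedes "=echo= is a bad example for this", so consider leading with the downloaded-binary example, which actually shows the intended use (no unveil entries, only =stdio= in execpromises), and dropping or shortening the =echo= one. Minor wording: "wrap it around pavo" in two places should be "wrap it with pavo" (the binary is wrapped by pavo, not the other way round), and "ascii game" should be "ASCII game".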