#+SETUPFILE: ~/.emacs.d/org-templates/projects.org
#+EXPORT_FILE_NAME: index
#+TITLE: Pavo

Pavo wraps other programs with /unveil/ & /pledge/.

*Note*: This is still a work in progress, just the progress is very slow.
I still think this is a neat idea, will complete this someday.

*Note*: Someone made this & posted it on =misc@=.
#+BEGIN_QUOTE
[ANNOUNCE] pledge(1): an unprivileged sandboxing tool for OpenBSD
https://marc.info/?l=openbsd-misc&m=160070752916257&w=2
#+END_QUOTE

| Project Home    | [[https://andinus.nand.sh/pavo/][Pavo]]           |
| Source Code     | [[https://git.tilde.institute/andinus/pavo][Andinus / Pavo]] |
| GitHub (Mirror) | [[https://github.com/andinus/pavo][Pavo - GitHub]]  |

*Tested on*:
- OpenBSD 6.6 amd64

*Note*: This program has only been tested to work with /echo/, it fails with
many other commands.

* Working
- Pavo parses the config file
- Directories & commands are unveiled
- Execpromises are added
- Unveil calls are blocked
- Command is executed
* How is it useful?
Let's take =echo= as an example. =echo='s job is to echo what you pass to
it. It should never touch your =$HOME/.ssh=, let's say the next =echo=
update is malicious & it tries to send your =$HOME/.ssh= to the attacker's
servers. It will be able to do that but not if you wrap it around pavo.

=pavo echo= will parse the config & force /unveil/ & /pledge/ on the malicious
=echo=, it won't be able to read your =$HOME/.ssh= directory if it isn't
present in pavo's config. Also uploading the file to the internet will
kill the program immediately.

This assumes that pavo's config file is secure in the first place, if it
isn't then the attacker could simply change it. Also, =echo= is a bad
example for this.

Let's take another example. Let's say you want to run a binary
downloaded from the internet, you kinda trust that person (you don't) &
they say that the binary is a simple ascii game & will just print to
terminal, do nothing else. You could wrap this binary around pavo before
running it & give it limited permissions, like don't unveil anything &
put only =stdio= in execpromises.

If that binary tries to do anything apart from =stdio= the program will be
killed.

- Pavo's config file should be unwriteable at rest
- The config file should only be writeable by the user
* Installation
** Pre-built binaries
Pre-built binaries are available for OpenBSD (386, amd64, arm, arm64).

Example config file can be [[https://github.com/andinus/pavo/blob/master/configs/pavo.json][downloaded here]].
*** v0.1.0
Download the binaries from [[https://archive.org/details/pavo-v0.1.0][archive.org]]

*Example URL*: =https://archive.org/download/pavo-v0.1.0/pavo-v0.1.0-openbsd-386=
| Arch  | SHA256                                                           |
|-------+------------------------------------------------------------------|
| 386   | 926d6009567fec6c270eea16d380b58f396be6f1d51d513ff0e43286760f4fa9 |
| amd64 | b0fadad9e0328377b31eb70d369a0e2b91f851310e579abab4023496776798ca |
| arm   | 0033409f32569c2f59879bb256854b7c6f1043ebf3fe548c7ee4d9b7132839ea |
| arm64 | b75648c5a3b76d51cad63172ec164eff4974a6a4cca453fe41441d556fa04a07 |