OpenBSD Journal

p2k17 Hackathon Report: Anthony J. Bentley on firmware, games and securing pkg_add runs

Contributed by rueda on from the portable-gaming dept.

The next p2k17 report comes from Anthony J. Bentley (bentley@):

Back in April, Stefan Sperling (stsp@) asked if anyone was interested in using Atheros’s freely licensed sources to build firmware for athn(4) USB wireless cards. I never saw any takers on the mailing list, so when coming up with ideas to work on this hackathon I decided to give it a shot.

When I arrived in Berlin, Stefan had already started work on the same project. After a few days of back and forth with him and Stuart Henderson (sthen@), I came up with packages for a GCC cross-compiler, firmwares built with the cross-compiler, and a minimal patch for athn-firmware to install these firmwares.

The built firmware doesn’t perfectly match the precompiled firmware athn currently uses, so the wireless driver still needs some modifications to cope, but it hopefully won’t be too difficult to get things running. And since the source is available and freely licensed, potential future work includes both auditing the firmware and fixing any found bugs or vulnerabilities.

The next item I wanted to get done was mitigating potential danger in pkg_add(1). Some people might be unaware that pkg_add does more than just copy files from a package to the filesystem—it can execute code during installation too, if the packing list contains @exec. This is most often used for desktop software: such packages typically include special files containing menu entries, icons, filetype handlers, and so on, and use @exec to update a systemwide cache of these special files.

For example, every time the mgba-qt package is installed or updated, a program called update-desktop-database runs and adds the file mgba-qt.desktop to the desktop cache, so it shows up in your desktop’s programs menu. And every time the package is deleted, update-desktop-database removes mgba-qt.desktop from the desktop cache.

Notice the word “updated” in there. Yes, update-desktop-database runs once per package, every upgrade. It parses custom file formats—a task notorious in today’s world for being prone to vulnerabilities—and what’s parsed includes data from hundreds of potentially untrustworthy sources. And it does so as the superuser. This situation just screams for privilege reduction.

I mentioned it casually in the presence of Jasper Lievisse Adriaanse (jasper@)… and was happy to be greeted the next day with the news that he’d pledge(2)d the biggest risks: update-desktop-database, update-mime-database, and gtk-update-icon-cache! Nearly 800 packages run one of these programs on install, so modifying just these three makes a huge impact.

OpenBSD’s pledge() API is really well suited for this purpose. It locks down programs to a minimal subset of capabilities, perfect for processes we want to lock down for security reasons. It is also very simple to use, and the patches introduced to the tree are relatively unobtrusive.
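The report above describes two things: pkg_add(1) running @exec hooks such as update-desktop-database as root, and those hooks being pledge(2)d so that a bug in their parsers is contained. The following is an added illustration, not the patches Jasper or Anthony committed and not the real update-desktop-database: a toy cache builder that reads one constructed .desktop entry (standing in for mgba-qt.desktop) and pledges itself in two steps, first to plain file access and then, once every file it needs is already open, down to "stdio" before it parses anything. The no-op pledge() stand-in is an assumption so the program also builds outside OpenBSD; the cache format is a simplified mimeinfo.cache.

```c
/*
 * Added example: a toy update-desktop-database that ratchets its pledge(2)
 * down before parsing untrusted input. Not OpenBSD's, mgba's or
 * freedesktop's code.
 */
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/*
 * pledge(2) exists only on OpenBSD. This do-nothing stand-in is an
 * assumption made so the example builds elsewhere; it is not a real libc
 * function and grants no protection.
 */
static int
pledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
	return 0;
}
#endif

/* Constructed sample .desktop file, standing in for mgba-qt.desktop. */
static const char sample_desktop[] =
    "[Desktop Entry]\n"
    "Name=mGBA\n"
    "Exec=mgba-qt %f\n"
    "MimeType=application/x-gameboy-rom;application/x-gba-rom;\n";

/*
 * Find the MimeType= line in a .desktop buffer and append one
 * "mimetype=desktopfile" line per entry to out, like mimeinfo.cache does.
 * Returns the number of entries written, 0 if there is no MimeType line,
 * or -1 if an entry is not ';'-terminated or out is too small.
 */
int
build_cache(const char *desktop, const char *fname, char *out, size_t outlen)
{
	const char *p = strstr(desktop, "\nMimeType=");
	size_t used = 0;
	int n = 0;

	out[0] = '\0';
	if (p == NULL)
		return 0;
	p += strlen("\nMimeType=");
	while (*p != '\0' && *p != '\n') {
		const char *semi = strchr(p, ';');
		const char *eol = strchr(p, '\n');
		int w;

		/* The spec requires every entry to end in ';'. */
		if (semi == NULL || (eol != NULL && semi > eol))
			return -1;
		w = snprintf(out + used, outlen - used, "%.*s=%s\n",
		    (int)(semi - p), p, fname);
		if (w < 0 || (size_t)w >= outlen - used)
			return -1;	/* output buffer exhausted */
		used += (size_t)w;
		n++;
		p = semi + 1;
	}
	return n;
}

int
main(int argc, char *argv[])
{
	const char *cachepath = argc > 1 ? argv[1] : "mimeinfo.cache";
	char cache[1024];
	FILE *fp;
	int n;

	/* Step 1: file access only; no exec, no sockets, no other syscalls. */
	if (pledge("stdio rpath wpath cpath", NULL) == -1)
		err(1, "pledge");

	/*
	 * Open the output while "wpath cpath" are still allowed. A real tool
	 * would also open and read every .desktop file at this point.
	 */
	if ((fp = fopen(cachepath, "w")) == NULL)
		err(1, "%s", cachepath);

	/*
	 * Step 2: everything needed is open, so drop to "stdio" before
	 * touching untrusted input. "stdio" still permits I/O on open
	 * descriptors, and a parser bug can now at most crash this process.
	 */
	if (pledge("stdio", NULL) == -1)
		err(1, "pledge");

	n = build_cache(sample_desktop, "mgba-qt.desktop", cache, sizeof cache);
	if (n < 0)
		errx(1, "malformed MimeType line in mgba-qt.desktop");
	fputs("[MIME Cache]\n", fp);
	fputs(cache, fp);
	if (fclose(fp) != 0)
		err(1, "%s", cachepath);
	printf("%d mime type(s) cached in %s\n", n, cachepath);
	return 0;
}
```

The order matters: opening the output first and reading inputs into memory before the second pledge() is what lets the parsing stage run with nothing but "stdio". Attempting any path or exec operation after that point kills the process on OpenBSD, which is exactly the failure mode wanted for a program that parses hundreds of third-party files as root.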

I followed up with pledges for the remaining most common programs (glib-compile-schemas for desktop software settings, and the font tools fc-cache and mkfontscale—soon to be committed). Jasper and I tossed around some ideas to ratchet things down even further, but tabled them for the moment as they’d be fairly intrusive. (There is more work in this direction coming down the pipeline, though, so stay tuned…!)

The hackathon was an opportunity to take on some other tasks that I’d been too busy to get to before. One involved an occasional build failure of apertium-cat, a Catalan dictionary used by apertium (think “Google Translate” in your terminal); the fix involved forcing it to use python’s built-in XML parser rather than the py-xml package, which is no longer actively developed upstream.

Over the week I updated several other packages to newer versions and added a few brand new ones (real-time strategy unknown-horizons, PlayStation Portable emulator ppsspp, and a handful of new languages for apertium to translate). Interspersed throughout were many train rides and walks down quiet city streets.

Come Monday evening it was finally time to head homeward, and while away my time in the airport lounge with ppsspp’s built-in homebrew games.

[Screenshot: Cave Story running in ppsspp]

Many thanks to Stefan for hosting another wonderful Berlin hackathon, and to the OpenBSD Foundation, other developers, and contributors who make it all possible!

Thanks for the work and the (marked up :) report!



Comments
  1. By Anonymous Coward (71.33.89.31) on

    Thank you very much for the work on the Atheros driver! It seems like every laptop I buy to run OpenBSD has that hardware in it.

  2. By Anonymous Coward (121.113.190.118) on

    Yay! The more pledge the better!
