{"id":15148747,"url":"https://github.com/andinus/pavo","last_synced_at":"2025-09-29T17:31:59.368Z","repository":{"id":64306655,"uuid":"258525195","full_name":"andinus/pavo","owner":"andinus","description":"Pavo wraps other programs with unveil \u0026 pledge","archived":true,"fork":false,"pushed_at":"2020-10-06T05:08:53.000Z","size":18,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-09-22T20:03:00.902Z","etag":null,"topics":["openbsd","openbsd-pledge","pledge","unveil"],"latest_commit_sha":null,"homepage":"https://andinus.nand.sh/pavo","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andinus.png","metadata":{"files":{"readme":"README.org","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-04-24T13:49:04.000Z","updated_at":"2023-12-26T21:01:17.000Z","dependencies_parsed_at":"2023-01-15T10:45:21.039Z","dependency_job_id":null,"html_url":"https://github.com/andinus/pavo","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andinus%2Fpavo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andinus%2Fpavo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andinus%2Fpavo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andinus%2Fpavo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andinus","download_url":"https://codeload.github.com/andinus/pavo/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","reposit
ories_count":219874662,"owners_count":16554606,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["openbsd","openbsd-pledge","pledge","unveil"],"created_at":"2024-09-26T13:22:30.158Z","updated_at":"2025-09-29T17:31:54.081Z","avatar_url":"https://github.com/andinus.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"#+SETUPFILE: ~/.emacs.d/org-templates/projects.org\n#+EXPORT_FILE_NAME: index\n#+TITLE: Pavo\n\nPavo wraps other programs with /unveil/ \u0026 /pledge/.\n\n*Note*: This is still a work in progress, just the progress is very slow.\nI still think this is a neat idea, will complete this someday.\n\n*Note*: Someone made this \u0026 posted it on =misc@=.\n#+BEGIN_QUOTE\n[ANNOUNCE] pledge(1): an unprivileged sandboxing tool for OpenBSD\nhttps://marc.info/?l=openbsd-misc\u0026m=160070752916257\u0026w=2\n#+END_QUOTE\n\n| Project Home    | [[https://andinus.nand.sh/pavo/][Pavo]]           |\n| Source Code     | [[https://git.tilde.institute/andinus/pavo][Andinus / Pavo]] |\n| GitHub (Mirror) | [[https://github.com/andinus/pavo][Pavo - GitHub]]  |\n\n*Tested on*:\n- OpenBSD 6.6 amd64\n\n*Note*: This program has only been tested to work with /echo/, it fails with\nmany other commands.\n\n* Working\n- Pavo parses the config file\n- Directories \u0026 commands are unveiled\n- Execpromises are added\n- Unveil calls are blocked\n- Command is executed\n* How is it useful?\nLet's take =echo= as an example. =echo='s job is to echo what you pass to\nit. 
It should never touch your =$HOME/.ssh=. Let's say the next =echo=\nupdate is malicious \u0026 it tries to send your =$HOME/.ssh= to the attacker's\nservers. It will be able to do that, but not if you wrap it with pavo.\n\n=pavo echo= will parse the config \u0026 force /unveil/ \u0026 /pledge/ on the malicious\n=echo=; it won't be able to read your =$HOME/.ssh= directory if it isn't\npresent in pavo's config. Also, an attempt to upload the file to the internet\nwill kill the program immediately.\n\nThis assumes that pavo's config file is secure in the first place; if it\nisn't, then the attacker could simply change it. Also, =echo= is a bad\nexample for this.\n\nLet's take another example. Let's say you want to run a binary\ndownloaded from the internet, you kinda trust that person (you don't) \u0026\nthey say that the binary is a simple ASCII game \u0026 will just print to the\nterminal and do nothing else. You could wrap this binary with pavo before\nrunning it \u0026 give it limited permissions, like don't unveil anything \u0026\nput only =stdio= in execpromises.\n\nIf that binary tries to do anything apart from =stdio=, the program will be\nkilled.\n\n- Pavo's config file should be unwriteable at rest\n- The config file should only be writeable by the user\n* Installation\n** Pre-built binaries\nPre-built binaries are available for OpenBSD (386, amd64, arm, arm64).\n\nExample config file can be [[https://github.com/andinus/pavo/blob/master/configs/pavo.json][downloaded here]].\n*** v0.1.0\nDownload the binaries from [[https://archive.org/details/pavo-v0.1.0][archive.org]]\n\n*Example URL*: =https://archive.org/download/pavo-v0.1.0/pavo-v0.1.0-openbsd-386=\n| Arch  | SHA256                                                           |\n|-------+------------------------------------------------------------------|\n| 386   | 926d6009567fec6c270eea16d380b58f396be6f1d51d513ff0e43286760f4fa9 |\n| amd64 | b0fadad9e0328377b31eb70d369a0e2b91f851310e579abab4023496776798ca |\n| arm   | 
0033409f32569c2f59879bb256854b7c6f1043ebf3fe548c7ee4d9b7132839ea |\n| arm64 | b75648c5a3b76d51cad63172ec164eff4974a6a4cca453fe41441d556fa04a07 |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandinus%2Fpavo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandinus%2Fpavo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandinus%2Fpavo/lists"}