{"id":15148676,"url":"https://github.com/seungkang/oki","last_synced_at":"2025-10-24T05:30:25.104Z","repository":{"id":215026422,"uuid":"677614572","full_name":"SeungKang/oki","owner":"SeungKang","description":"oki applies pledge(2) and unveil(2) restrictions to target-program, reducing the blast radius of a security vulnerability in target-program.","archived":false,"fork":false,"pushed_at":"2024-08-31T00:23:13.000Z","size":45,"stargazers_count":6,"open_issues_count":3,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-05T17:13:37.119Z","etag":null,"topics":["openbsd","pledge","unveil"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SeungKang.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-12T04:08:39.000Z","updated_at":"2024-10-29T19:15:47.000Z","dependencies_parsed_at":"2024-10-10T02:40:58.187Z","dependency_job_id":"39d4e712-c87c-4cd3-85bb-74a02026a3db","html_url":"https://github.com/SeungKang/oki","commit_stats":{"total_commits":29,"total_committers":1,"mean_commits":29.0,"dds":0.0,"last_synced_commit":"9618315a8b35e82ed0eca9ccac58aa2b9cd8b753"},"previous_names":["seungkang/oki"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SeungKang%2Foki","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SeungKang%2Foki/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SeungKang%2Foki/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SeungKang%2Foki/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SeungKang","download_url":"https://codeload.github.com/SeungKang/oki/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237915423,"owners_count":19386724,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["openbsd","pledge","unveil"],"created_at":"2024-09-26T13:21:38.951Z","updated_at":"2025-10-24T05:30:24.771Z","avatar_url":"https://github.com/SeungKang.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# oki\n\noki applies pledge(2) and unveil(2) restrictions to target-program,\nreducing the blast radius of a security vulnerability in target-program.\n\n## Synopsis\n\n```\noki -R target-program\noki -p \u003cpromise\u003e [options] target-program [target-program-options]\noki -k [options] target-program [target-program-options]\n```\n\n## How does this work?\n\nCalling pledge on a program restricts the set of allowed system calls. Each set\nof permitted system calls is known as a `promise` which can be combined.\nThese promise strings are documented in `man 2 pledge`. If a program executes\na system call that is not permitted by the promises, the kernel immediately\nterminates the program, delivering a core file if possible.\n\noki applies pledge restrictions using pledge's `execpromises` argument.\nThis allows oki to apply pledge only to a newly executed process and not the\ncurrent process. The user specifies promises using `-p promise`.\n\nCalling unveil on a program removes visibility of the entire filesystem, except\nfor the specified path and permissions. Additional calls can set permissions at\nother points in the filesystem hierarchy. When applied to a directory,\nthe permissions will apply to any file in the subtree of that directory.\n\noki unveils paths by calling unveil for each `-u permission:path` specified by\nthe user. When oki executes the target-program, unveil restrictions are\nautomatically inherited by the target-program. By default, oki automatically\nunveils the target-program executable specified by the user.\n\n## Features\n\n- Applies specified promise strings to the `pledge(2)` system call on the\n  target-program.\n- Applies specified filepath and permissions to the `unveil(2)` system call on\n  the target-program.\n- Filters only HOME and PATH environment variables to the target-program.\n- Optionally pass specific environment variables to the target-program.\n- Autogenerate unveil rules for the imported libraries of the target-program\n  and write the rules to standard out. This helps with writing scripts that\n  call oki on the target-program.\n\n## Requirements\n\n- An OpenBSD system\n- Go (Golang)\n\n## Installation\n\nThe preferred method of installation is using `go install` (as this is\na Golang application). This automates downloading and building Go\napplications from source in a secure manner. By default, applications\nare copied into `~/go/bin/`.\n\nYou must first [install Go](https://golang.org/doc/install). If you are\ncompiling the application on OpenBSD, you can install Go by executing:\n\n```sh\ndoas pkg_add go\n```\n\nAfter installing Go, run the following commands to install the application:\n\n```sh\ngo install github.com/SeungKang/oki@latest\ndoas cp ~/go/bin/oki /usr/local/bin/\n```\n\n## Examples\n\n### The following example generates unveil rules for rizin's libraries:\n\n```console\n$ oki -R /usr/local/bin/rizin\n-u 'r:/usr/local/lib/librz_util.so.0.7' \\\n-u 'r:/usr/lib/libm.so.10.1' \\\n-u 'r:/usr/lib/libutil.so.16.0' \\\n(...)\n```\n\n### The following example runs oki on the git program:\n\n```console\n$ oki -p \"stdio\" -p \"inet\" -p + \"error\" -u \"r:/tmp\" -u \"rc:/foo\" -- git\n```\n\nThe above example enforces the `pledge(2)` promises: \"stdio\", \"inet\",\nand \"error\". It also runs `unveil(2)` on the following paths:\n- `/tmp` for read `r` operations\n- `/foo` for read `r` and create/remove `c` operations\n\n## Troubleshooting\n\nThe `-d` option enables debug mode, which will log the pledge promise strings,\nunveil rules, and environment variables applied to the target-program.\nPledge violations are logged in `/var/log/messages`.\n\n## Special Thanks\n\nA mega thank you to [Stephan Fox](https://github.com/stephen-fox), \nhe's the best :). Stephan played a significant role in assisting me with this \nproject and discussions on its functionality. I'm eternally grateful for his \nsupport, encouragement, patience, and guidance through this project. Can't \nwait to do more.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseungkang%2Foki","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fseungkang%2Foki","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseungkang%2Foki/lists"}