From: Philipp
Newsgroups: gmane.emacs.bugs
Subject: bug#45198: 28.0.50; Sandbox mode
Date: Sat, 17 Apr 2021 17:44:06 +0200
Message-ID: <19511709-E42B-4ABD-9823-39EA08A79B1F@gmail.com>
References: <5818DFAA-3A9C-4335-BAAF-1227A02C290A@acm.org>
In-Reply-To: <5818DFAA-3A9C-4335-BAAF-1227A02C290A@acm.org>
To: Mattias Engdegård
Cc: João Távora, 45198@debbugs.gnu.org, Stefan Kangas, Stefan Monnier, Alan Third

> On 17.04.2021 at 17:26, Mattias Engdegård wrote:
>
> Slightly updated patch for macOS. Obviously not nearly as fancy as the seccomp one but for running something in batch mode that reads from files and writes to stdout/stderr it should do.
>
> It works and can be pushed right away but it would be nice to have a place to use it, for validation and for tuning the interface. Any plans for that?
>

I think it would be better to first implement the mechanism and not the high-level `sandbox-enter' function (I think that one needs a bit more discussion), and implement the mechanism as a command-line flag. This would not only be consistent with the Seccomp implementation, but also be somewhat more conservative in that it wouldn't require the sandboxing functionality to work in arbitrary running Emacs processes. As we gain more experience with these sandboxing mechanisms, we can look at relaxing these restrictions, but I think initially we should be conservative.

> diff --git a/lisp/subr.el b/lisp/subr.el
> index c2be26a15f..4994771c33 100644
> --- a/lisp/subr.el
> +++ b/lisp/subr.el
> @@ -6262,4 +6262,20 @@ internal--format-docstring-line
> This is intended for internal use only."
> (internal--fill-string-single-line (apply #'format string objects)))
>
> +(when (eq system-type 'darwin)
> + (defun sandbox-enter (dirs)
> + "Enter a sandbox only permitting reading files under DIRS.
> +DIRS is a list of directory names. Most other operations such as
> +writing files and network access are disallowed.
> +Existing open descriptors can still be used freely."
> + (darwin-sandbox-init
> + (concat "(version 1)\n"
> + "(deny default)\n"
> + ;; Emacs seems to need /dev/null; allowing it does no harm.
> + "(allow file-read* (path \"/dev/null\"))\n"
> + (mapconcat (lambda (dir)
> + (format "(allow file-read* (subpath %S))\n" dir))
> + dirs ""))))
> + )
> +
> ;;; subr.el ends here

I think it would be better to not commit to a high-level interface like `sandbox-enter' yet. I intentionally held off adding such an interface in my patch because I think it deserves more discussion about the right design and interface.

> diff --git a/src/sysdep.c b/src/sysdep.c
> index d940acc4e0..b6c402ba33 100644
> --- a/src/sysdep.c
> +++ b/src/sysdep.c
> @@ -4286,8 +4286,33 @@ str_collate (Lisp_Object s1, Lisp_Object s2,
> }
> #endif /* WINDOWSNT */
>
> +#ifdef DARWIN_OS
> +
> +/* This function prototype is not in the platform header files. */

Is there any documentation you could refer to, even only an unofficial one?

> +int sandbox_init_with_parameters(const char *profile,
> + uint64_t flags,
> + const char *const parameters[],
> + char **errorbuf);
> +
> +DEFUN ("darwin-sandbox-init", Fdarwin_sandbox_init, Sdarwin_sandbox_init,
> + 1, 1, 0,
> + doc: /* Enter a sandbox whose permitted access is curtailed by PROFILE.

I think it would be better to define this as a command-line flag, at least initially. That way, the sandbox can protect code that happens early on, e.g. the startup code.

This needs to somehow document what PROFILE is.

> +Already open descriptors can be used freely. */)

What does this mean? Emacs doesn't really expose file descriptors to users.

> + (Lisp_Object profile)
> +{
> + char *err = NULL;
> + if (sandbox_init_with_parameters (SSDATA (profile), 0, NULL, &err) != 0)

Missing CHECK_STRING (profile).
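Review bot: in the subr.el hunk, `sandbox-enter` splices each element of DIRS into the profile with `(format "(allow file-read* (subpath %S))\n" dir)` without checking that the element is a string or making it absolute. `%S` prints a symbol or nil as a bare token, so a bad entry produces a profile that either fails to load or grants something other than what the caller meant, and the kernel matches `subpath` filters against absolute paths, so a relative name such as "." never matches and every read under it is refused by `(deny default)`. Suggest normalising before formatting, e.g. `(format "(allow file-read* (subpath %S))\n" (expand-file-name dir))`, preceded by a `stringp` check that signals `wrong-type-argument`, and a comment stating that the quoting relies on `prin1` string escaping being accepted by the profile language, since that is the only thing keeping a directory name containing a double quote from terminating the string early. The docstring's "Most other operations such as writing files and network access are disallowed" understates what `(deny default)` does: process execution and every other operation not listed is refused too, so either say so or point at the profile text.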
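Review bot: in the sysdep.c hunk, `sandbox_init_with_parameters (SSDATA (profile), 0, NULL, &err)` hands the Lisp string's internal representation straight to the library; besides the `CHECK_STRING (profile)` already called for above, PROFILE should go through `ENCODE_FILE` before `SSDATA` so that non-ASCII path components and raw bytes are spelled the way the file system sees them. The error text the call stores in `err` on failure is allocated by libsandbox and, per Apple's sandbox_init(3) documentation, which this private entry point mirrors, must be released with `sandbox_free_error`, not `xfree` or `free`; the visible hunk ends at the `if`, so the failure branch that follows should copy the message into a Lisp string, call `sandbox_free_error (err)`, and then signal, rather than leaking the buffer or freeing it with the wrong allocator. Since the prototype is hand-declared for a symbol the comment itself says is absent from the platform headers, a comment naming where the signature was taken from (and which macOS releases it was verified against) would let future readers check it when the private interface changes.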