From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Mattias =?UTF-8?Q?Engdeg=C3=A5rd?= <mattiase@acm.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#45198: 28.0.50; Sandbox mode
Date: Fri, 17 Sep 2021 21:49:39 +0200
Message-ID: <8355EDD1-FF78-43B1-8F96-4EB3316E8FEB@acm.org>
References: <DCB89188-A9D5-4A64-8DD2-BE1DD8A2B202@acm.org>
 <jwvfsu3732l.fsf-monnier+emacs@gnu.org>
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Content-Type: multipart/mixed;
 boundary="Apple-Mail=_E7692CE5-7A32-4E92-BD0A-A145CC42C55F"
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="7893"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: Alan Third <alan@idiocy.org>, 45198@debbugs.gnu.org,
 Stefan Kangas <stefan@marxist.se>, Philipp <p.stephani2@gmail.com>,
 =?UTF-8?Q?Jo=C3=A3o_?= =?UTF-8?Q?T=C3=A1vora?= <joaotavora@gmail.com>
To: Stefan Monnier <monnier@iro.umontreal.ca>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Fri Sep 17 21:50:14 2021
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1mRJsE-0001oz-9u
	for geb-bug-gnu-emacs@m.gmane-mx.org; Fri, 17 Sep 2021 21:50:14 +0200
Original-Received: from localhost ([::1]:39674 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1mRJsC-00032N-JX
	for geb-bug-gnu-emacs@m.gmane-mx.org; Fri, 17 Sep 2021 15:50:12 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:52122)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1mRJs2-000327-Qw
 for bug-gnu-emacs@gnu.org; Fri, 17 Sep 2021 15:50:02 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43]:49741)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1mRJs2-0006hU-JB
 for bug-gnu-emacs@gnu.org; Fri, 17 Sep 2021 15:50:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1mRJs2-0003BQ-EQ
 for bug-gnu-emacs@gnu.org; Fri, 17 Sep 2021 15:50:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Mattias =?UTF-8?Q?Engdeg=C3=A5rd?= <mattiase@acm.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Fri, 17 Sep 2021 19:50:02 +0000
Resent-Message-ID: <handler.45198.B45198.163190819712222@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 45198
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
Original-Received: via spool by 45198-submit@debbugs.gnu.org id=B45198.163190819712222
 (code B ref 45198); Fri, 17 Sep 2021 19:50:02 +0000
Original-Received: (at 45198) by debbugs.gnu.org; 17 Sep 2021 19:49:57 +0000
Original-Received: from localhost ([127.0.0.1]:33054 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1mRJrx-0003B4-G9
 for submit@debbugs.gnu.org; Fri, 17 Sep 2021 15:49:57 -0400
Original-Received: from mail1449c50.megamailservers.eu ([91.136.14.49]:56108
 helo=mail265c50.megamailservers.eu)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mattiase@acm.org>) id 1mRJrs-0003Ak-5I
 for 45198@debbugs.gnu.org; Fri, 17 Sep 2021 15:49:55 -0400
X-Authenticated-User: mattiase@bredband.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=megamailservers.eu;
 s=maildub; t=1631908184;
 bh=fEzvJxKTeOE8t5f2hV775ozI3pqxTvzV2aj3dXAlmvk=;
 h=From:Subject:Date:In-Reply-To:Cc:To:References:From;
 b=Tb3PqEzXIZ5bIXPVRfQTEc/2+E72baAXpCHwb3u6gc1agdQH+gWOQCB8zLfGVGZn1
 ghmI8lG+oMyHGPfIQIpgIXBj+5MqIP3LQ5P/ANNFmTUrJLljHn80XyVibyK8m8TUZj
 jj2cdTNhZmdIDodMvmh5Pomn+0UxTksfwSTVfIQE=
Feedback-ID: mattiase@acm.or
Original-Received: from [192.168.0.4] (c188-150-171-71.bredband.tele2.se
 [188.150.171.71]) (authenticated bits=0)
 by mail265c50.megamailservers.eu (8.14.9/8.13.1) with ESMTP id 18HJnevZ019213; 
 Fri, 17 Sep 2021 19:49:42 +0000
In-Reply-To: <jwvfsu3732l.fsf-monnier+emacs@gnu.org>
X-Mailer: Apple Mail (2.3445.104.21)
X-CTCH-RefID: str=0001.0A742F22.6144F158.006A, ss=1, re=0.000, recu=0.000,
 reip=0.000, cl=1, cld=1, fgs=0
X-CTCH-VOD: Unknown
X-CTCH-Spam: Unknown
X-CTCH-Score: 0.000
X-CTCH-Flags: 0
X-CTCH-ScoreCust: 0.000
X-CSC: 0
X-CHA: v=2.4 cv=adICITkt c=1 sm=1 tr=0 ts=6144f158
 a=SF+I6pRkHZhrawxbOkkvaA==:117 a=SF+I6pRkHZhrawxbOkkvaA==:17
 a=M51BFTxLslgA:10 a=iRZporoAAAAA:8 a=wuWo1mPVt09aIbERY5QA:9
 a=CjuIK1q_8ugA:10 a=2i1jUgeGfihAGWfHL1kA:9 a=B2y7HmGcmWMA:10
 a=7yj0kKAPgQKSsoQ_J6wA:9 a=NOBgFS-JBQ2l-kSd6-zu:22
X-Origin-Country: SE
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
 <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.bugs:214583
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/214583>


--Apple-Mail=_E7692CE5-7A32-4E92-BD0A-A145CC42C55F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

17 sep. 2021 kl. 15.20 skrev Stefan Monnier <monnier@iro.umontreal.ca>:

> For `elpa-admin.el` we need a writable directory as well.
> We also need the ability to run sub-processes.  Your `bwrap`
> implementation for GNU/Linux should allow that, AFAICT, but I can't =
tell
> if `darwin-sandbox-enter` also allows it.

Looks like it can be made to work.

Of course this whole exercise doesn't really touch the questions that =
really matter, such as whether it is practical for actual use.


--Apple-Mail=_E7692CE5-7A32-4E92-BD0A-A145CC42C55F
Content-Disposition: attachment;
	filename=0001-Add-macOS-sandboxing-bug-45198.patch
Content-Type: application/octet-stream;
	x-unix-mode=0644;
	name="0001-Add-macOS-sandboxing-bug-45198.patch"
Content-Transfer-Encoding: quoted-printable

=46rom=2003233ad9abb0c18bdbd00eb2cad42db8a252cafe=20Mon=20Sep=2017=20=
00:00:00=202001=0AFrom:=20=3D?UTF-8?q?Mattias=3D20Engdeg=3DC3=3DA5rd?=3D=20=
<mattiase@acm.org>=0ADate:=20Sat,=2017=20Apr=202021=2020:53:39=20+0200=0A=
Subject:=20[PATCH=201/2]=20Add=20macOS=20sandboxing=20(bug#45198)=0A=0A=
This=20is=20the=20corresponding=20low-level=20sandboxing=20facility=20=
corresponding=0Ato=20the=20recently=20added=20Seccomp=20for=20Linux.=20=20=
`darwin-sandbox-init`=20gives=0Adirect=20access=20to=20the=20system=20=
sandboxing=20call;=20`darwin--sandbox-enter`=0Ais=20a=20wrapper=20that=20=
takes=20a=20plist=20specifying=20directories=20under=20which=0Afiles=20=
can=20be=20read,=20written=20or=20executed.=20=20These=20should=20be=20=
considered=0Ainternal=20mechanisms=20for=20now.=0A=0A*=20=
lisp/darwin-fns.el:=20New=20file.=0A*=20lisp/loadup.el:=20Load=20it.=0A*=20=
src/sysdep.c=20(Fdarwin_sandbox_init):=20New=20function.=0A*=20=
test/lisp/darwin-fns-tests.el:=20New=20file.=0A---=0A=20=
lisp/darwin-fns.el=20=20=20=20=20=20=20=20=20=20=20=20|=2056=20=
+++++++++++++++++++++=0A=20lisp/loadup.el=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20|=20=202=20+=0A=20src/sysdep.c=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20|=2034=20+++++++++++++=0A=20=
test/lisp/darwin-fns-tests.el=20|=2091=20=
+++++++++++++++++++++++++++++++++++=0A=204=20files=20changed,=20183=20=
insertions(+)=0A=20create=20mode=20100644=20lisp/darwin-fns.el=0A=20=
create=20mode=20100644=20test/lisp/darwin-fns-tests.el=0A=0Adiff=20--git=20=
a/lisp/darwin-fns.el=20b/lisp/darwin-fns.el=0Anew=20file=20mode=20100644=0A=
index=200000000000..feba9739b5=0A---=20/dev/null=0A+++=20=
b/lisp/darwin-fns.el=0A@@=20-0,0=20+1,56=20@@=0A+;;;=20darwin-fns.el=20=
---=20Darwin-specific=20functions=20=20-*-=20lexical-binding:=20t=20-*-=0A=
+=0A+;;=20Copyright=20(C)=202021=20Free=20Software=20Foundation,=20Inc.=0A=
+=0A+;;=20This=20file=20is=20part=20of=20GNU=20Emacs.=0A+=0A+;;=20GNU=20=
Emacs=20is=20free=20software:=20you=20can=20redistribute=20it=20and/or=20=
modify=0A+;;=20it=20under=20the=20terms=20of=20the=20GNU=20General=20=
Public=20License=20as=20published=20by=0A+;;=20the=20Free=20Software=20=
Foundation,=20either=20version=203=20of=20the=20License,=20or=0A+;;=20=
(at=20your=20option)=20any=20later=20version.=0A+=0A+;;=20GNU=20Emacs=20=
is=20distributed=20in=20the=20hope=20that=20it=20will=20be=20useful,=0A=
+;;=20but=20WITHOUT=20ANY=20WARRANTY;=20without=20even=20the=20implied=20=
warranty=20of=0A+;;=20MERCHANTABILITY=20or=20FITNESS=20FOR=20A=20=
PARTICULAR=20PURPOSE.=20=20See=20the=0A+;;=20GNU=20General=20Public=20=
License=20for=20more=20details.=0A+=0A+;;=20You=20should=20have=20=
received=20a=20copy=20of=20the=20GNU=20General=20Public=20License=0A+;;=20=
along=20with=20GNU=20Emacs.=20=20If=20not,=20see=20=
<https://www.gnu.org/licenses/>.=0A+=0A+;;;=20Code:=0A+=0A+(defun=20=
darwin--sandbox-enter=20(spec)=0A+=20=20"Enter=20a=20sandbox=20only=20=
permitting=20actions=20described=20by=20SPEC.=0A+SPEC=20is=20a=20plist=20=
allowing=20the=20keys:=0A+`:read-dirs'=20=20--=20value=20is=20a=20list=20=
of=20directories=20in=20which=20reading=20is=20allowed.=0A+`:write-dirs'=20=
--=20value=20is=20a=20list=20of=20directories=20in=20which=20writing=20=
is=20allowed.=0A+`:exec-dirs'=20=20--=20value=20is=20a=20list=20of=20=
directories=20from=20which=20executables=0A+=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20can=20be=20run=20as=20subprocesses.=0A+Most=20other=20=
operations=20such=20as=20network=20access=20are=20disallowed.=0A=
+Existing=20open=20descriptors=20can=20still=20be=20used=20freely.=0A+=0A=
+This=20is=20not=20a=20supported=20interface=20and=20is=20for=20internal=20=
use=20only."=0A+=20=20(let=20((read-dirs=20(plist-get=20spec=20=
:read-dirs))=0A+=20=20=20=20=20=20=20=20(write-dirs=20(plist-get=20spec=20=
:write-dirs))=0A+=20=20=20=20=20=20=20=20(exec-dirs=20(plist-get=20spec=20=
:exec-dirs)))=0A+=20=20=20=20(darwin-sandbox-init=0A+=20=20=20=20=20=
(concat=0A+=20=20=20=20=20=20"(version=201)\n"=0A+=20=20=20=20=20=20=
"(deny=20default)\n"=0A+=20=20=20=20=20=20;;=20Emacs=20seems=20to=20need=20=
/dev/null;=20allowing=20it=20does=20no=20harm.=0A+=20=20=20=20=20=20=
"(allow=20file-read*=20(path=20\"/dev/null\"))\n"=0A+=20=20=20=20=20=20=
(mapconcat=20(lambda=20(dir)=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20(format=20"(allow=20file-read*=20(subpath=20%S))\n"=20=
dir))=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20read-dirs=20=
"")=0A+=20=20=20=20=20=20(mapconcat=20(lambda=20(dir)=0A+=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20(format=20"(allow=20file-write*=20=
(subpath=20%S))\n"=20dir))=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20write-dirs=20"")=0A+=20=20=20=20=20=20(mapconcat=20(lambda=20(dir)=0A=
+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(format=20=
"(allow=20process-exec=20(subpath=20%S))\n"=20dir))=0A+=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20exec-dirs=20"")=0A+=20=20=20=20=20=20=
(and=20exec-dirs=0A+=20=20=20=20=20=20=20=20=20=20=20"(allow=20=
process-fork)\n")))))=0A+=0A+(provide=20'darwin-fns)=0A+=0A+;;;=20=
darwin-fns.el=20ends=20here=0Adiff=20--git=20a/lisp/loadup.el=20=
b/lisp/loadup.el=0Aindex=20158c02ecea..163b639640=20100644=0A---=20=
a/lisp/loadup.el=0A+++=20b/lisp/loadup.el=0A@@=20-325,6=20+325,8=20@@=0A=20=
=20=20=20=20=20=20(load=20"term/pc-win")=0A=20=20=20=20=20=20=20(load=20=
"ls-lisp")=0A=20=20=20=20=20=20=20(load=20"disp-table")))=20;=20needed=20=
to=20setup=20ibm-pc=20char=20set,=20see=20internal.el=0A+(if=20(eq=20=
system-type=20'darwin)=0A+=20=20=20=20(load=20"darwin-fns"))=0A=20(if=20=
(featurep=20'ns)=0A=20=20=20=20=20(progn=0A=20=20=20=20=20=20=20(load=20=
"term/common-win")=0Adiff=20--git=20a/src/sysdep.c=20b/src/sysdep.c=0A=
index=208eaee22498..79a1fad4da=20100644=0A---=20a/src/sysdep.c=0A+++=20=
b/src/sysdep.c=0A@@=20-4458,8=20+4458,42=20@@=20str_collate=20=
(Lisp_Object=20s1,=20Lisp_Object=20s2,=0A=20}=0A=20#endif=09/*=20=
WINDOWSNT=20*/=0A=20=0A+#ifdef=20DARWIN_OS=0A+=0A+/*=20This=20function=20=
prototype=20is=20not=20in=20the=20platform=20header=20files.=0A+=20=20=20=
See=20=
https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0=
.pdf=0A+=20=20=20and=20=
https://chromium.googlesource.com/chromium/src/+/master/sandbox/mac/seatbe=
lt_sandbox_design.md=20*/=0A+int=20sandbox_init_with_parameters(const=20=
char=20*profile,=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20uint64_t=20flags,=0A+=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20const=20char=20*const=20parameters[],=0A+=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20char=20**errorbuf);=0A+=0A+DEFUN=20("darwin-sandbox-init",=20=
Fdarwin_sandbox_init,=20Sdarwin_sandbox_init,=0A+=20=20=20=20=20=20=201,=20=
1,=200,=0A+=20=20=20=20=20=20=20doc:=20/*=20Enter=20a=20sandbox=20whose=20=
permitted=20access=20is=20curtailed=20by=20PROFILE.=0A+Already=20open=20=
descriptors=20can=20be=20used=20freely.=0A+PROFILE=20is=20a=20string=20=
in=20the=20macOS=20sandbox=20profile=20language,=0A+a=20set=20of=20rules=20=
in=20a=20Lisp-like=20syntax.=0A+=0A+This=20is=20not=20a=20supported=20=
interface=20and=20is=20for=20internal=20use=20only.=20*/)=0A+=20=20=
(Lisp_Object=20profile)=0A+{=0A+=20=20CHECK_STRING=20(profile);=0A+=20=20=
if=20(memchr=20(SSDATA=20(profile),=20'\0',=20SBYTES=20(profile)))=0A+=20=
=20=20=20error=20("NUL=20in=20sandbox=20profile");=0A+=20=20char=20*err=20=
=3D=20NULL;=0A+=20=20if=20(sandbox_init_with_parameters=20(SSDATA=20=
(profile),=200,=20NULL,=20&err)=20!=3D=200)=0A+=20=20=20=20error=20=
("sandbox=20error:=20%s",=20err);=0A+=20=20return=20Qnil;=0A+}=0A+=0A=
+#endif=09/*=20DARWIN_OS=20*/=0A+=0A=20void=0A=20syms_of_sysdep=20(void)=0A=
=20{=0A=20=20=20defsubr=20(&Sget_internal_run_time);=0A+#ifdef=20=
DARWIN_OS=0A+=20=20defsubr=20(&Sdarwin_sandbox_init);=0A+#endif=0A=20}=0A=
diff=20--git=20a/test/lisp/darwin-fns-tests.el=20=
b/test/lisp/darwin-fns-tests.el=0Anew=20file=20mode=20100644=0Aindex=20=
0000000000..fa0d58ac3d=0A---=20/dev/null=0A+++=20=
b/test/lisp/darwin-fns-tests.el=0A@@=20-0,0=20+1,91=20@@=0A+;;;=20=
darwin-fns-tests.el=20---=20tests=20for=20darwin-fns.el=20=20-*-=20=
lexical-binding:=20t=20-*-=0A+=0A+;;=20Copyright=20(C)=202021=20=20Free=20=
Software=20Foundation,=20Inc.=0A+=0A+;;=20This=20file=20is=20part=20of=20=
GNU=20Emacs.=0A+=0A+;;=20GNU=20Emacs=20is=20free=20software:=20you=20can=20=
redistribute=20it=20and/or=20modify=0A+;;=20it=20under=20the=20terms=20=
of=20the=20GNU=20General=20Public=20License=20as=20published=0A+;;=20by=20=
the=20Free=20Software=20Foundation,=20either=20version=203=20of=20the=20=
License,=0A+;;=20or=20(at=20your=20option)=20any=20later=20version.=0A+=0A=
+;;=20GNU=20Emacs=20is=20distributed=20in=20the=20hope=20that=20it=20=
will=20be=20useful,=20but=0A+;;=20WITHOUT=20ANY=20WARRANTY;=20without=20=
even=20the=20implied=20warranty=20of=0A+;;=20MERCHANTABILITY=20or=20=
FITNESS=20FOR=20A=20PARTICULAR=20PURPOSE.=20=20See=20the=20GNU=0A+;;=20=
General=20Public=20License=20for=20more=20details.=0A+=0A+;;=20You=20=
should=20have=20received=20a=20copy=20of=20the=20GNU=20General=20Public=20=
License=0A+;;=20along=20with=20GNU=20Emacs.=20=20If=20not,=20see=20=
<https://www.gnu.org/licenses/>.=0A+=0A+(require=20'ert)=0A+=0A+(defun=20=
darwin-fns-tests--run-emacs=20(expr1=20expr2)=0A+=20=20"Run=20Emacs=20in=20=
batch=20mode=20and=20evaluate=20EXPR1=20and=20EXPR2.=0A+Return=20=
(EXIT-STATUS=20.=20OUTPUT),=20where=20OUTPUT=20is=20stderr=20and=20=
stdout."=0A+=20=20(let=20((emacs=20(expand-file-name=20invocation-name=20=
invocation-directory))=0A+=20=20=20=20=20=20=20=20(process-environment=20=
nil))=0A+=20=20=20=20(with-temp-buffer=0A+=20=20=20=20=20=20(let=20((res=20=
(call-process=20emacs=20nil=20t=20nil=0A+=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20"--quick"=20=
"--batch"=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20(format=20"--eval=3D%S"=20expr1)=0A+=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20(format=20"--eval=3D%S"=20expr2))))=0A+=20=20=20=20=20=20=20=20=
(cons=20res=20(buffer-string))))))=0A+=0A+(ert-deftest=20=
darwin-fns-sandbox=20()=0A+=20=20(skip-unless=20(eq=20system-type=20=
'darwin))=0A+=20=20;;=20Test=20file=20reading=20and=20writing=20under=20=
various=20sandboxing=20conditions.=0A+=20=20(let*=20((some-text=20=
"abcdef")=0A+=20=20=20=20=20=20=20=20=20(new-text=20"ghijkl")=0A+=20=20=20=
=20=20=20=20=20=20(test-file=20(file-truename=20(make-temp-file=20=
"test")))=0A+=20=20=20=20=20=20=20=20=20(file-dir=20(file-name-directory=20=
test-file)))=0A+=20=20=20=20(unwind-protect=0A+=20=20=20=20=20=20=20=20=
(dolist=20(mode=20'(read=20write))=0A+=20=20=20=20=20=20=20=20=20=20=
(ert-info=20((symbol-name=20mode)=20:prefix=20"mode:=20")=0A+=20=20=20=20=
=20=20=20=20=20=20=20=20(dolist=20(sandbox=20'(allow-all=20deny-all=20=
allow-read))=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20(ert-info=20=
((symbol-name=20sandbox)=20:prefix=20"sandbox:=20")=0A+=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20;;=20Prepare=20initial=20file=20contents.=0A=
+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(with-temp-buffer=0A+=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(insert=20some-text)=0A=
+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(write-file=20=
test-file))=0A+=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(let*=20=
((sandbox-form=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20(pcase-exhaustive=20sandbox=0A+=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20('allow-all=20nil)=0A=
+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20('deny-all=20'(darwin--sandbox-enter=20nil))=0A+=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20('allow-read=20=
`(darwin--sandbox-enter=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
'(:read-dirs=20(,file-dir))))))=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20(action-form=0A+=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(pcase-exhaustive=20mode=0A=
+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20('read=20`(progn=20(find-file-literally=20,test-file)=0A+=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20(message=20"OK:=20%s"=20=
(buffer-string))))=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20('write=20`(with-temp-buffer=0A+=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20(insert=20,new-text)=0A+=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20(write-file=20,test-file)))))=0A+=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20(allowed=20(or=20(eq=20sandbox=20=
'allow-all)=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(and=20(eq=20sandbox=20=
'allow-read)=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(eq=20=
mode=20'read))))=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20(res-out=20(darwin-fns-tests--run-emacs=0A+=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20sandbox-form=20action-form))=0A+=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20(exit-status=20(car=20res-out))=0A+=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
(output=20(cdr=20res-out))=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20(file-contents=0A+=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20(with-temp-buffer=0A+=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
(insert-file-contents-literally=20test-file)=0A+=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(buffer-string))))=0A=
+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(if=20allowed=0A+=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(should=20=
(equal=20exit-status=200))=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20(should-not=20(equal=20exit-status=200)))=0A+=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20(when=20(eq=20mode=20'read)=0A+=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(if=20allowed=0A=
+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
(should=20(equal=20output=20(format=20"OK:=20%s\n"=20some-text)))=0A+=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(should-not=20=
(string-search=20some-text=20output))))=0A+=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20(should=20(equal=20file-contents=0A+=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20(if=20(and=20(eq=20mode=20'write)=20allowed)=0A+=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20new-text=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
some-text))))))))=0A+=0A+=20=20=20=20=20=20;;=20Clean=20up.=0A+=20=20=20=20=
=20=20(ignore-errors=20(delete-file=20test-file)))))=0A+=0A+=0A+(provide=20=
'darwin-fns-tests)=0A--=20=0A2.21.1=20(Apple=20Git-122.3)=0A=0A=

--Apple-Mail=_E7692CE5-7A32-4E92-BD0A-A145CC42C55F
Content-Disposition: attachment;
	filename=0002-platform-independent-sandbox-interface.patch
Content-Type: application/octet-stream;
	x-unix-mode=0644;
	name="0002-platform-independent-sandbox-interface.patch"
Content-Transfer-Encoding: quoted-printable

=46rom=20aa7780d2a40cf1da60ae236e9468cea9c36a8350=20Mon=20Sep=2017=20=
00:00:00=202001=0AFrom:=20=3D?UTF-8?q?Mattias=3D20Engdeg=3DC3=3DA5rd?=3D=20=
<mattiase@acm.org>=0ADate:=20Fri,=2017=20Sep=202021=2009:30:53=20+0200=0A=
Subject:=20[PATCH=202/2]=20platform-independent=20sandbox=20interface=0A=0A=
---=0A=20lisp/sandbox.el=20|=2091=20=
+++++++++++++++++++++++++++++++++++++++++++++++++=0A=201=20file=20=
changed,=2091=20insertions(+)=0A=20create=20mode=20100644=20=
lisp/sandbox.el=0A=0Adiff=20--git=20a/lisp/sandbox.el=20=
b/lisp/sandbox.el=0Anew=20file=20mode=20100644=0Aindex=20=
0000000000..589d25615a=0A---=20/dev/null=0A+++=20b/lisp/sandbox.el=0A@@=20=
-0,0=20+1,91=20@@=0A+;;;=20-*-=20lexical-binding:=20t=20-*-=0A+=0A=
+(require=20'cl-lib)=0A+=0A+(defconst=20sandbox-mechanism=0A+=20=20;;=20=
FIXME:=20make=20it=20a=20defcustom?=20What=20about=20other=20systems?=0A=
+=20=20(cond=20((eq=20system-type=20'darwin)=20'darwin)=0A+=20=20=20=20=20=
=20=20=20((eq=20system-type=20'gnu/linux)=20'bwrap)))=0A+=0A+(defun=20=
sandbox-available-p=20()=0A+=20=20"Non-nil=20if=20a=20sandboxing=20=
mechanism=20is=20available."=0A+=20=20;;=20FIXME:=20We=20should=20check=20=
for=20availability=20of=20bwrap=20etc.=0A+=20=20(not=20(null=20=
sandbox-mechanism)))=0A+=0A+(defun=20sandbox--program-args=20=
(sandbox-spec=20prog)=0A+=20=20"Return=20(PROGRAM=20.=20ARGS)=20for=20=
running=20PROG=20according=20to=20SANDBOX-SPEC."=0A+=20=20=
(pcase-exhaustive=20sandbox-mechanism=0A+=20=20=20=20('darwin=0A+=20=20=20=
=20=20(list=20prog=20"--eval"=0A+=20=20=20=20=20=20=20=20=20=20=20=
(prin1-to-string=20`(darwin--sandbox-enter=20',sandbox-spec))))=0A+=20=20=
=20=20('bwrap=0A+=20=20=20=20=20;;=20FIXME:=20with=20seccomp?=0A+=20=20=20=
=20=20(let*=20((read-dirs=20(plist-get=20sandbox-spec=20:read-dirs))=0A+=20=
=20=20=20=20=20=20=20=20=20=20=20(write-dirs=20(plist-get=20sandbox-spec=20=
:write-dirs))=0A+=20=20=20=20=20=20=20=20=20=20=20=20(exec-dirs=20=
(plist-get=20sandbox-spec=20:exec-dirs))=0A+=20=20=20=20=20=20=20=20=20=20=
=20=20(ro-dirs=20(cl-set-difference=0A+=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20(cl-union=20read-dirs=20exec-dirs=20:test=20=
#'equal)=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20write-dirs=20:test=20#'equal)))=0A+=20=20=20=20=20=20=20`("bwrap"=0A+=20=
=20=20=20=20=20=20=20=20"--unshare-all"=0A+=20=20=20=20=20=20=20=20=20=
"--dev"=20"/dev"=0A+=20=20=20=20=20=20=20=20=20"--proc"=20"/proc"=0A+=20=20=
=20=20=20=20=20=20=20"--tmpfs"=20"/tmp"=0A+=20=20=20=20=20=20=20=20=20=
,@(mapcan=20(lambda=20(dir)=20(let=20((d=20(expand-file-name=20dir)))=0A=
+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20(list=20"--ro-bind"=20d=20d)))=0A+=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20ro-dirs)=0A+=20=20=20=20=
=20=20=20=20=20,@(mapcan=20(lambda=20(dir)=20(let=20((d=20=
(expand-file-name=20dir)))=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20(list=20=
"--bind"=20d=20d)))=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20write-dirs)=0A+=20=20=20=20=20=20=20=20=20,prog)))))=0A+=0A+(defun=20=
sandbox--emacs-command=20(sandbox-spec=20args)=0A+=20=20"Command=20and=20=
arguments=20for=20running=20Emacs=20with=20SANDBOX-SPEC=20and=20ARGS."=0A=
+=20=20(let*=20((emacs=20(expand-file-name=20invocation-name=20=
invocation-directory))=0A+=20=20=20=20=20=20=20=20=20(program-args=20=
(sandbox--program-args=20sandbox-spec=20emacs)))=0A+=20=20=20=20=
`(,@program-args=20"--batch"=20,@args)))=0A+=0A+(defun=20=
sandbox-run-emacs=20(sandbox-spec=20destination=20args)=0A+=20=20"Run=20=
sandboxed=20Emacs=20in=20batch=20mode,=20synchronously.=0A+SANDBOX-SPEC=20=
is=20a=20sandbox=20specification=20plist.=20=20Currently=20defined=20=
key:=0A+=20`:read-dirs'=20=20--=20the=20value=20is=20a=20list=20of=20=
directories=20that=20can=20be=20read=20from.=0A+=20`:write-dirs'=20--=20=
the=20value=20is=20a=20list=20of=20directories=20that=20can=20be=20=
written=20to.=0A+=20`:exec-dirs'=20=20--=20the=20value=20is=20a=20list=20=
of=20directories=20from=20which=0A+=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20executables=20can=20be=20run=20as=20subprocesses.=0A=
+DESTINATION=20is=20as=20in=20`call-process'.=0A+ARGS=20is=20a=20list=20=
of=20command-line=20arguments=20passed=20to=20the=20sandboxed=20Emacs.=0A=
+Return=20value=20is=20as=20in=20`call-process'.=0A+=0A+Depending=20on=20=
the=20platform,=20the=20sandbox=20restrictions=20do=20not=20necessarily=0A=
+take=20effect=20until=20Emacs=20has=20been=20initialised=20and=20loaded=20=
the=20site=20and=20user=0A+init=20files.=20=20If=20that=20is=20not=20=
desirable,=20suppress=20their=20use=20by=20adding=20the=0A+corresponding=20=
flags=20(eg=20\"-Q\")=20to=20ARGS."=0A+=20=20(let=20((command=20=
(sandbox--emacs-command=20sandbox-spec=20args)))=0A+=20=20=20=20(apply=20=
#'call-process=20(car=20command)=20nil=20destination=20nil=20(cdr=20=
command))))=0A+=0A+(defun=20sandbox-start-emacs=20(sandbox-spec=20params=20=
args)=0A+=20=20"Run=20sandboxed=20Emacs=20in=20batch=20mode,=20=
asynchronously.=0A+SANDBOX-SPEC=20is=20a=20sandbox=20specification=20=
plist.=20=20Currently=20defined=20key:=0A+=20`:read-dirs'=20=20--=20the=20=
value=20is=20a=20list=20of=20directories=20that=20can=20be=20read=20=
from.=0A+=20`:write-dirs'=20--=20the=20value=20is=20a=20list=20of=20=
directories=20that=20can=20be=20written=20to.=0A+=20`:exec-dirs'=20=20--=20=
the=20value=20is=20a=20list=20of=20directories=20from=20which=0A+=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20executables=20can=20be=20=
run=20as=20subprocesses.=0A+ARGS=20is=20a=20list=20of=20command-line=20=
arguments=20passed=20to=20the=20sandboxed=20Emacs.=0A+PARAMS=20is=20a=20=
plist=20of=20parameters=20passed=20to=20`make-process'.=20=20Do=20not=0A=
+=20=20supply=20`:command';=20it=20will=20be=20overridden=20by=20ARGS.=0A=
+Return=20value=20is=20as=20in=20`make-process'.=0A+=0A+Depending=20on=20=
the=20platform,=20the=20sandbox=20restrictions=20do=20not=20necessarily=0A=
+take=20effect=20until=20Emacs=20has=20been=20initialised=20and=20loaded=20=
the=20site=20and=20user=0A+init=20files.=20=20If=20that=20is=20not=20=
desirable,=20suppress=20their=20use=20by=20adding=20the=0A+corresponding=20=
flags=20(eg=20\"-Q\")=20to=20ARGS."=0A+=20=20(let*=20((command=20=
(sandbox--emacs-command=20sandbox-spec=20args))=0A+=20=20=20=20=20=20=20=20=
=20(params=20(copy-sequence=20params))=0A+=20=20=20=20=20=20=20=20=20=
(params=20(plist-put=20params=20:command=20command)))=0A+=20=20=20=20=
(unless=20(plist-member=20params=20:name)=0A+=20=20=20=20=20=20(setq=20=
params=20(plist-put=20params=20:name=20"emacs")))=0A+=20=20=20=20(unless=20=
(plist-member=20params=20:connection-type)=0A+=20=20=20=20=20=20(setq=20=
params=20(plist-put=20params=20:connection-type=20'pipe)))=0A+=20=20=20=20=
(apply=20#'make-process=20params)))=0A+=0A+(provide=20'sandbox)=0A--=20=0A=
2.21.1=20(Apple=20Git-122.3)=0A=0A=

--Apple-Mail=_E7692CE5-7A32-4E92-BD0A-A145CC42C55F--