From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#45198: 28.0.50; Sandbox mode
Date: Sat, 17 Apr 2021 22:23:26 +0300
Message-ID: <83fszovhox.fsf@gnu.org>
References: <5818DFAA-3A9C-4335-BAAF-1227A02C290A@acm.org> <19511709-E42B-4ABD-9823-39EA08A79B1F@gmail.com> <83v98kvr7y.fsf@gnu.org> <9A5BCDF3-6543-46C0-AB56-2311392FC549@gmail.com> <83tuo4vqet.fsf@gnu.org> <83r1j8vpku.fsf@gnu.org>
To: Philipp Stephani
Cc: alan@idiocy.org, mattiase@acm.org, 45198@debbugs.gnu.org, stefankangas@gmail.com, joaotavora@gmail.com, monnier@iro.umontreal.ca
> From: Philipp Stephani
> Date: Sat, 17 Apr 2021 21:14:02 +0200
> Cc: Mattias Engdegård, João Távora, 45198@debbugs.gnu.org,
>     Stefan Kangas, Stefan Monnier, Alan Third
>
> > "Performing computations" in Emacs corresponds to invoking gobs of
> > system interfaces, and if we are going to filter most of them, I fear
> > we will get a dysfunctional Emacs.  E.g., cursor blinking requires
> > accessing the system time, displaying a busy cursor requires interval
> > timers, profiling requires signals, and you cannot do anything in
> > Emacs without being able to allocate memory.  If we leave Emacs only
> > with capabilities to read and write to a couple of descriptors, how
> > will the result be useful?
>
> We would definitely allow more stuff (e.g. some other syscalls are
> required for Emacs to even start up).  For example, Emacs needs to
> allocate memory and thus needs mmap/sbrk.  Timing functions are not
> security-sensitive (timing attacks exist, but should be prevented in
> this case by blocking any relevant use of the data thus obtained), and
> signals only affect the sandboxed Emacs process.  The two big things we
> need to prevent are writing arbitrary files and creating sockets.

So you are going to suggest that we rely on some auditing of the
syscalls Emacs uses now to decide which ones to filter and which not?
If so, how will this work in the future, when Emacs might decide to
issue some additional syscalls?  Who will remember to update the filter
definitions, and how?  And what about users who make local changes in
their Emacs?

> At least initially we should only care about batch mode, though -
> nothing prevents interactive mode in a sandbox in principle, but batch
> mode is much easier to deal with, and suffices for the Flymake use
> case.

I understand why batch mode might be easier to deal with, but I'm not
sure we should care more about it just because it's easier.