From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Eli Zaretskii Newsgroups: gmane.emacs.bugs Subject: bug#45198: 28.0.50; Sandbox mode Date: Sat, 17 Apr 2021 19:33:05 +0300 Message-ID: <83r1j8vpku.fsf@gnu.org> References: <5818DFAA-3A9C-4335-BAAF-1227A02C290A@acm.org> <19511709-E42B-4ABD-9823-39EA08A79B1F@gmail.com> <83v98kvr7y.fsf@gnu.org> <9A5BCDF3-6543-46C0-AB56-2311392FC549@gmail.com> <83tuo4vqet.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="3071"; mail-complaints-to="usenet@ciao.gmane.io" Cc: alan@idiocy.org, mattiase@acm.org, 45198@debbugs.gnu.org, stefankangas@gmail.com, joaotavora@gmail.com, monnier@iro.umontreal.ca To: Philipp Stephani Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Sat Apr 17 18:34:17 2021 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lXntg-0000fz-Us for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 17 Apr 2021 18:34:16 +0200 Original-Received: from localhost ([::1]:42676 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lXntg-0006mP-2a for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 17 Apr 2021 12:34:16 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:55684) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lXntS-0006kd-TZ for bug-gnu-emacs@gnu.org; Sat, 17 Apr 2021 12:34:02 -0400 Original-Received: from debbugs.gnu.org ([209.51.188.43]:60921) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lXntS-0002L7-LV for bug-gnu-emacs@gnu.org; Sat, 17 Apr 2021 12:34:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lXntS-0004gY-IV for bug-gnu-emacs@gnu.org; Sat, 17 Apr 2021 12:34:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Eli Zaretskii Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sat, 17 Apr 2021 16:34:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 45198 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch Original-Received: via spool by 45198-submit@debbugs.gnu.org id=B45198.161867720917971 (code B ref 45198); Sat, 17 Apr 2021 16:34:02 +0000 Original-Received: (at 45198) by debbugs.gnu.org; 17 Apr 2021 16:33:29 +0000 Original-Received: from localhost ([127.0.0.1]:44234 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lXnsv-0004fm-AI for submit@debbugs.gnu.org; Sat, 17 Apr 2021 12:33:29 -0400 Original-Received: from eggs.gnu.org ([209.51.188.92]:43052) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lXnsu-0004fb-F1 for 45198@debbugs.gnu.org; Sat, 17 Apr 2021 12:33:28 -0400 Original-Received: from fencepost.gnu.org ([2001:470:142:3::e]:36226) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lXnso-00023D-Do; Sat, 17 Apr 2021 12:33:22 -0400 Original-Received: from 84.94.185.95.cable.012.net.il ([84.94.185.95]:4186 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1lXnsk-0000zr-7w; Sat, 17 Apr 2021 12:33:21 -0400 In-Reply-To: (message from Philipp Stephani on Sat, 17 Apr 2021 18:20:15 +0200) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.io gmane.emacs.bugs:204226 Archived-At: > From: Philipp Stephani > Date: Sat, 17 Apr 2021 18:20:15 +0200 > Cc: Mattias Engdegård , > João Távora , > 45198@debbugs.gnu.org, Stefan Kangas , > Stefan Monnier , Alan Third > > That's a fair statement, and I'll try to answer here (and hopefully > later in the other thread as well). The sandbox should be able to > perform operations that are in some sense not security-relevant: > mostly performing computations, reading some necessary files, and > writing some diagnostics to standard output. The initial use case can > be running byte compilation in a Flymake backend. This would allow us > to enable Flymake byte compilation support by default, even on > untrusted code, because due to the sandbox that code could never > perform harmful operations. The Flymake backend would then use the > high-level sandbox functions to asynchronously start byte compilation > in a sandbox. The start-sandbox function in turn would launch an Emacs > subprocess using bwrap or similar to set up appropriate mount > namespaces and apply a Seccomp filter (in the GNU/Linux case). Thanks. I think I understand the general idea, but not how to translate that into real life. "Performing computations" in Emacs corresponds to invoking gobs of system interfaces, and if we are going to filter most of them, I fear we will get a dysfunctional Emacs. E.g., cursor blinking requires accessing the system time, displaying a busy cursor requires interval timers, profiling requires signals, and you cannot do anything in Emacs without being able to allocate memory. If we leave Emacs only with capabilities to read and write to a couple of descriptors, how will the result be useful? Even if Flymake byte compilation can live in such a sandbox (and I'm not yet certain it can), is that the most important situation where untrusted code could be run by Emacs?