From: Lars Ingebrigtsen
Newsgroups: gmane.emacs.bugs
Subject: bug#56359: seccomp test failures on RHEL 9.0
Date: Tue, 11 Oct 2022 21:47:28 +0200
Message-ID: <87a662f8hb.fsf@gnus.org>
References: <2094647B-7360-41F4-8AB0-ADFC835288E8@gmail.com> <87y1vjay6b.fsf@tcd.ie> <87edvfji2y.fsf@gnus.org> <87lepm5yfo.fsf@tcd.ie>
Cc: "Basil L. Contovounesios", Glenn Morris, Philipp Stephani, 56359@debbugs.gnu.org
To: Paul Eggert
In-Reply-To: (Paul Eggert's message of "Tue, 11 Oct 2022 10:43:45 -0700")

Paul Eggert writes:

> My "fix" involved allowing all uses of clone3, which (as Philipp noted
> in August) is problematic. I'm not sure what's being tested for, but
> if clone3 lets you evade the checks then the test is arguably more
> trouble than it's worth. Would marking it as :unstable lessen the
> number of false alarms we're getting? If not, perhaps we should remove
> it or mark it as :dont-use-unless-you-know-what-youre-doing or
> whatever.

And pidfd_open also sounds like a non-safe call (without looking at it
closely).

Skimming the tests, they seem to test pretty basic functionality in the
seccomp area -- that is, without allowing pidfd_open/clone3, nothing
will be able to run using the seccomp functionality. But since those
are somewhat unsafe, then... what's the point?

But I may be missing how this is supposed to be used altogether.
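
The concern quoted above, that allowing every clone3 call lets a process evade checks applied to clone, shown as an added example that is not part of this message or of Emacs's own seccomp filter. The policy, the choice of CLONE_NEWUSER as the restricted flag, and the names `policy`, `run_filter`, `verdict` and `NEWUSER` are assumptions made for illustration; the filter is evaluated in user space rather than installed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>
#ifndef __NR_clone3
# define __NR_clone3 435      /* x86-64 and aarch64 value, for older headers */
#endif
#define NEWUSER 0x10000000u   /* value of CLONE_NEWUSER in <linux/sched.h> */
/* Hypothetical policy (not Emacs's filter), little-endian x86-64/aarch64 layout:
   clone is allowed unless CLONE_NEWUSER is set, clone3 is allowed outright.  */
static const struct sock_filter policy[] = {
  BPF_STMT (BPF_LD | BPF_W | BPF_ABS, offsetof (struct seccomp_data, nr)),
  BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 4, 0),
  BPF_JUMP (BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 4),
  BPF_STMT (BPF_LD | BPF_W | BPF_ABS, offsetof (struct seccomp_data, args[0])),
  BPF_JUMP (BPF_JMP | BPF_JSET | BPF_K, NEWUSER, 2, 0),
  BPF_STMT (BPF_RET | BPF_K, SECCOMP_RET_ALLOW),  /* clone, flags checked */
  BPF_STMT (BPF_RET | BPF_K, SECCOMP_RET_ALLOW),  /* clone3, nothing checked */
  BPF_STMT (BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* any other syscall */
};

/* Interprets only the opcodes used above.  As in the kernel, the filter
   reads struct seccomp_data and cannot follow pointers into user memory.  */
static uint32_t run_filter (const struct seccomp_data *d) {
  uint32_t a = 0;
  for (size_t pc = 0; pc < sizeof policy / sizeof *policy; pc++) {
    const struct sock_filter *f = &policy[pc];
    if (f->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy (&a, (const char *) d + f->k, sizeof a);
    else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += (a == f->k) ? f->jt : f->jf;
    else if (f->code == (BPF_JMP | BPF_JSET | BPF_K)) pc += (a & f->k) ? f->jt : f->jf;
    else return f->k;           /* BPF_RET | BPF_K */
  }
  return SECCOMP_RET_KILL;
}

/* clone takes flags by value; clone3 takes a pointer to struct clone_args.  */
static uint32_t verdict (int nr, uint64_t flags) {
  struct seccomp_data d = { .nr = nr };
  d.args[0] = nr == __NR_clone3 ? (uint64_t) (uintptr_t) &flags : flags;
  return run_filter (&d);
}

int main (void) {
  printf ("clone+NEWUSER allowed: %d, clone3+NEWUSER allowed: %d\n",
          verdict (__NR_clone, NEWUSER) == SECCOMP_RET_ALLOW, verdict (__NR_clone3, NEWUSER) == SECCOMP_RET_ALLOW);
}
```

The same flag that the clone rule rejects passes through clone3 untouched, because the filter only ever sees the address of the argument structure, which is why a blanket allow for clone3 weakens any flag-based restriction on clone.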