From mboxrd@z Thu Jan 1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Philipp Stephani
Newsgroups: gmane.emacs.bugs
Subject: bug#45198: 28.0.50; Sandbox mode
Date: Sat, 17 Apr 2021 21:14:02 +0200
Message-ID:
References: <5818DFAA-3A9C-4335-BAAF-1227A02C290A@acm.org>
<19511709-E42B-4ABD-9823-39EA08A79B1F@gmail.com>
<83v98kvr7y.fsf@gnu.org> <9A5BCDF3-6543-46C0-AB56-2311392FC549@gmail.com>
<83tuo4vqet.fsf@gnu.org>
<83r1j8vpku.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
logging-data="3838"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: Alan Third ,
Mattias =?UTF-8?Q?Engdeg=C3=A5rd?= , 45198@debbugs.gnu.org,
Stefan Kangas ,
=?UTF-8?Q?Jo=C3=A3o_?= =?UTF-8?Q?T=C3=A1vora?= ,
Stefan Monnier
To: Eli Zaretskii
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Sat Apr 17 21:15:48 2021
Return-path:
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.92)
(envelope-from )
id 1lXqPz-0000rA-6e
for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 17 Apr 2021 21:15:47 +0200
Original-Received: from localhost ([::1]:41208 helo=lists1p.gnu.org)
by lists.gnu.org with esmtp (Exim 4.90_1)
(envelope-from )
id 1lXqPy-0004wb-8i
for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 17 Apr 2021 15:15:46 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:35276)
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from )
id 1lXqPG-0004us-GP
for bug-gnu-emacs@gnu.org; Sat, 17 Apr 2021 15:15:02 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43]:33073)
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
(Exim 4.90_1) (envelope-from )
id 1lXqPG-0007vI-7c
for bug-gnu-emacs@gnu.org; Sat, 17 Apr 2021 15:15:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
(envelope-from ) id 1lXqPG-0000QY-2W
for bug-gnu-emacs@gnu.org; Sat, 17 Apr 2021 15:15:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Philipp Stephani
Original-Sender: "Debbugs-submit"
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sat, 17 Apr 2021 19:15:02 +0000
Resent-Message-ID:
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 45198
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
Original-Received: via spool by 45198-submit@debbugs.gnu.org id=B45198.16186868621568
(code B ref 45198); Sat, 17 Apr 2021 19:15:02 +0000
Original-Received: (at 45198) by debbugs.gnu.org; 17 Apr 2021 19:14:22 +0000
Original-Received: from localhost ([127.0.0.1]:44616 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from )
id 1lXqOb-0000PE-UE
for submit@debbugs.gnu.org; Sat, 17 Apr 2021 15:14:22 -0400
Original-Received: from mail-oi1-f176.google.com ([209.85.167.176]:33566)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from ) id 1lXqOZ-0000P1-Gm
for 45198@debbugs.gnu.org; Sat, 17 Apr 2021 15:14:20 -0400
Original-Received: by mail-oi1-f176.google.com with SMTP id l131so26389818oih.0
for <45198@debbugs.gnu.org>; Sat, 17 Apr 2021 12:14:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc:content-transfer-encoding;
bh=7i4zwekH/SOmp47Odq46RfyKqQQAKHZjjgO0KhadM88=;
b=AAfiPJe9ISmfdxdZl7fAqZW7HANbxqIzvRLJ80dH9vcP9v9s1noGc42k2kLLrka7Fw
Xf9oHES7ifv0fME8vwIaCIoVgRjrxZ+T64UahogZEANYM+V9BL7lbby+3KzeI978M1Bo
RBLGksGXq+OisiISGQ//DZok0tpQitXTDVp9ACrcr3Vtsa6KSF9X70Y0Ew3/Z6NhGSDZ
F2CAy8Vdm+o5OOXkVosrpKpGUD0CQTwNYBu8g1WxMe+mng2jEKGDieWHbKvcRhXIlpWU
HGNzN+crD2BSONdqeMQoWl/CqgHhTXrz8sZjz1rAVdjp3VVz+7vdGaHOqBDfASsD+cCc
ZDUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc:content-transfer-encoding;
bh=7i4zwekH/SOmp47Odq46RfyKqQQAKHZjjgO0KhadM88=;
b=U0DkR5CEE3MQeqc8rxHzBJEo2Uo6KzeWkHqSSWvDqldirw9i8cpbLj6Mf1yr0IpNsf
rVB1eTCA8qCWfpo/sbw0AcP2smwRmPXXdY1KtfyiWFCaMQa1zBXwGPxC939pfEgeF1Yt
arOouyOq9+N29OdGk2JJHcq1GF24f2nfAtpgfdMWFOKweZeDPAh6Ups4TV82wtVwUbVY
Yy9SfX0bLqpvrA5Y18Mu7BFM+/DfUKXJ49mr/3VovUyi6VxhLLSv+qLdnqFZRdKEgPho
tTEI3g6lHwQlup069C9QZzfRdUuy7ZG6edUi+iUOGrFL5X51Gc2iLt6xuHhrp1MPj13E
lwew==
X-Gm-Message-State: AOAM532B9TdOz2uGBkHEYdn80N+RsMoJrPpwoXTysby+OceMAxN5UF7G
AIlu7HsDfB1o6jf46HCsy70ABlhmOwpBOVuC6go=
X-Google-Smtp-Source: ABdhPJy8YQKW6XTl8wa+/fFCGwShE4psCRdmLu3oAl6kCu7v/fcpZ6AOr0hhyrk0KWEMgt/qzP5LHRqwQtvzdDwjh2U=
X-Received: by 2002:aca:1814:: with SMTP id h20mr10675550oih.150.1618686853920;
Sat, 17 Apr 2021 12:14:13 -0700 (PDT)
In-Reply-To: <83r1j8vpku.fsf@gnu.org>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
the Swiss army knife of text editors"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
Xref: news.gmane.io gmane.emacs.bugs:204250
Archived-At:
Am Sa., 17. Apr. 2021 um 18:33 Uhr schrieb Eli Zaretskii :
>
> > From: Philipp Stephani
> > Date: Sat, 17 Apr 2021 18:20:15 +0200
> > Cc: Mattias Engdeg=C3=A5rd ,
> > Jo=C3=A3o T=C3=A1vora ,
> > 45198@debbugs.gnu.org, Stefan Kangas ,
> > Stefan Monnier , Alan Third
> >
> > That's a fair statement, and I'll try to answer here (and hopefully
> > later in the other thread as well). The sandbox should be able to
> > perform operations that are in some sense not security-relevant:
> > mostly performing computations, reading some necessary files, and
> > writing some diagnostics to standard output. The initial use case can
> > be running byte compilation in a Flymake backend. This would allow us
> > to enable Flymake byte compilation support by default, even on
> > untrusted code, because due to the sandbox that code could never
> > perform harmful operations. The Flymake backend would then use the
> > high-level sandbox functions to asynchronously start byte compilation
> > in a sandbox. The start-sandbox function in turn would launch an Emacs
> > subprocess using bwrap or similar to set up appropriate mount
> > namespaces and apply a Seccomp filter (in the GNU/Linux case).
>
> Thanks. I think I understand the general idea, but not how to
> translate that into real life.
>
> "Performing computations" in Emacs corresponds to invoking gobs of
> system interfaces, and if we are going to filter most of them, I fear
> we will get a dysfunctional Emacs. E.g., cursor blinking requires
> accessing the system time, displaying a busy cursor requires interval
> timers, profiling requires signals, and you cannot do anything in
> Emacs without being able to allocate memory. If we leave Emacs only
> with capabilities to read and write to a couple of descriptors, how
> will the result be useful?
We would definitely allow more stuff (e.g. some other syscalls are
required for Emacs to even start up). For example, Emacs needs to
allocate memory and thus needs mmap/sbrk. Timing functions are not
security-sensitive (timing attacks exist, but should be prevented in
this case by blocking any relevant use of the data such obtained), and
signals only affect the sandboxed Emacs process. The two big things we
need to prevent is writing arbitrary files and creating sockets.
At least initially we should only care about batch mode, though -
nothing prevents interactive mode in a sandbox in principle, but batch
mode is much easier to deal with, and suffices for the Flymake use
case.
> Even if Flymake byte compilation can live
> in such a sandbox (and I'm not yet certain it can), is that the most
> important situation where untrusted code could be run by Emacs?
It's at least the situation described here, and I think it's pretty
important. Another potential use case would be to allow some
buffer-local evaluation.