bug#45198: 28.0.50; Sandbox mode

[Philipp Stephani <p.stephani2@gmail.com>]

Am Do., 17. Dez. 2020 um 18:56 Uhr schrieb Mattias Engdegård <mattiase@acm.org>:
>
> 17 dec. 2020 kl. 14.08 skrev Philipp Stephani <p.stephani2@gmail.com>:
>
> > Dynamic libraries tend to start threads for background work, so while
> > there aren't that many, they still exist.
>
> Well, there's no accounting for taste. Still, I'm not ready to close the door to possible solutions until they really do appear to lead no way. (It's not an urgent concern since we will need a traditional fork-exec solution first of all.)

Yeah, I didn't want to imply to close the door, just to first start
with what we need to solve the task at hand.

>
> > I haven't tried this out yet, but allowing reads from load-path
> > entries plus the installation directory should be fine.
>
> Assuming this is sufficient; I think autoloaded definitions can specify files in arbitrary directories, not necessarily in the load-path.

Sure, but things like Flymake byte-compilation are best-effort anyway.
It's fine to (at least initially) not cover a few "exotic" cases.

>
> > Yes, but see my other comment: restricting an open policy after the
> > fact is much harder than opening up an initially-restrictive one, so
> > I'd really start with a restrictive one (no file reading allowed
> > except for allowed directories and files).
>
> Depends on the platform I suppose -- macOS and BSD should work either way. On Linux it depends on the method used; I admit not having looked closely at seccomp lately.

Ah, I was talking about the engineering/product management aspect, not
about the technical one: If you start with an initially-open sandbox
policy, locking it down in future releases is much harder than the
other way round.

>
> > The gains are largely realized using threads these days.
>
> Indeed, although forking still has a few niche uses. (For there record I'm a firm believer that the fork-exec model was a mistake from its inception, but now that it's there...)
>
> Emacs would be better served with threads, too, if it weren't that (I) we don't have a good threading story yet and (II) Elisp code can cause way too much damage at compile time. Fixing either would bring many other benefits!

Yeah, and while there are a few ideas (the "web worker" model looks
most promising), we're not even close to having a design yet.

>
> > I'd think that we'd always run the sandboxed Emacs with --quick
> > --batch and an empty environment (to provide for some reproducibility
> > and avoid LD_PRELOAD attacks etc.), and then startup tends to be fast
> > enough (emacs -Q -batch takes ~50 ms on my system).
>
> That's not quite fair; the byte-compiler needs the right load-path and autoload definitions, and the byte-compiler itself needs to be loaded as well. (Anyone who can set LD_PRELOAD already has the machine.)
>
> The easiest way is to run the user's init file. Perhaps it's possible to just transmit a list of paths and packages to the subprocess as arguments but the user may have things loaded or defined outside the standard package manager.
>

We should be very hesitant to use the easiest way. Often it's the
wrong way, and fixing things after the fact tends to be hard. Again,
the goal is not to provide a perfect solution that works for all ELisp
files, but something that works well for "typical" use cases. We
should definitely run the subprocess with --quick --batch and an empty
environment by default, not only for security and speed, but also for
reproducibility. That's also what Flycheck does
(https://github.com/flycheck/flycheck/blob/a11b789807d1d942d6fcfac17508d072b9cf7ba8/flycheck.el#L8435)