From: Mattias Engdegård
Newsgroups: gmane.emacs.bugs
Subject: bug#45198: 28.0.50; Sandbox mode
Date: Wed, 30 Dec 2020 15:59:19 +0100
To: 45198@debbugs.gnu.org
Cc: Alan Third, Bastien, Philipp Stephani, Stefan Kangas, João Távora, Stefan Monnier
Here is a bare-bones macOS sandbox implementation. In practice, it would probably be called in an --eval argument to guard anything executed later. It should be sufficient for the typical untrusted flymake checker running in an Emacs subprocess and printing to stdout/stderr.

[Attachment: macos-sandbox.diff]

diff --git a/lisp/subr.el b/lisp/subr.el
index ed0d6978d0..729c4ac70b 100644
--- a/lisp/subr.el
+++ b/lisp/subr.el
@@ -6036,4 +6036,18 @@ internal--format-docstring-line This is intended for internal use only." (internal--fill-string-single-line (apply #'format string objects))) +(defun sandbox-enter (dirs) + "Enter a sandbox only permitting reading files under DIRS. +DIRS is a list of directory names. Most other operations such as +writing files and network access are disallowed. +Existing open descriptors can still be used freely." + (unless (eq system-type 'darwin) + (error "not implemented on this platform")) + (macos-sandbox-init + (concat "(version 1)\n" + "(deny default)\n" + (mapconcat (lambda (dir) + (format "(allow file-read* (subpath %S))\n" dir)) + dirs "")))) + ;;; subr.el ends here diff --git a/src/sysdep.c b/src/sysdep.c index eeb9d18494..3b2da8c637 100644 --- a/src/sysdep.c +++ b/src/sysdep.c @@ -4054,8 +4054,33 @@ str_collate (Lisp_Object s1, Lisp_Object s2, } #endif /* WINDOWSNT */ +#ifdef DARWIN_OS + +/* This call is not in the platform header files. You just Have to Know. */ +int sandbox_init_with_parameters(const char *profile, + uint64_t flags, + const char *const parameters[], + char **errorbuf); + +DEFUN ("macos-sandbox-init", Fmacos_sandbox_init, Smacos_sandbox_init, + 1, 1, 0, + doc: /* Enter a sandbox whose permitted access is curtailed by PROFILE. +Already open descriptors can be used freely. */) + (Lisp_Object profile) +{ + char *err = NULL; + if (sandbox_init_with_parameters (SSDATA (profile), 0, NULL, &err) != 0) + error ("sandbox error: %s", err); + return Qnil; +} + +#endif /* DARWIN_OS */ + void syms_of_sysdep (void) { defsubr (&Sget_internal_run_time); +#ifdef DARWIN_OS + defsubr (&Smacos_sandbox_init); +#endif } --Apple-Mail=_D73D3F94-4567-4C01-8C2E-AC319FE69E44--
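Review bot: in the subr.el hunk, sandbox-enter writes each DIRS entry into the (subpath ...) rule as given, so a relative or unexpanded name such as "~/src" or "./lib" lands in the profile verbatim; normalize with (directory-file-name (expand-file-name dir)) before the format call. Two smaller points in the same hunk: the message in (error "not implemented on this platform") should start with a capital letter per the Emacs Lisp conventions, and since the primitive is only defsubr'd under DARWIN_OS, (fboundp 'macos-sandbox-init) is a more direct guard than (eq system-type 'darwin) and also covers a build that left the primitive out. The docstring could add that an empty DIRS produces a profile denying all file reads, which a caller is unlikely to intend.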
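Review bot: in the sysdep.c hunk, Fmacos_sandbox_init uses SSDATA (profile) without a preceding CHECK_STRING (profile), so a non-string argument trips an assertion (or reads garbage in a non-checking build) instead of signalling a wrong-type-argument error; add the check at the top of the function. In the same hunk the error path leaks: the sandbox_init family allocates the message in *errorbuf and expects the caller to release it with sandbox_free_error, but error (...) exits non-locally, so copy the text into a Lisp string, free err, then signal, and guard against err being NULL before formatting it with %s. The profile also reaches the C side in Emacs's internal multibyte encoding; pass it through ENCODE_FILE (its contents are file names from DIRS) so non-ASCII directory names arrive in the file-name coding system. Lastly, the "You just Have to Know" comment is where a pointer belongs: <sandbox.h> declares the related public (deprecated) sandbox_init (const char *profile, uint64_t flags, char **errorbuf), and a sentence on why the undocumented _with_parameters variant is used instead, plus a NEWS entry for the new primitive and for sandbox-enter, would make this maintainable.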
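An added check, not part of the patch or of Emacs, for the usage the message sketches: it enters the sandbox through the patch's sandbox-enter and probes whether the profile behaves as its docstring promises, so a flymake setup can verify the guard before relying on it. It assumes a macOS Emacs built with this patch; the probe set and the name sandbox-self-test are mine.

```elisp
;;; sandbox-self-test.el --- probe a sandbox-enter profile  -*- lexical-binding: t -*-
;; Added example, not from the patch or from Emacs.  Assumes a macOS Emacs
;; built with the patch above, so that `sandbox-enter' exists.  The probe
;; names and `sandbox-self-test' itself are mine.
(require 'cl-lib)

(defun sandbox-self-test (dir)
  "Enter a sandbox permitting reads under DIR, then probe what is still allowed.
Return an alist of (PROBE . RESULT) where RESULT is `ok' or the error message
text, so a sandbox denial (\"Operation not permitted\") can be told apart
from an ordinary failure."
  (let ((dir (directory-file-name (expand-file-name dir)))
        (results nil))
    (sandbox-enter (list dir))
    (cl-flet ((probe (name thunk)
                (push (cons name (condition-case err
                                     (progn (funcall thunk) 'ok)
                                   (error (error-message-string err))))
                      results)))
      ;; Reads under DIR are the one thing the profile allows.
      (probe 'read-inside (lambda () (directory-files dir)))
      ;; (deny default) with only file-read* under DIR: reading elsewhere
      ;; should fail.
      (probe 'read-outside (lambda () (insert-file-contents "/etc/hosts")))
      ;; No file-write* rule at all: writing anywhere should fail.
      (probe 'write-outside
             (lambda ()
               (with-temp-buffer
                 (write-region (point-min) (point-max)
                               (expand-file-name "sandbox-probe"
                                                 temporary-file-directory)))))
      ;; No network rule either.  A refused connection and a sandbox denial
      ;; both signal `file-error', hence the message text kept in RESULT.
      (probe 'network
             (lambda ()
               (delete-process
                (make-network-process :name "sandbox-probe"
                                      :host "127.0.0.1" :service 9)))))
    ;; Printing to the already open stdout still works, as the docstring says.
    (nreverse results)))

;; Intended use, matching the --eval guard described in the message:
;;   emacs --batch --eval '(sandbox-enter (list "/path/to/project"))' -l checker.el
;; Self-test:
;;   emacs --batch -l sandbox-self-test.el \
;;         --eval '(print (sandbox-self-test "/path/to/project"))'
```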