* Seccomp
@ 2021-04-13 14:35 Eli Zaretskii
From: Eli Zaretskii @ 2021-04-13 14:35 UTC (permalink / raw)
  To: Philipp Stephani; +Cc: emacs-devel

I'm not sure I understand the user-level aspects of this feature.  Or
is this not a user-level feature?

The NEWS entry says:

  ** Emacs now supports loading a Secure Computing filter.
  This is supported only on capable GNU/Linux systems.  To activate,
  invoke Emacs with the '--seccomp=FILE' command-line option.  FILE must
  name a binary file containing an array of 'struct sock_filter'
  structures.  Emacs will then install that list of Secure Computing
  filters into its own process early during the startup process.  You
  can use this functionality to put an Emacs process in a sandbox to
  avoid security issues when executing untrusted code.  See the manual
  page for 'seccomp' system call, for details about Secure Computing
  filters.

Let's say I have an untrusted Lisp package that I want to sandbox --
what is the procedure to follow?

AFAIU, just running Emacs in seccomp mode is maybe safe, but not very
useful: Emacs will be almost instantly killed, as soon as the suspect
package tries to do anything at all.  Right?

This means I would need to prepare a filter file.  But how to know
which system calls to allow and under what conditions, given a Lisp
source code of a particular package?  And how to proceed with building
the filter file even if I know which syscalls I want to block?

I have read the seccomp man pages, but these questions are still
unanswered.  I wonder how we will be able to document this facility
when the time comes.
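The FILE named by '--seccomp=FILE' is, per the NEWS entry above, a raw array of 'struct sock_filter' (u16 code, u8 jt, u8 jf, u32 k), i.e. a classic BPF program run by the kernel against 'struct seccomp_data'. The following is an added example (not from the message or from Emacs) that packs such a file for a constructed allowlist and includes a tiny host-side interpreter so the filter's decisions can be checked before handing it to a live process; the opcode, return-value and architecture constants are the kernel's (linux/filter.h, linux/seccomp.h, linux/audit.h), while the allowlist and output path are assumptions and far too small for a real Emacs:

```python
import struct

# Classic BPF opcodes (linux/filter.h) and seccomp constants (linux/seccomp.h,
# linux/audit.h). Values are the kernel's own, not invented here.
BPF_LD_W_ABS = 0x20            # BPF_LD | BPF_W | BPF_ABS: load u32 from seccomp_data
BPF_JEQ_K = 0x15               # BPF_JMP | BPF_JEQ | BPF_K: compare accumulator to k
BPF_RET_K = 0x06               # BPF_RET | BPF_K: return k as the filter verdict
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ALLOW = 0x7FFF0000
AUDIT_ARCH_X86_64 = 0xC000003E
OFF_NR, OFF_ARCH = 0, 4        # offsets of nr and arch in struct seccomp_data


def sock_filter(code, jt, jf, k):
    """Pack one struct sock_filter {__u16 code; __u8 jt; __u8 jf; __u32 k;}."""
    return struct.pack("=HBBI", code, jt, jf, k)


def build_allowlist_filter(allowed_nrs, arch=AUDIT_ARCH_X86_64):
    """Binary filter: kill unless arch matches and the syscall nr is allowlisted."""
    n = len(allowed_nrs)
    if n > 255:
        raise ValueError("jump offsets are 8-bit; split the allowlist")
    insns = [
        # Check the architecture first: syscall numbers differ per arch.
        sock_filter(BPF_LD_W_ABS, 0, 0, OFF_ARCH),
        sock_filter(BPF_JEQ_K, 1, 0, arch),                    # match: skip kill
        sock_filter(BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        sock_filter(BPF_LD_W_ABS, 0, 0, OFF_NR),
    ]
    # Each compare jumps forward past the remaining compares and the kill
    # instruction to the final ALLOW; a miss falls through to the next compare.
    for i, nr in enumerate(allowed_nrs):
        insns.append(sock_filter(BPF_JEQ_K, n - i, 0, nr))
    insns.append(sock_filter(BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS))
    insns.append(sock_filter(BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW))
    return b"".join(insns)


def evaluate(filter_bytes, nr, arch):
    """Host-side interpreter for the LD/JEQ/RET subset used above; returns the verdict."""
    insns = [struct.unpack("=HBBI", filter_bytes[i:i + 8])
             for i in range(0, len(filter_bytes), 8)]
    data = {OFF_NR: nr & 0xFFFFFFFF, OFF_ARCH: arch}
    pc, acc = 0, 0
    while True:
        code, jt, jf, k = insns[pc]
        if code == BPF_LD_W_ABS:
            acc, pc = data[k], pc + 1
        elif code == BPF_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)


if __name__ == "__main__":
    # Constructed allowlist (x86_64 numbers): read, write, rt_sigreturn, exit, exit_group.
    with open("emacs-seccomp.bpf", "wb") as f:       # assumed output path
        f.write(build_allowlist_filter([0, 1, 15, 60, 231]))
```

The resulting file is what '--seccomp=FILE' expects; in practice the allowlist is derived by tracing the syscalls a legitimate session actually makes, and any call outside it ends the process, which is exactly the "almost instantly killed" behaviour the message anticipates for an under-specified filter.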