From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: =?utf-8?B?Sm/Do28gVMOhdm9yYQ==?= <joaotavora@gmail.com>
Newsgroups: gmane.emacs.devel
Subject: Re: Sandboxing
Date: Fri, 14 Dec 2018 01:35:07 +0000
Message-ID: <87efakao1g.fsf@gmail.com>
References: <20181204233600.7907.75252@vcs0.savannah.gnu.org>
	<20181204233601.273DD209DC@vcs0.savannah.gnu.org>
	<jwvzhtkfvgg.fsf-monnier+emacsdiffs@gnu.org>
	<wftvjrsq0v.fsf@fencepost.gnu.org>
	<CALDnm524yZReQO_gN7-8nLQuoUNXcSLgZQT=rvOw5mAbJS9h9g@mail.gmail.com>
	<87sgz89mpu.fsf_-_@gmail.com>
	<jwvsgz859cf.fsf-monnier+emacsdiffs@gnu.org>
	<87mupe9qqw.fsf@gmail.com>
	<jwv1s6qcfc2.fsf-monnier+emacsdiffs@gnu.org>
	<87in019dle.fsf@gmail.com>
	<jwv4lbjc1if.fsf-monnier+gmane.emacs.devel@gnu.org>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Trace: blaine.gmane.org 1544751279 17701 195.159.176.226 (14 Dec 2018 01:34:39 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Fri, 14 Dec 2018 01:34:39 +0000 (UTC)
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
Cc: emacs-devel@gnu.org
To: Stefan Monnier <monnier@iro.umontreal.ca>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Fri Dec 14 02:34:35 2018
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1gXcN9-0004Ug-8Y
	for ged-emacs-devel@m.gmane.org; Fri, 14 Dec 2018 02:34:35 +0100
Original-Received: from localhost ([::1]:58113 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1gXcPG-0007q0-2X
	for ged-emacs-devel@m.gmane.org; Thu, 13 Dec 2018 20:36:46 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:58214)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <joaotavora@gmail.com>) id 1gXcNq-0007GP-38
	for emacs-devel@gnu.org; Thu, 13 Dec 2018 20:35:18 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <joaotavora@gmail.com>) id 1gXcNk-0002bh-W2
	for emacs-devel@gnu.org; Thu, 13 Dec 2018 20:35:17 -0500
Original-Received: from mail-wr1-x42f.google.com ([2a00:1450:4864:20::42f]:44540)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <joaotavora@gmail.com>)
	id 1gXcNk-0002Yv-Nt
	for emacs-devel@gnu.org; Thu, 13 Dec 2018 20:35:12 -0500
Original-Received: by mail-wr1-x42f.google.com with SMTP id z5so3865212wrt.11
	for <emacs-devel@gnu.org>; Thu, 13 Dec 2018 17:35:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=from:to:cc:subject:references:date:in-reply-to:message-id
	:user-agent:mime-version:content-transfer-encoding;
	bh=qkJBb6fpempUx4dXkyP+d0LPBA6o8oN36hmmXNVTjw8=;
	b=VbDE+eSZ2VOgmhlM7roCiD68vhyJNpCjU+aG6DZCO8xj3DvcgX1ZdNA5i3U7AAREum
	wWFjmqyPBRDUenmn/sPDUQ7R+49ANtwsZSv8XHo5suqGhiJ7FDz2SypgQQ60OrvQv8pc
	P99NwKfI3KWizFkMcptDhdPMCabW7wDHqU4ekJnWjX7jMvx8OVdKd05/KkDTspiRTbSm
	n3S1PtuEQFCod99J9czvPNFHWKFwXqEfbawVlcK4drGDYpI158ddDGM7whvbPobGcOAD
	H1/Cx8PnM0LySb3Xpmid9yTJImI1OFDvtdbuRRqBW3BxrrLngecYMrRBWgsDjdzYmsa5
	N5BQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
	:message-id:user-agent:mime-version:content-transfer-encoding;
	bh=qkJBb6fpempUx4dXkyP+d0LPBA6o8oN36hmmXNVTjw8=;
	b=Ctt5fSEFi1dM6bXNMz+0tXpHXOVXKqV3iag6vG+1r/WkhKjjDY/loRHkO6+xt2J4f7
	/tA3vAqslPEzKTJRmYFO2Dp0UrIfDexgqh5xPGDWysLRM3HS4fmqu7yC6S6MZG5Qks7Y
	eb96ATu1/3492rhUZPuxWwF8c3KjmI5SrGXkZ1rbrRuSOW2eyA4pBaTA6u7yiqbExhQ0
	7jydUAU6d0lQXfReO6ymXYx8y3DdldJ+gdKCi/OSrZgIaazM8e20dJChSowQZA3IX86q
	bsi4HYMFLmqWRzlTjd0yBmyK7iGDb8hSijiWEMGf3Su2qnJM7jK2EoJwT6/4Acu5qsEh
	aCUA==
X-Gm-Message-State: AA+aEWamQTGf6D5BKyLSFiOqhHoIZKFdNsh77Al90FyqbKseP+pM4bZI
	OUewBagWkxCHSicJagCtxDsWS0nQ
X-Google-Smtp-Source: AFSGD/UG1Fy76nvFYyr5+TckwDcbidYA7fpFt7zkmc2Z2jdT/23hZqadxo+2F6U0jEgLZ+KZ0+98Rw==
X-Received: by 2002:adf:9c8a:: with SMTP id d10mr824123wre.244.1544751311192; 
	Thu, 13 Dec 2018 17:35:11 -0800 (PST)
Original-Received: from lolita.yourcompany.com (188.139.62.94.rev.vodafone.pt.
	[94.62.139.188]) by smtp.gmail.com with ESMTPSA id
	h62sm2721317wmf.11.2018.12.13.17.35.09
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Thu, 13 Dec 2018 17:35:10 -0800 (PST)
In-Reply-To: <jwv4lbjc1if.fsf-monnier+gmane.emacs.devel@gnu.org> (Stefan
	Monnier's message of "Tue, 11 Dec 2018 14:30:43 -0500")
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 2a00:1450:4864:20::42f
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel/>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel" <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:231817
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/231817>

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>>> Providing ways to run Elisp in a confined environment would be useful in
>>> various circumstances, but it's non-trivial.
>> I can understand that, but I'm not proposing a fully hermetic sandbox
>> just something that ameliorates the problem.
>
> I think a first step might be to add a new boolean var
> `disallow-unsafe-effects` and then go through the C code to check this
> var whenever we do something "dangerous" (e.g. change a global var,
> launch a process, ...).
>
> I suspect that a boolean will be too coarse in the long run (we'll
> probably want to split this into different domains, maybe with some kind
> of capabilities, or maybe monitor the effect, or god knows what), but we
> need to start somewhere

Indeed we do.  Just a couple of checks in src/fileio.c, delete_file and
delete_directory_internal would be a great start.  Then a couple more
and so on.

Jo=C3=A3o