From: Clément Pit-Claudel
Newsgroups: gmane.emacs.devel
Subject: Re: package security auditing and isolation
Date: Thu, 6 Apr 2017 16:17:17 -0400
To: emacs-devel@gnu.org
In-Reply-To: <8737dl1gol.fsf@lifelogs.com>
References: <87h9211v1c.fsf@lifelogs.com> <87d1cp1qvd.fsf@lifelogs.com> <8737dl1gol.fsf@lifelogs.com>
Xref: news.gmane.org gmane.emacs.devel:213723

On 2017-04-06 15:26, Ted Zlatanov wrote:
> a) Can the parse tree of a package be analyzed safely (without running
> code in the package)? Is it deterministic?

Yes if you mean the parse tree, but no if you mean the expanded syntax tree: you need to run macros to see the full AST, and macros can run arbitrary code. You could apply a first analysis pass to the macros, decide that they are safe, expand, and run the analysis again; but see (b).

> b) If the parse tree of a package is analyzed, and only has whitelisted
> functions such as `string-equal' in it, does that make the package safe?

Just looking at the parse tree isn't enough, because macros. The AST is better, but still no: it's not hard to crash Emacs from ELisp, e.g. by causing stack overflows. That would allow you to escape most protections, I expect. Without going to such extremes, it's hard to think of what a good whitelist would look like.
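The two points above (a parse-tree pass runs nothing but sees only macro names; getting the expanded tree means executing package code) can be reproduced in a few lines of Emacs Lisp. The following is an added example written for this page, not code from the thread or from Emacs; the `audit-` and `pkg-` names, the whitelist, and the sample "package" string are all invented for it.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: whitelist audit of an ELisp package on its parse tree,
;; followed by the macro expansion step that the parse tree cannot see.
;; Every audit-/pkg- name and the whitelist below are made up for this example.
(require 'cl-lib)
(require 'seq)
(require 'macroexp)

(defconst audit-whitelist
  '(defun defmacro setq list concat intern quote string-equal)
  "Symbols permitted in function position.  Example policy only.")

(defun audit-read-forms (text)
  "Return the top-level forms of TEXT using `read' alone; nothing is evaluated."
  (with-temp-buffer
    (insert text)
    (goto-char (point-min))
    (let (forms)
      (condition-case nil
          (while t (push (read (current-buffer)) forms))
        (end-of-file nil))
      (nreverse forms))))

(defun audit-calls (form)
  "List every symbol in function position in FORM, walking the parse tree only.
Argument lists of `defun', `defmacro' and `lambda' are skipped; a real
checker would need the syntax of every special form it admits.  Quoted
data is walked too, which is conservative (false positives, not misses)."
  (let (calls)
    (cl-labels ((walk (f)
                  (when (consp f)
                    (let ((head (car f))
                          (rest (cdr f)))
                      (cond ((symbolp head)
                             (push head calls)
                             (cond ((memq head '(defun defmacro))
                                    (setq rest (cddr rest)))   ; skip name, arglist
                                   ((eq head 'lambda)
                                    (setq rest (cdr rest)))))  ; skip arglist
                            ((consp head) (walk head)))        ; ((lambda ...) ...)
                      (while (consp rest)                       ; tolerates dotted pairs
                        (walk (car rest))
                        (setq rest (cdr rest)))))))
      (walk form))
    (delete-dups (nreverse calls))))

(defun audit-defined-names (forms)
  "Names that FORMS define with `defun' or `defmacro'."
  (delq nil (mapcar (lambda (f)
                      (and (consp f) (memq (car f) '(defun defmacro)) (cadr f)))
                    forms)))

(defun audit-package (text)
  "Return the calls in TEXT that are neither whitelisted nor defined in TEXT."
  (let* ((forms (audit-read-forms text))
         (allowed (append (audit-defined-names forms) audit-whitelist)))
    (seq-difference (delete-dups (apply #'append (mapcar #'audit-calls forms)))
                    allowed)))

(defconst audit-sample-package
  "(defmacro pkg-equal (a b)
     (setq pkg-macro-ran t)
     (list (intern (concat \"shell-\" \"command\")) (list 'concat \"echo \" a)))
   (defun pkg-check (x)
     (pkg-equal x \"expected\"))"
  "Constructed sample package: every symbol in function position is whitelisted,
yet the macro builds a `shell-command' call at expansion time.")

;; (a) Parse-tree pass: nothing from the package is executed, and because the
;; dangerous call is assembled by `intern' at expansion time, nothing is found.
(audit-package audit-sample-package)

;; (b) To see the expanded tree we have to run package code twice over:
;; `eval' installs the macro, and `macroexpand-all' then executes its body
;; (observable through pkg-macro-ran).  Only now does the walker see the call.
(defvar pkg-macro-ran nil)
(let* ((forms (audit-read-forms audit-sample-package))
       (body (nth 3 (cadr forms)))            ; (pkg-equal x "expected")
       (expanded (progn (eval (car forms) t)  ; defines pkg-equal
                        (macroexpand-all body))))
  (list pkg-macro-ran
        (seq-difference (audit-calls expanded)
                        (append (audit-defined-names forms) audit-whitelist))))
```

Evaluating the buffer with `M-x eval-buffer`, the first call reports no offending symbols, while the second returns `pkg-macro-ran` set to `t` together with `shell-command`, which only exists in the expanded tree. The same `intern` trick works without any macro at all (`(funcall (intern "shell-command") ...)`), so a whitelist that admits `intern`, `funcall`, `apply` or `eval` admits everything, and none of this addresses the separate point about crashing Emacs, say via a deep recursion, from otherwise whitelisted code.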