GNU bug report logs - #45198
28.0.50; Sandbox mode

Package: emacs;

Reported by: Stefan Monnier <monnier <at> iro.umontreal.ca>

Date: Sat, 12 Dec 2020 18:20:02 UTC

Severity: normal

Tags: patch

Found in version 28.0.50

Message #206 received at 45198 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Philipp Stephani <p.stephani2 <at> gmail.com>
Cc: alan <at> idiocy.org, mattiase <at> acm.org, 45198 <at> debbugs.gnu.org,
 stefankangas <at> gmail.com, joaotavora <at> gmail.com, monnier <at> iro.umontreal.ca
Subject: Re: bug#45198: 28.0.50; Sandbox mode
Date: Sat, 17 Apr 2021 19:33:05 +0300
> From: Philipp Stephani <p.stephani2 <at> gmail.com>
> Date: Sat, 17 Apr 2021 18:20:15 +0200
> Cc: Mattias Engdegård <mattiase <at> acm.org>, 
> 	João Távora <joaotavora <at> gmail.com>, 
> 	45198 <at> debbugs.gnu.org, Stefan Kangas <stefankangas <at> gmail.com>, 
> 	Stefan Monnier <monnier <at> iro.umontreal.ca>, Alan Third <alan <at> idiocy.org>
> 
> That's a fair statement, and I'll try to answer here (and hopefully
> later in the other thread as well). The sandbox should be able to
> perform operations that are in some sense not security-relevant:
> mostly performing computations, reading some necessary files, and
> writing some diagnostics to standard output. The initial use case can
> be running byte compilation in a Flymake backend. This would allow us
> to enable Flymake byte compilation support by default, even on
> untrusted code, because due to the sandbox that code could never
> perform harmful operations. The Flymake backend would then use the
> high-level sandbox functions to asynchronously start byte compilation
> in a sandbox. The start-sandbox function in turn would launch an Emacs
> subprocess using bwrap or similar to set up appropriate mount
> namespaces and apply a Seccomp filter (in the GNU/Linux case).

Thanks.  I think I understand the general idea, but not how to
translate that into real life.

"Performing computations" in Emacs corresponds to invoking gobs of
system interfaces, and if we are going to filter most of them, I fear
we will get a dysfunctional Emacs.  E.g., cursor blinking requires
accessing the system time, displaying a busy cursor requires interval
timers, profiling requires signals, and you cannot do anything in
Emacs without being able to allocate memory.  If we leave Emacs only
with capabilities to read and write to a couple of descriptors, how
will the result be useful?  Even if Flymake byte compilation can live
in such a sandbox (and I'm not yet certain it can), is that the most
important situation where untrusted code could be run by Emacs?
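An added example, not code from the Emacs patch or from anyone in this thread: a seccomp-BPF syscall allowlist of the kind a GNU/Linux start-sandbox helper could hand to the byte-compiling subprocess, built from the interfaces the message above says Emacs cannot do without (system time, interval timers, signals, memory allocation) plus read/write on descriptors the parent already opened. Every other syscall fails with EPERM rather than killing the process, so the sandboxed Emacs can report what it was denied; only a call arriving under a foreign ABI is killed outright. The syscall list, the function names and the EPERM default are assumptions of this example, not a policy the thread agreed on; a real allowlist would be derived by tracing the subprocess. The block also carries a small offline evaluator so the policy can be checked without installing it.

```c
/* Added example (not Emacs code): a seccomp-BPF allowlist for a sandboxed
   byte-compiler subprocess. Linux only; needs the kernel UAPI headers. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS            /* older UAPI headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef SECCOMP_RET_ACTION_FULL
#define SECCOMP_RET_ACTION_FULL 0xffff0000U
#endif

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Assumed minimum for the byte-compiler use case: I/O on inherited
   descriptors, memory, time and timers, signals, clean exit. */
static const int allowed[] = {
    SYS_read, SYS_write, SYS_close, SYS_fstat, SYS_lseek,
#ifdef SYS_newfstatat
    SYS_newfstatat,                         /* glibc's fstat on some versions */
#endif
    SYS_mmap, SYS_munmap, SYS_mprotect, SYS_brk, SYS_madvise,
    SYS_clock_gettime, SYS_clock_nanosleep, SYS_nanosleep,
    SYS_timer_create, SYS_timer_settime, SYS_timer_delete,
    SYS_setitimer, SYS_getitimer,
    SYS_rt_sigaction, SYS_rt_sigprocmask, SYS_rt_sigreturn,
    SYS_exit, SYS_exit_group,
};
#define NALLOWED (sizeof allowed / sizeof allowed[0])
#define FILTER_LEN (5 + 2 * NALLOWED)

/* Emit the filter into out[]; returns the instruction count, 0 if cap is too small. */
size_t build_filter(struct sock_filter *out, size_t cap)
{
    if (cap < FILTER_LEN) return 0;
    size_t i = 0;
    /* Syscall numbers differ per ABI, so a foreign-ABI call is killed, not matched. */
    out[i++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    out[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < NALLOWED; j++) {
        /* On a match fall through to ALLOW; otherwise skip it and test the next entry. */
        out[i++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned) allowed[j], 0, 1);
        out[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* Default: refuse with EPERM so the subprocess survives and can report the denial. */
    out[i++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return i;
}

/* Offline evaluator for the three instruction forms build_filter emits:
   returns the SECCOMP_RET_* action for (arch, nr), or ~0U on unsupported code. */
unsigned run_filter(const struct sock_filter *p, size_t len, unsigned arch, int nr)
{
    unsigned acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &p[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            if (in->k == offsetof(struct seccomp_data, nr)) acc = (unsigned) nr;
            else if (in->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else return ~0U;
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += (acc == in->k) ? in->jt : in->jf;   /* target = pc + 1 + offset */
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k;
        } else {
            return ~0U;
        }
    }
    return ~0U;
}

/* What the policy does with syscall nr on the native ABI. */
unsigned decide(int nr)
{
    struct sock_filter prog[FILTER_LEN];
    size_t n = build_filter(prog, FILTER_LEN);
    return run_filter(prog, n, SANDBOX_ARCH, nr);
}

/* Install the filter in the calling process; this cannot be undone. */
int install_filter(void)
{
    struct sock_filter prog[FILTER_LEN];
    struct sock_fprog fprog = { .len = (unsigned short) build_filter(prog, FILTER_LEN), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    if (install_filter() != 0) { perror("seccomp"); return 1; }
    struct timespec ts;
    /* Allowed: reading the clock, which the message above notes even cursor blinking needs. */
    printf("clock_gettime -> %d\n", (int) syscall(SYS_clock_gettime, CLOCK_MONOTONIC, &ts));
    /* Denied: getpid is not on the list, so it returns -1 with errno EPERM. */
    errno = 0;
    long r = syscall(SYS_getpid);
    printf("getpid -> %ld (errno %d)\n", r, errno);
    return 0;
}
```

The raw `struct sock_filter` array that `build_filter` produces is the same format bwrap accepts on its `--seccomp FD` option, so a start-sandbox helper could write it to a pipe and pass that descriptor instead of calling `install_filter` itself. Two caveats a practitioner would check before trusting such a list: `clock_gettime` is usually served by the vDSO and never reaches the filter at all, so the time case costs nothing, and glibc routes `fstat` through different syscalls depending on its version, which is why the list carries `newfstatat` as well; an allowlist that was not derived from a trace of the actual subprocess will miss cases like that and show up exactly as the "dysfunctional Emacs" the message above worries about.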




This bug report was last modified 3 years and 7 days ago.
