GNU bug report logs - #45198
28.0.50; Sandbox mode

Previous Next

Full log

Message #227 received at 45198 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: alan <at> idiocy.org, mattiase <at> acm.org, 45198 <at> debbugs.gnu.org, stefan <at> marxist.se,
 p.stephani2 <at> gmail.com, joaotavora <at> gmail.com
Subject: Re: bug#45198: 28.0.50; Sandbox mode
Date: Sat, 17 Apr 2021 21:15:40 +0300

> From: Stefan Monnier <monnier <at> iro.umontreal.ca>
> Cc: mattiase <at> acm.org,  joaotavora <at> gmail.com,  p.stephani2 <at> gmail.com,
>   stefan <at> marxist.se,  45198 <at> debbugs.gnu.org,  alan <at> idiocy.org
> Date: Sat, 17 Apr 2021 13:53:34 -0400
> 
> >> My primary target is `elisp-flymake--batch-compile-for-flymake`.
> > What does that mean in practice? what does that "target" require?
> 
> It needs to take untrusted ELisp code and run it (with no need for user
> interaction) in a way that doesn't introduce any security risk.

That's too general to allow any meaningful discussion, in particular
whether seccomp could be the basis for satisfying those requirements.

> Currently the code starts a new Emacs process in batch mode and lets it
> do whatever it wants, with all the security problems this entails.
> 
> Normally, this untrusted ELisp code (the one present within
> `eval-when-compile` and macros defined within the file) limits itself to
> quite simple sexp manipulation, so the sandboxing can be quite
> restrictive, disallowing things like user interaction, uses of
> subprocesses, or writing to files.

How is this different from byte-compiling some code, e.g. one
downloaded from some elpa?

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.