Tue, 13 Apr 2021 17:35:32 +0300
I'm not sure I understand the user-level aspects of this feature. Or
is this not a user-level feature?
The NEWS entry says:
** Emacs now supports loading a Secure Computing filter.
This is supported only on capable GNU/Linux systems. To activate,
invoke Emacs with the '--seccomp=FILE' command-line option. FILE must
name a binary file containing an array of 'struct sock_filter'
structures. Emacs will then install that list of Secure Computing
filters into its own process early during the startup process. You
can use this functionality to put an Emacs process in a sandbox to
avoid security issues when executing untrusted code. See the manual
page for 'seccomp' system call, for details about Secure Computing
Let's say I have an untrusted Lisp package that I want to sandbox --
what is the procedure to follow?
AFAIU, just running Emacs in seccomp mode is maybe safe, but not very
useful: Emacs will be almost instantly killed, as soon as the suspect
package tries to do anything at all. Right?
This means I would need to prepare a filter file. But how to know
which system calls to allow and under what conditions, given a Lisp
source code of a particular package? And how to proceed with building
the filter file even if I know which syscalls I want to block?
I have read the seccomp man pages, but these questions are still
unanswered. I wonder how we will be able to document this facility
when the time comes.
Eli Zaretskii
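As an added example (not code from Emacs or from the message above), this is one way to produce the file the NEWS entry describes: a C program that assembles a classic-BPF allow-list, kills the process on any other system call, and writes the raw array of 'struct sock_filter' that '--seccomp=FILE' expects. The allow-list contents, the x86-64 architecture check and the output path are assumptions; Linux kernel headers are required.

```c
/* Added example, not code from Emacs or from the message above: build a
   minimal seccomp allow-list filter and write it as a raw array of
   'struct sock_filter', the layout the NEWS entry says --seccomp=FILE reads.
   Assumes Linux kernel headers and an x86-64 host. */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/syscall.h>
#ifndef SECCOMP_RET_KILL_PROCESS            /* headers older than 4.14 */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
#define ARCH_NR AUDIT_ARCH_X86_64           /* assumption: x86-64 */
/* Constructed allow-list for illustration only; a filter for a real Emacs
   session must include every syscall Emacs itself makes (trace it first). */
static const int allowed[] = { SYS_read, SYS_write, SYS_brk, SYS_mmap,
                               SYS_munmap, SYS_rt_sigreturn, SYS_exit, SYS_exit_group };
#define N_ALLOWED (sizeof allowed / sizeof allowed[0])

/* Fill OUT (capacity CAP) with the program; return instruction count or -1. */
int build_filter(struct sock_filter *out, size_t cap)
{
    size_t n = 0, i;
    if (cap < N_ALLOWED + 6) return -1;
    /* 0-2: kill if the syscall ABI is not the one the numbers below belong to */
    out[n++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[n++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* 3: load the syscall number; 4..: one compare per allowed syscall */
    out[n++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < N_ALLOWED; i++)   /* jt skips over the KILL to the final ALLOW */
        out[n++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], N_ALLOWED - i, 0);
    out[n++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS); /* default deny */
    out[n++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int) n;
}

/* Write the raw instruction array to PATH; return bytes written or -1. */
long write_filter(const char *path)
{
    struct sock_filter prog[64];
    int n = build_filter(prog, sizeof prog / sizeof prog[0]);
    if (n < 0) return -1;
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(prog, sizeof prog[0], (size_t) n, f);
    if (fclose(f) != 0 || w != (size_t) n) return -1;
    return (long) (w * sizeof prog[0]);
}
```

Pass the written path to Emacs as '--seccomp=FILE'; since the filter is an allow-list, any syscall missing from it kills the process, which is exactly why the list must be derived from what Emacs itself needs before sandboxing a package.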