bug#45198: 28.0.50; Sandbox mode

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#45198: 28.0.50; Sandbox mode

From:	Philipp Stephani
Subject:	bug#45198: 28.0.50; Sandbox mode
Date:	Sat, 19 Dec 2020 23:22:08 +0100

Am Mo., 14. Dez. 2020 um 12:05 Uhr schrieb Philipp Stephani
<p.stephani2@gmail.com>:

> > >> - This will need someone else doing the implementation.
> > > Looks like we already have a volunteer for macOS.
> > > For Linux, this shouldn't be that difficult either. The sandbox needs
> > > to install a mount namespace that only allows read access to Emacs's
> > > installation directory plus any input file and write access to known
> > > output files, and enable syscall filters that forbid everything except
> > > a list of known-safe syscalls (especially exec). I can take a stab at
> > > that, but I can't promise anything ;-)
> >
> > Looking forward to it.
> >
>
> I've looked into this, and what I'd suggest for now is:
> […]
> 2. Generate appropriate seccomp filters using libseccomp or similar.

Here's a patch for this step.

0002-Add-a-helper-binary-to-create-a-basic-Secure-Computi.patch
Description: Text Data

[Prev in Thread]

Current Thread

[Next in Thread]

bug#45198: 28.0.50; Sandbox mode, (continued)

Prev by Date: bug#44611: Prefix arg for xref-goto-xref
Next by Date: bug#44611: Prefix arg for xref-goto-xref
Previous by thread: bug#45198: 28.0.50; Sandbox mode
Next by thread: bug#45198: 28.0.50; Sandbox mode
Index(es):
- Date
- Thread