bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#45198: 28.0.50; Sandbox mode

From: Philipp Stephani
Subject: bug#45198: 28.0.50; Sandbox mode
Date: Sat, 10 Apr 2021 21:11:04 +0200 
Am Sa., 19. Dez. 2020 um 23:22 Uhr schrieb Philipp Stephani
<p.stephani2@gmail.com>:
>
> Am Mo., 14. Dez. 2020 um 12:05 Uhr schrieb Philipp Stephani
> <p.stephani2@gmail.com>:
>
> > > >> - This will need someone else doing the implementation.
> > > > Looks like we already have a volunteer for macOS.
> > > > For Linux, this shouldn't be that difficult either. The sandbox needs
> > > > to install a mount namespace that only allows read access to Emacs's
> > > > installation directory plus any input file and write access to known
> > > > output files, and enable syscall filters that forbid everything except
> > > > a list of known-safe syscalls (especially exec). I can take a stab at
> > > > that, but I can't promise anything ;-)
> > >
> > > Looking forward to it.
> > >
> >
> > I've looked into this, and what I'd suggest for now is:
> > […]
> > 2. Generate appropriate seccomp filters using libseccomp or similar.
>
> Here's a patch for this step.

I've now pushed a variant of this patch as commit
1060289f51ee1bf269bb45940892eb272d35af97, after verifying that it
doesn't break the macOS or Windows builds.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]