bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#45198: 28.0.50; Sandbox mode

From: Eli Zaretskii
Subject: bug#45198: 28.0.50; Sandbox mode
Date: Sun, 18 Apr 2021 12:23:20 +0300 
> From: Philipp Stephani <p.stephani2@gmail.com>
> Date: Sun, 18 Apr 2021 11:11:28 +0200
> Cc: Mattias Engdegård <mattiase@acm.org>, 
>       João Távora <joaotavora@gmail.com>, 
>       45198@debbugs.gnu.org, Stefan Kangas <stefankangas@gmail.com>, 
>       Stefan Monnier <monnier@iro.umontreal.ca>, Alan Third <alan@idiocy.org>
> 
> > > >  And what about users who make local changes
> > > > in their Emacs?
> > >
> > > They can provide their own Seccomp policies or modify the ones included 
> > > in Emacs.
> >
> > What does providing a policy entail? can you describe the procedure of
> > tailoring a policy to changes in the Emacs code?
> 
> 1. Run the Emacs sandbox with the code you want to run.
> 2. Emacs will crash with SIGSYS if it hits a forbidden/unknown
> syscall. Ensure that this generates a coredump.
> 3. Check the backtrace for the coredump (e.g. coredumpctl debug)
> and/or the Seccomp audit logs (ausearch) for the syscall that
> triggered the signal.
> 4. Add a rule for the syscall and its arguments to the BPF generation
> program, e.g. lib-src/seccom-filter.c.
> 5. Regenerate the BPF rule file.

Sounds complicated, and requires non-trivial low-level knowledge and
tools.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]