path: root/lib-src/seccomp-filter.c
Commit message | Author | Age
* Be more systematic about parens in C source code | Paul Eggert | 2024-01-20
  Be more systematic about putting space before paren in calls, and in avoiding unnecessary parentheses in macros. This was partly inspired by my wading through gcc -E output while debugging something else, and seeing too many parens. This patch does not change the generated .o files on my platform.
* ; Add 2024 to copyright years | Po Lu | 2024-01-02
* ; Add 2023 to copyright years. | Eli Zaretskii | 2023-01-01
* Support newer glib versions (Bug#59061) | Philipp Stephani | 2022-12-09
  * lib-src/seccomp-filter.c (main): Allow pidfd_open system call
* Add gettid to seccomp-filter | Philipp Stephani | 2022-10-11
  * lib-src/seccomp-filter.c (main): gettid is necessary on RHEL 9.0 (bug#56359).
* Port bwrap/allows-stdout test to Ubuntu 22.04.1 | Paul Eggert | 2022-10-10
  Without this patch, Ubuntu 22.04.1 x86-64 "make check" reports a failure in test/src/emacs-tests.el’s emacs-tests/bwrap/allows-stdout. One can reproduce the bug without using the Emacs executable, by running this script:

      #!/bin/bash
      export LC_ALL=C
      exec strace -f -o /tmp/tr bwrap --ro-bind / / --seccomp 20 -- \
        cat /dev/null 20< lib-src/seccomp-filter-exec.bpf

  This script exits with status 159, because "cat" didn’t get started (it got a SIGSYS signal early on). The command "journalctl -g SECCOMP" indicated that rseq (syscall 334) was the problem. This syscall is issued by /lib64/ld-linux-x86-64.so.2 before ‘main’ is called.
  There’s another problem with the clone3 syscall, which is used by pthread_create starting in glibc 2.34. pthread_create is called by g_child_watch_source_new, which is called by init_process_emacs.
  * lib-src/seccomp-filter.c (main): Allow rseq, clone3. This causes the test to pass. Perhaps a fancier, more accurate patch could be written by someone who has the time.
* Don’t truncate seccomp-filter diagnostic | Paul Eggert | 2022-10-02
  * lib-src/seccomp-filter.c (fail): Do not truncate diagnostic arbitrarily to 1000 bytes when ERROR is nonzero.
* Prefer static_assert to verify in seccomp-filter | Paul Eggert | 2022-10-02
  Prefer static_assert in just one file for now; the idea is to do it elsewhere eventually. static_assert is standard (starting with C23) whereas verify is not, and static_assert can be used even in pre-C23 files due to Gnulib’s support for it.
  * lib-src/seccomp-filter.c: Do not include verify.h. Prefer static_assert to verify.
* Port better to C23 bool+true+false keywords | Paul Eggert | 2022-09-28
  C23 is adding the C++ keywords bool, true, and false; prefer them to <stdbool.h> if they are available.
  * admin/merge-gnulib (GNULIB_MODULES): Add stdbool, which emulates C23 on pre-C23 platforms.
  (AVOIDED_MODULES): Remove stdbool; Gnulib has renamed this module to stdbool-c99 and nobody uses it so it does not need to be avoided.
  * m4/c-bool.m4: New file, from Gnulib stdbool module.
  * lib-src/seccomp-filter.c, src/conf_post.h, src/dynlib.h:
  * src/emacs-module.c, src/nsterm.m, src/systhread.h:
  * test/src/emacs-module-resources/mod-test.c: Use the C23 style and use bool without including <stdbool.h>. The Gnulib stdbool module causes config.h to include stdbool.h on pre-C23 platforms.
  * src/emacs-module.h.in: Don’t include <stdbool.h> if C23 or later, or if it has already been included.
* Do not include <attribute.h> from <config.h> | Paul Eggert | 2022-03-08
  This is because mod-test.c shouldn’t use source code from lib, but it does need to include <config.h>.
  * lib-src/ebrowse.c, lib-src/emacsclient.c, lib-src/etags.c:
  * lib-src/make-docfile.c, lib-src/movemail.c:
  * lib-src/seccomp-filter.c, src/dynlib.h, src/lisp.h:
  * src/syssignal.h, src/sysstdio.h, src/systhread.h, src/tparam.h: Include <attribute.h>.
  * src/conf_post.h: Do not include <attribute.h>. All uses of attribute.h macros replaced with their _GL_ equivalents.
* * lib-src/seccomp-filter.c (main): Use faccessat2 only if defined. | Andreas Schwab | 2022-03-05
* Seccomp: improve support for newer versions of glibc (Bug#51073) | Philipp Stephani | 2022-01-22
  * lib-src/seccomp-filter.c (main): Allow 'pread64' and 'faccessat2' system calls. Newer versions of glibc use these system calls (starting with commits 95c1056962a3f2297c94ce47f0eaf0c5b6563231 and 3d3ab573a5f3071992cbc4f57d50d1d29d55bde2, respectively).
* ; Add 2022 to copyright years. | Eli Zaretskii | 2022-01-01
* Fix Seccomp filter for newer GNU/Linux systems (Bug#51073). | Philipp Stephani | 2021-10-09
  On some systems, process startup calls prctl(PR_CAPBSET_READ) via 'cap_get_bound'. We can just return EINVAL.
  * lib-src/seccomp-filter.c (main): Add a rule for prctl(PR_CAPBSET_READ, ...).
* Improve compatibility with musl-libc (Bug#48789) | Philipp Stephani | 2021-08-29
  * lib-src/seccomp-filter.c (export_filter): Remove use of nonstandard macro TEMP_FAILURE_RETRY.
* Ensure that argument to 'verify' is a constant expression. | Philipp Stephani | 2021-04-22
  Casting NULL is not a constant expression (Bug#47951).
  * lib-src/seccomp-filter.c (main): Turn check for null pointer representation into a runtime assertion.
* Seccomp filter: deal with arch_prctl(ARCH_CET_STATUS, ...). | Philipp Stephani | 2021-04-19
  The dynamic loader of GNU libc 2.28 uses this system call to initialize CPU information, see https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/x86/cpu-features.c;hb=glibc-2.28#l28.
  Simulating an older kernel by returning EINVAL should be the most harmless rule here.
  The ARCH_CET_STATUS symbol isn't yet exposed by the kernel headers; see the FIXME at the top of https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/x86/include/asm/prctl.h;hb=glibc-2.28.
  * lib-src/seccomp-filter.c (ARCH_CET_STATUS): Define if not already present. Inline the value because there doesn't seem to be a header file exporting this constant yet.
  (main): Make ARCH_CET_STATUS subfunction of arch_prctl return EINVAL.
* Fix Seccomp filter on CentOS 8.3 (Bug#47828). | Philipp Stephani | 2021-04-18
  * lib-src/seccomp-filter.c (main): mmap: Also allow MAP_SHARED.
* * lib-src/seccomp-filter.c: Add missing headers. | Philipp Stephani | 2021-04-12
* Add a variant of the Seccomp filter file that allows 'execve'. | Philipp Stephani | 2021-04-11
  This is useful when starting Emacs with a Seccomp filter enabled, e.g. using 'bwrap'.
  * lib-src/seccomp-filter.c (main): Generate new Seccomp files.
  * lib-src/Makefile.in (all) (seccomp-filter.bpf seccomp-filter.pfc seccomp-filter-exec.bpf seccomp-filter-exec.pfc): Generate new Seccomp files.
  * .gitignore: Ignore new Seccomp files.
  * test/src/emacs-tests.el (emacs-tests/bwrap/allows-stdout): New unit test.
* * lib-src/seccomp-filter.c (main): Also allow O_NOFOLLOW. | Philipp Stephani | 2021-04-11
* Seccomp filter: allow reading the current time (Bug#47708). | Philipp Stephani | 2021-04-11
  * lib-src/seccomp-filter.c (main): Allow reading the current time.
* Remove SCMP_FLTATR_CTL_LOG attribute from Seccomp filter. | Philipp Stephani | 2021-04-11
  Whether or not we log failing syscalls isn't security-critical, and we shouldn't care.
  * lib-src/seccomp-filter.c (main): Remove log attribute.
* * lib-src/seccomp-filter.c: Print trailing newline. | Philipp Stephani | 2021-04-11
* ; Fix copyright years | Glenn Morris | 2021-04-10
* Add a helper binary to create a basic Secure Computing filter. | Philipp Stephani | 2021-04-10
  The binary uses the 'seccomp' helper library. The library isn't needed to load the generated Secure Computing filter.
  * configure.ac: Check for 'seccomp' header and library.
  * lib-src/seccomp-filter.c: New helper binary to generate a generic Secure Computing filter for GNU/Linux.
  * lib-src/Makefile.in (DONT_INSTALL): Add 'seccomp-filter' helper binary if possible.
  (all): Add Secure Computing filter file if possible.
  (seccomp-filter$(EXEEXT)): Compile helper binary.
  (seccomp-filter.bpf seccomp-filter.pfc): Generate filter files.
  * test/src/emacs-tests.el (emacs-tests/seccomp/allows-stdout) (emacs-tests/seccomp/forbids-subprocess): New unit tests.
  * test/Makefile.in (src/emacs-tests.log): Add dependency on the helper binary.