bug#45198: 28.0.50; Sandbox mode

[Philipp Stephani]

Am Sa., 19. Dez. 2020 um 19:18 Uhr schrieb Philipp Stephani
<p.stephani2@gmail.com>:
>
> Am Mo., 14. Dez. 2020 um 12:05 Uhr schrieb Philipp Stephani
> <p.stephani2@gmail.com>:
> >
> > > >> - This will need someone else doing the implementation.
> > > > Looks like we already have a volunteer for macOS.
> > > > For Linux, this shouldn't be that difficult either. The sandbox needs
> > > > to install a mount namespace that only allows read access to Emacs's
> > > > installation directory plus any input file and write access to known
> > > > output files, and enable syscall filters that forbid everything except
> > > > a list of known-safe syscalls (especially exec). I can take a stab at
> > > > that, but I can't promise anything ;-)
> > >
> > > Looking forward to it.
> > >
> >
> > I've looked into this, and what I'd suggest for now is:
> > 1. Add a --seccomp=FILE command-line option that loads seccomp filters
> > from FILE and applies them directly after startup (first thing in
> > main). Why do this in Emacs? Because that's the easiest way to prevent
> > execve. When installing a seccomp filter in a separate process, execve
> > needs to be allowed because otherwise there'd be no way to execute the
> > Emacs binary. While there are workarounds (ptrace, LD_PRELOAD), it's
> > easiest to install the seccomp filter directly in the Emacs process.
>
> I've attached a patch for this.

I've verified that a slight variant of this patch doesn't break either
the Windows or macOS builds, and pushed it to master as commit
be8328acf9aa464f848e682e63e417a18529af9e.