Without this patch, Ubuntu 22.04.1 x86-64 "make check" reports a
failure in test/src/emacs-tests.el’s
emacs-tests/bwrap/allows-stdout. One can reproduce the bug
without using the Emacs executable, by running this script:

    #!/bin/bash
    export LC_ALL=C
    exec strace -f -o /tmp/tr bwrap --ro-bind / / --seccomp 20 -- \
      cat /dev/null 20< lib-src/seccomp-filter-exec.bpf

This script exits with status 159, because "cat" didn’t get
started (it got a SIGSYS signal early on).
The command "journalctl -g SECCOMP" indicated that rseq (syscall
334) was the problem. This syscall is issued by
/lib64/ld-linux-x86-64.so.2 before ‘main’ is called.
There’s another problem with the clone3 syscall, which is used by
pthread_create starting in glibc 2.34. pthread_create is called
by g_child_watch_source_new, which is called by
init_process_emacs.
* lib-src/seccomp-filter.c (main): Allow rseq, clone3. This
causes the test to pass. Perhaps a fancier, more accurate patch
could be written by someone who has the time.
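
Added example, not part of the Emacs commit or source tree: a small decoder for the kernel's SECCOMP audit records, the step behind the "journalctl -g SECCOMP" diagnosis above. The function names and the sample records are constructed for illustration; the record layout (kernel-log "type=1326" form and journald "SECCOMP" form) is an assumption about the host's logging setup.

```python
import re
from collections import Counter

# x86-64 numbers of the syscalls named in the commit messages on this page.
X86_64_SYSCALLS = {17: "pread64", 157: "prctl", 334: "rseq",
                   435: "clone3", 439: "faccessat2"}
AUDIT_ARCH_X86_64 = 0xC000003E
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not real logs), one per assumed layout.
SAMPLE = [
    'kernel: audit: type=1326 audit(1660000000.101:41): auid=1000 uid=1000 '
    'pid=4242 comm="cat" exe="/usr/bin/cat" sig=31 arch=c000003e '
    'syscall=334 compat=0 ip=0x7f0000001000 code=0x80000000',
    'audit[4243]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 '
    'pid=4243 comm="emacs" exe="/usr/bin/emacs" sig=31 arch=c000003e '
    'syscall=435 compat=0 ip=0x7f0000002000 code=0x80000000',
    'kernel: usb 1-1: new high-speed USB device number 2',
]

def parse_seccomp_record(line):
    """Decode one SECCOMP audit record; return None for any other line."""
    if "type=1326" not in line and " SECCOMP " not in line:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    try:
        arch, nr, sig = int(f["arch"], 16), int(f["syscall"]), int(f["sig"])
    except (KeyError, ValueError):
        return None  # truncated or malformed record
    name = X86_64_SYSCALLS.get(nr) if arch == AUDIT_ARCH_X86_64 else None
    return {"comm": f.get("comm", "?"), "syscall": nr,
            "name": name or f"unknown({nr})",
            # A shell reports 128 + signal number for a signal death.
            "exit_status": 128 + sig if sig else None}

def blocked_syscalls(lines):
    """Count filter violations per (command, syscall name)."""
    hits = Counter()
    for line in lines:
        rec = parse_seccomp_record(line)
        if rec:
            hits[(rec["comm"], rec["name"])] += 1
    return hits

if __name__ == "__main__":
    for (comm, name), n in sorted(blocked_syscalls(SAMPLE).items()):
        print(f"{comm}: {name} blocked {n} time(s)")
```

With sig=31 (SIGSYS) the decoded exit status is 159, matching the status the reproduction script reports.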

Prefer static_assert in just one file for now; the idea is to do
it elsewhere eventually. static_assert is standard (starting with
C23) whereas verify is not, and static_assert can be used even in
pre-C23 files due to Gnulib’s support for it.
* lib-src/seccomp-filter.c: Do not include verify.h.
Prefer static_assert to verify.

C23 is adding the C++ keywords bool, true, and false;
prefer them to <stdbool.h> if they are available.
* admin/merge-gnulib (GNULIB_MODULES):
Add stdbool, which emulates C23 on pre-C23 platforms.
(AVOIDED_MODULES): Remove stdbool; Gnulib has renamed
this module to stdbool-c99 and nobody uses it so it does
not need to be avoided.
* m4/c-bool.m4: New file, from Gnulib stdbool module.
* lib-src/seccomp-filter.c, src/conf_post.h, src/dynlib.h:
* src/emacs-module.c, src/nsterm.m, src/systhread.h:
* test/src/emacs-module-resources/mod-test.c:
Use the C23 style and use bool without including <stdbool.h>.
The Gnulib stdbool module causes config.h to include stdbool.h
on pre-C23 platforms.
* src/emacs-module.h.in:
Don’t include <stdbool.h> if C23 or later, or if
it has already been included.
This is because mod-test.c shouldn’t use source code from lib,
but it does need to include <config.h>.

* lib-src/ebrowse.c, lib-src/emacsclient.c, lib-src/etags.c:
* lib-src/make-docfile.c, lib-src/movemail.c:
* lib-src/seccomp-filter.c, src/dynlib.h, src/lisp.h:
* src/syssignal.h, src/sysstdio.h, src/systhread.h, src/tparam.h:
Include <attribute.h>.
* src/conf_post.h: Do not include <attribute.h>.
All uses of attribute.h macros replaced with their _GL_ equivalents.

* lib-src/seccomp-filter.c (main): Allow 'pread64' and 'faccessat2'
system calls. Newer versions of glibc use these system calls (starting
with commits 95c1056962a3f2297c94ce47f0eaf0c5b6563231 and
3d3ab573a5f3071992cbc4f57d50d1d29d55bde2, respectively).

On some systems, process startup calls prctl(PR_CAPBSET_READ) via
'cap_get_bound'. We can just return EINVAL.
* lib-src/seccomp-filter.c (main): Add a rule for
prctl(PR_CAPBSET_READ, ...).

Casting NULL is not a constant expression (Bug#47951).
* lib-src/seccomp-filter.c (main): Turn check for null pointer
representation into a runtime assertion.

This is useful when starting Emacs with a Seccomp filter enabled,
e.g. using 'bwrap'.
* lib-src/seccomp-filter.c (main): Generate new Seccomp files.
* lib-src/Makefile.in (all)
(seccomp-filter.bpf seccomp-filter.pfc seccomp-filter-exec.bpf
seccomp-filter-exec.pfc): Generate new Seccomp files.
* .gitignore: Ignore new Seccomp files.
* test/src/emacs-tests.el (emacs-tests/bwrap/allows-stdout): New unit
test.

The binary uses the 'seccomp' helper library. The library isn't
needed to load the generated Secure Computing filter.
* configure.ac: Check for 'seccomp' header and library.
* lib-src/seccomp-filter.c: New helper binary to generate a generic
Secure Computing filter for GNU/Linux.
* lib-src/Makefile.in (DONT_INSTALL): Add 'seccomp-filter' helper
binary if possible.
(all): Add Secure Computing filter file if possible.
(seccomp-filter$(EXEEXT)): Compile helper binary.
(seccomp-filter.bpf seccomp-filter.pfc): Generate filter files.
* test/src/emacs-tests.el (emacs-tests/seccomp/allows-stdout)
(emacs-tests/seccomp/forbids-subprocess): New unit tests.
* test/Makefile.in (src/emacs-tests.log): Add dependency on the helper
binary.