Add a variant of the Seccomp filter file that allows 'execve'.

This is useful when starting Emacs with a Seccomp filter enabled, e.g. using 'bwrap'. * lib-src/seccomp-filter.c (main): Generate new Seccomp files. * lib-src/Makefile.in (all) (seccomp-filter.bpf seccomp-filter.pfc seccomp-filter-exec.bpf seccomp-filter-exec.pfc): Generate new Seccomp files. * .gitignore: Ignore new Seccomp files. * test/src/emacs-tests.el (emacs-tests/bwrap/allows-stdout): New unit test.
author: Philipp Stephani 2021-04-11 19:47:36 +0200
committer: Philipp Stephani 2021-04-11 21:19:09 +0200
commit: c8d542fd593f06b85d4b7b712378a4f84ec4d2b3 (patch)
tree: c2368357e6a417f4d7441e8eec13ee1ffc71b2d2 /test/src
parent: cf0701eff0f3b06e0324be07f7810cbaf261f7f3 (diff)
download: emacs-c8d542fd593f06b85d4b7b712378a4f84ec4d2b3.tar.gz
emacs-c8d542fd593f06b85d4b7b712378a4f84ec4d2b3.zip
2 files changed, 34 insertions, 0 deletions
diff --git a/test/src/emacs-resources/seccomp-filter-exec.bpf b/test/src/emacs-resources/seccomp-filter-exec.bpf
new file mode 120000
index 00000000000..5b0e9978221
--- /dev/null
+++ b/test/src/emacs-resources/seccomp-filter-exec.bpf
@@ -0,0 +1 @@
+../../../lib-src/seccomp-filter-exec.bpf
+\ No newline at end of file
diff --git a/test/src/emacs-tests.el b/test/src/emacs-tests.el
index 89d811f8b4e..09f9a248efb 100644
--- a/test/src/emacs-tests.el
+++ b/test/src/emacs-tests.el
@@ -177,4 +177,37 @@ to `make-temp-file', which see."
        (ert-info ((format "Process output: %s" (buffer-string)))
          (should-not (eql status 0)))))))
+(ert-deftest emacs-tests/bwrap/allows-stdout ()
+  (let ((bash (executable-find "bash"))
+        (bwrap (executable-find "bwrap"))
+        (emacs
+         (expand-file-name invocation-name invocation-directory))
+        (filter (ert-resource-file "seccomp-filter-exec.bpf"))
+        (process-environment nil))
+    (skip-unless bash)
+    (skip-unless bwrap)
+    (skip-unless (file-executable-p emacs))
+    (skip-unless (file-readable-p filter))
+    (should-not (file-remote-p bwrap))
+    (should-not (file-remote-p emacs))
+    (should-not (file-remote-p filter))
+    (with-temp-buffer
+      (let* ((command
+              (concat
+               (mapconcat #'shell-quote-argument
+                          `(,(file-name-unquote bwrap)
+                            "--ro-bind" "/" "/"
+                            "--seccomp" "20"
+                            "--"
+                            ,(file-name-unquote emacs)
+                            "--quick" "--batch"
+                            ,(format "--eval=%S" '(message "Hi")))
+                          " ")
+               " 20< "
+               (shell-quote-argument (file-name-unquote filter))))
+             (status (call-process bash nil t nil "-c" command)))
+        (ert-info ((format "Process output: %s" (buffer-string)))
+          (should (eql status 0)))
+        (should (equal (string-trim (buffer-string)) "Hi"))))))
 ;;; emacs-tests.el ends here
author	Philipp Stephani	2021-04-11 19:47:36 +0200
committer	Philipp Stephani	2021-04-11 21:19:09 +0200
commit	c8d542fd593f06b85d4b7b712378a4f84ec4d2b3 (patch)
tree	c2368357e6a417f4d7441e8eec13ee1ffc71b2d2 /test/src
parent	cf0701eff0f3b06e0324be07f7810cbaf261f7f3 (diff)
download	emacs-c8d542fd593f06b85d4b7b712378a4f84ec4d2b3.tar.gz emacs-c8d542fd593f06b85d4b7b712378a4f84ec4d2b3.zip

diff --git a/test/src/emacs-resources/seccomp-filter-exec.bpf b/test/src/emacs-resources/seccomp-filter-exec.bpf new file mode 120000 index 00000000000..5b0e9978221 --- /dev/null +++ b/test/src/emacs-resources/seccomp-filter-exec.bpf
@@ -0,0 +1 @@
			../../../lib-src/seccomp-filter-exec.bpf \ No newline at end of file


diff --git a/test/src/emacs-tests.el b/test/src/emacs-tests.el index 89d811f8b4e..09f9a248efb 100644 --- a/test/src/emacs-tests.el +++ b/test/src/emacs-tests.el
@@ -177,4 +177,37 @@ to `make-temp-file', which see."
177	(ert-info ((format "Process output: %s" (buffer-string)))	177	(ert-info ((format "Process output: %s" (buffer-string)))
178	(should-not (eql status 0)))))))	178	(should-not (eql status 0)))))))
179		179
		180	(ert-deftest emacs-tests/bwrap/allows-stdout ()
		181	(let ((bash (executable-find "bash"))
		182	(bwrap (executable-find "bwrap"))
		183	(emacs
		184	(expand-file-name invocation-name invocation-directory))
		185	(filter (ert-resource-file "seccomp-filter-exec.bpf"))
		186	(process-environment nil))
		187	(skip-unless bash)
		188	(skip-unless bwrap)
		189	(skip-unless (file-executable-p emacs))
		190	(skip-unless (file-readable-p filter))
		191	(should-not (file-remote-p bwrap))
		192	(should-not (file-remote-p emacs))
		193	(should-not (file-remote-p filter))
		194	(with-temp-buffer
		195	(let* ((command
		196	(concat
		197	(mapconcat #'shell-quote-argument
		198	`(,(file-name-unquote bwrap)
		199	"--ro-bind" "/" "/"
		200	"--seccomp" "20"
		201	"--"
		202	,(file-name-unquote emacs)
		203	"--quick" "--batch"
		204	,(format "--eval=%S" '(message "Hi")))
		205	" ")
		206	" 20< "
		207	(shell-quote-argument (file-name-unquote filter))))
		208	(status (call-process bash nil t nil "-c" command)))
		209	(ert-info ((format "Process output: %s" (buffer-string)))
		210	(should (eql status 0)))
		211	(should (equal (string-trim (buffer-string)) "Hi"))))))
		212
180	;;; emacs-tests.el ends here	213	;;; emacs-tests.el ends here