Add support for --seccomp command-line option.scratch/seccomp-emacs-open

When passing this option on GNU/Linux, Emacs installs a Secure Computing kernel system call filter. See Bug#45198. * configure.ac: Check for seccomp header. * src/emacs.c (usage_message): Document --seccomp option. (emacs_seccomp): New wrapper for 'seccomp' syscall. (load_seccomp, maybe_load_seccomp): New helper functions. (main): Potentially load seccomp filters during startup. (standard_args): Add --seccomp option. * lisp/startup.el (command-line): Detect and ignore --seccomp option. * test/src/emacs-tests.el (emacs-tests/seccomp/absent-file) (emacs-tests/seccomp/empty-file) (emacs-tests/seccomp/file-too-large) (emacs-tests/seccomp/invalid-file-size): New unit tests. (emacs-tests--with-temp-file): New helper macro. * etc/NEWS: Document new --seccomp option.
author: Philipp Stephani 2020-12-14 21:25:11 +0100
committer: Philipp Stephani 2021-04-10 18:47:26 +0200
commit: be8328acf9aa464f848e682e63e417a18529af9e (patch)
tree: b7f8191920af5e326b2a2feac9ddbeb8551fadba /test
parent: 53dfd85a7f971875e716a55f010ee508bce89eed (diff)
download: emacs-scratch/seccomp-emacs-open.tar.gz
emacs-scratch/seccomp-emacs-open.zip
1 files changed, 131 insertions, 0 deletions
diff --git a/test/src/emacs-tests.el b/test/src/emacs-tests.el
new file mode 100644
index 00000000000..7618a9c6752
--- /dev/null
+++ b/test/src/emacs-tests.el
@@ -0,0 +1,131 @@
+;;; emacs-tests.el --- unit tests for emacs.c -*- lexical-binding: t; -*-
+;; Copyright (C) 2020  Free Software Foundation, Inc.
+;; This file is part of GNU Emacs.
+;; GNU Emacs is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU General Public License as published
+;; by the Free Software Foundation, either version 3 of the License,
+;; or (at your option) any later version.
+;; GNU Emacs is distributed in the hope that it will be useful, but
+;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+;; General Public License for more details.
+;; You should have received a copy of the GNU General Public License
+;; along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.
+;;; Commentary:
+;; Unit tests for src/emacs.c.
+;;; Code:
+(require 'cl-lib)
+(require 'ert)
+(require 'rx)
+(ert-deftest emacs-tests/seccomp/absent-file ()
+  (skip-unless (string-match-p (rx bow "SECCOMP" eow)
+                               system-configuration-features))
+  (let ((emacs
+         (expand-file-name invocation-name invocation-directory))
+        (process-environment nil))
+    (skip-unless (file-executable-p emacs))
+    (should-not (file-exists-p "/does-not-exist.bpf"))
+    (should-not
+     (eql (call-process emacs nil nil nil
+                        "--quick" "--batch"
+                        "--seccomp=/does-not-exist.bpf")
+          0))))
+(cl-defmacro emacs-tests--with-temp-file
+    (var (prefix &optional suffix text) &rest body)
+  "Evaluate BODY while a new temporary file exists.
+Bind VAR to the name of the file.  Pass PREFIX, SUFFIX, and TEXT
+to `make-temp-file', which see."
+  (declare (indent 2) (debug (symbolp (form form form) body)))
+  (cl-check-type var symbol)
+  ;; Use an uninterned symbol so that the code still works if BODY
+  ;; changes VAR.
+  (let ((filename (make-symbol "filename")))
+    `(let ((,filename (make-temp-file ,prefix nil ,suffix ,text)))
+       (unwind-protect
+           (let ((,var ,filename))
+             ,@body)
+         (delete-file ,filename)))))
+(ert-deftest emacs-tests/seccomp/empty-file ()
+  (skip-unless (string-match-p (rx bow "SECCOMP" eow)
+                               system-configuration-features))
+  (let ((emacs
+         (expand-file-name invocation-name invocation-directory))
+        (process-environment nil))
+    (skip-unless (file-executable-p emacs))
+    (emacs-tests--with-temp-file filter ("seccomp-invalid-" ".bpf")
+      ;; The --seccomp option is processed early, without filename
+      ;; handlers.  Therefore remote or quoted filenames wouldn't
+      ;; work.
+      (should-not (file-remote-p filter))
+      (cl-callf file-name-unquote filter)
+      ;; According to the Seccomp man page, a filter must have at
+      ;; least one element, so Emacs should reject an empty file.
+      (should-not
+       (eql (call-process emacs nil nil nil
+                          "--quick" "--batch"
+                          (concat "--seccomp=" filter))
+            0)))))
+(ert-deftest emacs-tests/seccomp/file-too-large ()
+  (skip-unless (string-match-p (rx bow "SECCOMP" eow)
+                               system-configuration-features))
+  (let ((emacs
+         (expand-file-name invocation-name invocation-directory))
+        (process-environment nil)
+        ;; This value should be correct on all supported systems.
+        (ushort-max #xFFFF)
+        ;; Either 8 or 16, but 16 should be large enough in all cases.
+        (filter-size 16))
+    (skip-unless (file-executable-p emacs))
+    (emacs-tests--with-temp-file
+        filter ("seccomp-too-large-" ".bpf"
+                (make-string (* (1+ ushort-max) filter-size) ?a))
+      ;; The --seccomp option is processed early, without filename
+      ;; handlers.  Therefore remote or quoted filenames wouldn't
+      ;; work.
+      (should-not (file-remote-p filter))
+      (cl-callf file-name-unquote filter)
+      ;; The filter count must fit into an `unsigned short'.  A bigger
+      ;; file should be rejected.
+      (should-not
+       (eql (call-process emacs nil nil nil
+                          "--quick" "--batch"
+                          (concat "--seccomp=" filter))
+            0)))))
+(ert-deftest emacs-tests/seccomp/invalid-file-size ()
+  (skip-unless (string-match-p (rx bow "SECCOMP" eow)
+                               system-configuration-features))
+  (let ((emacs
+         (expand-file-name invocation-name invocation-directory))
+        (process-environment nil))
+    (skip-unless (file-executable-p emacs))
+    (emacs-tests--with-temp-file filter ("seccomp-invalid-" ".bpf"
+                                         "123456")
+      ;; The --seccomp option is processed early, without filename
+      ;; handlers.  Therefore remote or quoted filenames wouldn't
+      ;; work.
+      (should-not (file-remote-p filter))
+      (cl-callf file-name-unquote filter)
+      ;; The Seccomp filter file must have a file size that's a
+      ;; multiple of the size of struct sock_filter, which is 8 or 16,
+      ;; but never 6.
+      (should-not
+       (eql (call-process emacs nil nil nil
+                          "--quick" "--batch"
+                          (concat "--seccomp=" filter))
+            0)))))
+;;; emacs-tests.el ends here
author	Philipp Stephani	2020-12-14 21:25:11 +0100
committer	Philipp Stephani	2021-04-10 18:47:26 +0200
commit	be8328acf9aa464f848e682e63e417a18529af9e (patch)
tree	b7f8191920af5e326b2a2feac9ddbeb8551fadba /test
parent	53dfd85a7f971875e716a55f010ee508bce89eed (diff)
download	emacs-scratch/seccomp-emacs-open.tar.gz emacs-scratch/seccomp-emacs-open.zip

diff --git a/test/src/emacs-tests.el b/test/src/emacs-tests.el new file mode 100644 index 00000000000..7618a9c6752 --- /dev/null +++ b/test/src/emacs-tests.el
@@ -0,0 +1,131 @@
	1	;;; emacs-tests.el --- unit tests for emacs.c -- lexical-binding: t; --
	2
	3	;; Copyright (C) 2020 Free Software Foundation, Inc.
	4
	5	;; This file is part of GNU Emacs.
	6
	7	;; GNU Emacs is free software: you can redistribute it and/or modify
	8	;; it under the terms of the GNU General Public License as published
	9	;; by the Free Software Foundation, either version 3 of the License,
	10	;; or (at your option) any later version.
	11
	12	;; GNU Emacs is distributed in the hope that it will be useful, but
	13	;; WITHOUT ANY WARRANTY; without even the implied warranty of
	14	;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	15	;; General Public License for more details.
	16
	17	;; You should have received a copy of the GNU General Public License
	18	;; along with GNU Emacs. If not, see <https://www.gnu.org/licenses/>.
	19
	20	;;; Commentary:
	21
	22	;; Unit tests for src/emacs.c.
	23
	24	;;; Code:
	25
	26	(require 'cl-lib)
	27	(require 'ert)
	28	(require 'rx)
	29
	30	(ert-deftest emacs-tests/seccomp/absent-file ()
	31	(skip-unless (string-match-p (rx bow "SECCOMP" eow)
	32	system-configuration-features))
	33	(let ((emacs
	34	(expand-file-name invocation-name invocation-directory))
	35	(process-environment nil))
	36	(skip-unless (file-executable-p emacs))
	37	(should-not (file-exists-p "/does-not-exist.bpf"))
	38	(should-not
	39	(eql (call-process emacs nil nil nil
	40	"--quick" "--batch"
	41	"--seccomp=/does-not-exist.bpf")
	42	0))))
	43
	44	(cl-defmacro emacs-tests--with-temp-file
	45	(var (prefix &optional suffix text) &rest body)
	46	"Evaluate BODY while a new temporary file exists.
	47	Bind VAR to the name of the file. Pass PREFIX, SUFFIX, and TEXT
	48	to `make-temp-file', which see."
	49	(declare (indent 2) (debug (symbolp (form form form) body)))
	50	(cl-check-type var symbol)
	51	;; Use an uninterned symbol so that the code still works if BODY
	52	;; changes VAR.
	53	(let ((filename (make-symbol "filename")))
	54	`(let ((,filename (make-temp-file ,prefix nil ,suffix ,text)))
	55	(unwind-protect
	56	(let ((,var ,filename))
	57	,@body)
	58	(delete-file ,filename)))))
	59
	60	(ert-deftest emacs-tests/seccomp/empty-file ()
	61	(skip-unless (string-match-p (rx bow "SECCOMP" eow)
	62	system-configuration-features))
	63	(let ((emacs
	64	(expand-file-name invocation-name invocation-directory))
	65	(process-environment nil))
	66	(skip-unless (file-executable-p emacs))
	67	(emacs-tests--with-temp-file filter ("seccomp-invalid-" ".bpf")
	68	;; The --seccomp option is processed early, without filename
	69	;; handlers. Therefore remote or quoted filenames wouldn't
	70	;; work.
	71	(should-not (file-remote-p filter))
	72	(cl-callf file-name-unquote filter)
	73	;; According to the Seccomp man page, a filter must have at
	74	;; least one element, so Emacs should reject an empty file.
	75	(should-not
	76	(eql (call-process emacs nil nil nil
	77	"--quick" "--batch"
	78	(concat "--seccomp=" filter))
	79	0)))))
	80
	81	(ert-deftest emacs-tests/seccomp/file-too-large ()
	82	(skip-unless (string-match-p (rx bow "SECCOMP" eow)
	83	system-configuration-features))
	84	(let ((emacs
	85	(expand-file-name invocation-name invocation-directory))
	86	(process-environment nil)
	87	;; This value should be correct on all supported systems.
	88	(ushort-max #xFFFF)
	89	;; Either 8 or 16, but 16 should be large enough in all cases.
	90	(filter-size 16))
	91	(skip-unless (file-executable-p emacs))
	92	(emacs-tests--with-temp-file
	93	filter ("seccomp-too-large-" ".bpf"
	94	(make-string (* (1+ ushort-max) filter-size) ?a))
	95	;; The --seccomp option is processed early, without filename
	96	;; handlers. Therefore remote or quoted filenames wouldn't
	97	;; work.
	98	(should-not (file-remote-p filter))
	99	(cl-callf file-name-unquote filter)
	100	;; The filter count must fit into an `unsigned short'. A bigger
	101	;; file should be rejected.
	102	(should-not
	103	(eql (call-process emacs nil nil nil
	104	"--quick" "--batch"
	105	(concat "--seccomp=" filter))
	106	0)))))
	107
	108	(ert-deftest emacs-tests/seccomp/invalid-file-size ()
	109	(skip-unless (string-match-p (rx bow "SECCOMP" eow)
	110	system-configuration-features))
	111	(let ((emacs
	112	(expand-file-name invocation-name invocation-directory))
	113	(process-environment nil))
	114	(skip-unless (file-executable-p emacs))
	115	(emacs-tests--with-temp-file filter ("seccomp-invalid-" ".bpf"
	116	"123456")
	117	;; The --seccomp option is processed early, without filename
	118	;; handlers. Therefore remote or quoted filenames wouldn't
	119	;; work.
	120	(should-not (file-remote-p filter))
	121	(cl-callf file-name-unquote filter)
	122	;; The Seccomp filter file must have a file size that's a
	123	;; multiple of the size of struct sock_filter, which is 8 or 16,
	124	;; but never 6.
	125	(should-not
	126	(eql (call-process emacs nil nil nil
	127	"--quick" "--batch"
	128	(concat "--seccomp=" filter))
	129	0)))))
	130
	131	;;; emacs-tests.el ends here