GNU bug report logs - #43071
Enable WebKit sandboxing

Package: emacs;

Reported by: Paul Eggert <eggert <at> cs.ucla.edu>

Date: Thu, 27 Aug 2020 13:15:02 UTC

Severity: normal

Tags: patch, security

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#43071; Package emacs. (Thu, 27 Aug 2020 13:15:02 GMT)

Acknowledgement sent to Paul Eggert <eggert <at> cs.ucla.edu>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Thu, 27 Aug 2020 13:15:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Emacs bug reports and feature requests <bug-gnu-emacs <at> gnu.org>
Cc: Robert Pluim <rpluim <at> gmail.com>,
 Jimmy Aguilar Mena <kratsbinovish <at> gmail.com>, Jaesup Kwak <veshboo <at> gmail.com>,
 Qiantan Hong <qhong <at> mit.edu>, Sungbin Jo <pcr910303 <at> icloud.com>
Subject: Enable WebKit sandboxing
Date: Thu, 27 Aug 2020 06:14:37 -0700
Qiantan Hong suggested that Emacs should enable sandboxing in WebKit, for all 
the usual security reasons. (Thanks, Qiantan!)

Attached is a proposed patch to implement that suggestion; it's a bit fancier 
than what Qiantan originally proposed in 
<https://lists.gnu.org/r/emacs-devel/2020-08/msg00896.html> because it checks 
that WebKit 2.26 or later is in use, and it avoids a duplicate call to 
webkit_web_context_get_default. I'm cc'ing this to Qiantan and to other recent 
committers to xwidget.c, to get their opinions.
[0001-Use-WebKit-sandboxing.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from Paul Eggert <eggert <at> cs.ucla.edu> to control <at> debbugs.gnu.org. (Thu, 27 Aug 2020 13:19:02 GMT)

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#43071; Package emacs. (Thu, 27 Aug 2020 13:43:02 GMT)

Message #10 received at 43071 <at> debbugs.gnu.org:

From: Stefan Kangas <stefankangas <at> gmail.com>
To: Paul Eggert <eggert <at> cs.ucla.edu>, 43071 <at> debbugs.gnu.org
Cc: Robert Pluim <rpluim <at> gmail.com>,
 Jimmy Aguilar Mena <kratsbinovish <at> gmail.com>, Jaesup Kwak <veshboo <at> gmail.com>,
 Qiantan Hong <qhong <at> mit.edu>, Sungbin Jo <pcr910303 <at> icloud.com>
Subject: Re: bug#43071: Enable WebKit sandboxing
Date: Thu, 27 Aug 2020 06:41:57 -0700
Paul Eggert <eggert <at> cs.ucla.edu> writes:

> Qiantan Hong suggested that Emacs should enable sandboxing in WebKit, for all
> the usual security reasons. (Thanks, Qiantan!)
>
> Attached is a proposed patch to implement that suggestion; it's a bit fancier
> than what Qiantan originally proposed in
> <https://lists.gnu.org/r/emacs-devel/2020-08/msg00896.html> because it checks
> that WebKit 2.26 or later is in use, and it avoids a duplicate call to
> webkit_web_context_get_default. I'm cc'ing this to Qiantan and to other recent
> committers to xwidget.c, to get their opinions.

Thanks Qiantan Hong and Paul Eggert.

Is this important enough to warrant backporting to emacs-26?




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#43071; Package emacs. (Thu, 27 Aug 2020 18:15:02 GMT)

Message #13 received at submit <at> debbugs.gnu.org:

From: Jimmy Aguilar Mena <kratsbinovish <at> gmail.com>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: Emacs bug reports and feature requests <bug-gnu-emacs <at> gnu.org>,
 Qiantan Hong <qhong <at> mit.edu>, Jaesup Kwak <veshboo <at> gmail.com>,
 Robert Pluim <rpluim <at> gmail.com>, Sungbin Jo <pcr910303 <at> icloud.com>
Subject: Re: Enable WebKit sandboxing
Date: Thu, 27 Aug 2020 20:14:25 +0200
It looks fine to me.

Maybe it should be added as a security patch for the 27.* branch.

On Thu, 27 Aug 2020 at 15:14, Paul Eggert <eggert <at> cs.ucla.edu> wrote:

> Qiantan Hong suggested that Emacs should enable sandboxing in WebKit, for all
> the usual security reasons. (Thanks, Qiantan!)
>
> Attached is a proposed patch to implement that suggestion; it's a bit fancier
> than what Qiantan originally proposed in
> <https://lists.gnu.org/r/emacs-devel/2020-08/msg00896.html> because it checks
> that WebKit 2.26 or later is in use, and it avoids a duplicate call to
> webkit_web_context_get_default. I'm cc'ing this to Qiantan and to other recent
> committers to xwidget.c, to get their opinions.
>

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#43071; Package emacs. (Thu, 27 Aug 2020 18:25:01 GMT)

Message #16 received at 43071 <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Stefan Kangas <stefankangas <at> gmail.com>, 43071 <at> debbugs.gnu.org
Cc: Robert Pluim <rpluim <at> gmail.com>,
 Jimmy Aguilar Mena <kratsbinovish <at> gmail.com>, Jaesup Kwak <veshboo <at> gmail.com>,
 Qiantan Hong <qhong <at> mit.edu>, Sungbin Jo <pcr910303 <at> icloud.com>
Subject: Re: bug#43071: Enable WebKit sandboxing
Date: Thu, 27 Aug 2020 11:24:09 -0700
On 8/27/20 6:41 AM, Stefan Kangas wrote:
> Is this important enough to warrant backporting to emacs-26?

I would think so, yes. It's security-relevant, and its effects should be limited 
to GNU/Linux distros that configure Emacs using --with-xwidgets.




Added tag(s) security. Request was from Stefan Kangas <stefan <at> marxist.se> to control <at> debbugs.gnu.org. (Thu, 27 Aug 2020 18:45:02 GMT)

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#43071; Package emacs. (Tue, 29 Sep 2020 17:45:01 GMT)

Message #21 received at 43071 <at> debbugs.gnu.org:

From: Qiantan Hong <qhong <at> mit.edu>
To: "43071 <at> debbugs.gnu.org" <43071 <at> debbugs.gnu.org>
Subject: bug#43071: Enable WebKit sandboxing
Date: Tue, 29 Sep 2020 16:22:07 +0000
Just a follow up, what’s the status on this patch?

Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Sun, 25 Oct 2020 00:28:02 GMT)

Notification sent to Paul Eggert <eggert <at> cs.ucla.edu>:
bug acknowledged by developer. (Sun, 25 Oct 2020 00:28:02 GMT)

Message #26 received at 43071-done <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Stefan Kangas <stefankangas <at> gmail.com>, 43071-done <at> debbugs.gnu.org
Cc: 44204 <at> debbugs.gnu.org, Qiantan Hong <qhong <at> mit.edu>,
 Jaesup Kwak <veshboo <at> gmail.com>, Robert Pluim <rpluim <at> gmail.com>,
 Jimmy Aguilar Mena <kratsbinovish <at> gmail.com>,
 Sungbin Jo <pcr910303 <at> icloud.com>
Subject: Re: bug#43071: Enable WebKit sandboxing
Date: Sat, 24 Oct 2020 17:27:08 -0700
No further comment, so I installed the WebKit sandboxing patch into the emacs-27 
branch on Savannah 
<https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-27&id=71661b287297f328c2c5ad67e180a760f80850cb>. 
After the next merge from emacs-27 to master, this patch should appear in the 
master branch. I am closing Bug#43071.

While testing the fix, I ran into a problem with xwidgets and filed Bug#44204 
"Emacs --with-xwidgets complains under Ubuntu 20.04" which you can see here:

https://bugs.gnu.org/44204

Has anyone had luck running Emacs --with-xwidgets under Ubuntu 20.04 or later? 
I'll cc. this to 44204 <at> debbugs.gnu.org to try to move that part of the 
discussion there.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 22 Nov 2020 12:24:07 GMT)

This bug report was last modified 3 years and 126 days ago.