Date: Tue, 15 Aug 2023 08:59:20 +0300 (MSK)
From: Alexander Monakov
To: Siddhesh Poyarekar
cc: David Edelsohn, GCC Patches, Carlos O'Donell, richard.sandiford@arm.com
Subject: Re: [RFC] GCC Security policy
In-Reply-To: <141b257b-a45d-0afc-5391-acd9547d6806@gotplt.org>
Message-ID: <7462498c-3d65-a7bd-012e-2d9b200b0b1f@ispras.ru>
References: <97b01db2-d1bf-9859-f75e-452e677ffe63@gotplt.org> <5f0e849e-92bf-8b4d-caff-602e37a0b75e@gotplt.org> <94529934-59a1-84e6-b93e-cd3e3ad82707@ispras.ru> <141b257b-a45d-0afc-5391-acd9547d6806@gotplt.org>

On Mon, 14 Aug 2023, Siddhesh Poyarekar wrote:

> There's no practical (programmatic) way to do such validation; it has to be a
> manual audit, which is why source code passed to the compiler has to be
> *trusted*.

No, I do not think that is a logical conclusion. What is the problem with
passing untrusted code to a sandboxed compiler?

> Right, that's what we're essentially trying to convey in the security policy
> text. It doesn't go into mechanisms for securing execution (because that's
> really beyond the scope of the *project's* policy IMO) but it states
> unambiguously that input to the compiler must be trusted:
>
> """
> ... It is necessary that
> all source code inputs to the compiler are trusted, since it is
> impossible for the driver to validate input source code beyond
> conformance to a programming language standard...
> """

I see two issues with this. First, it reads as if people wishing to build
not-entirely-trusted sources need to seek some other compiler, as somehow we
seem to imply that sandboxing GCC is out of the question.

Second, I take issue with the last part of the quoted text (language
conformance): verifying standards conformance is also impossible (consider UB
that manifests only during linking or dynamic loading), so GCC is only doing
that on a best-effort basis with no guarantees.

Alexander