Date: Tue, 15 Aug 2023 00:16:07 +0300 (MSK)
From: Alexander Monakov
To: Siddhesh Poyarekar
cc: David Edelsohn, GCC Patches, Carlos O'Donell, richard.sandiford@arm.com
Subject: Re: [RFC] GCC Security policy
In-Reply-To: <5f0e849e-92bf-8b4d-caff-602e37a0b75e@gotplt.org>
Message-ID: <94529934-59a1-84e6-b93e-cd3e3ad82707@ispras.ru>
References: <97b01db2-d1bf-9859-f75e-452e677ffe63@gotplt.org> <5f0e849e-92bf-8b4d-caff-602e37a0b75e@gotplt.org>

On Mon, 14 Aug 2023, Siddhesh Poyarekar wrote:

> 1. It makes it clear to users of the project the scope in which the project
> could be used and what safety it could reasonably expect from the project. In
> the context of GCC for example, it cannot expect the compiler to do a safety
> check of untrusted sources; the compiler will consider #include "/etc/passwd"
> just as valid code as #include and as a result, the onus is on the
> user environment to validate the input sources for safety.

Whoa, no.
We shouldn't make such statements unless we are prepared to explain to users
how such validation can be practically implemented, which I'm sure we cannot
in this case, due to future extensions such as the #embed directive, and the
ability to obfuscate filenames using the preprocessor.

I think it would be more honest to say that crafted sources can result in
arbitrary code execution with the privileges of the user invoking the
compiler, and hence the operator may want to ensure that no sensitive data is
available to that user (via measures ranging from plain UNIX permissions, to
chroots, to virtual machines, to air-gapped computers, depending on threat
model).

Resource consumption is another good reason to sandbox compilers.

Alexander
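As an added illustration of the operator-side measures the reply argues for (it is not code from this thread or from the GCC project), the following Python wrapper runs a compiler command line with the invoking user's environment scrubbed, a throwaway working directory, and hard CPU, output-size and wall-clock limits, so a crafted or pathological source can neither read the caller's environment secrets nor consume resources without bound. It assumes a POSIX host (the `resource` module is Linux/macOS only); the limit values, the `ALLOWED_ENV` whitelist and the demo functions, which use the Python interpreter as a stand-in for the compiler, are constructed placeholders rather than anything the thread prescribes.

```python
"""Confined compiler invocation: added example, not GCC project code.

Assumes a POSIX host. Limit values and the environment whitelist are
placeholder policy choices, not values taken from the discussion.
"""
import os
import resource
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional

# Variables allowed to reach the compiler; anything else in the caller's
# environment (tokens, credentials, proxy settings) is dropped.
ALLOWED_ENV = ("PATH", "LANG", "LC_ALL", "TMPDIR")


@dataclass
class ConfinedResult:
    returncode: Optional[int]   # None when the wall-clock limit fired
    timed_out: bool
    stdout: str
    stderr: str

    @property
    def ok(self) -> bool:
        return not self.timed_out and self.returncode == 0


def scrubbed_env(source=None):
    """Return a minimal environment derived from `source` (default: os.environ)."""
    source = os.environ if source is None else source
    env = {k: v for k, v in source.items() if k in ALLOWED_ENV}
    env.setdefault("PATH", "/usr/bin:/bin")
    return env


def _cap(which, value):
    """Lower rlimit `which` to `value`, never above the existing hard limit."""
    _soft, hard = resource.getrlimit(which)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(which, (value, value))


def _limits(cpu_seconds, max_file_bytes):
    """Build the hook that applies rlimits in the child just before exec."""
    def apply():
        # Hard CPU cap: the kernel sends SIGXCPU and the job is terminated even
        # if it never yields to the wall-clock timeout.
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        # Bound the size of any file the compiler writes (objects, temporaries).
        _cap(resource.RLIMIT_FSIZE, max_file_bytes)
        # No core dumps: a crashing compiler must not leave memory images behind.
        _cap(resource.RLIMIT_CORE, 0)
    return apply


def _text(data, limit):
    """Decode captured output, truncated so a chatty job cannot flood the logs."""
    if not data:
        return ""
    return data[:limit].decode("utf-8", errors="replace")


def run_confined(argv, cpu_seconds=60, wall_seconds=120,
                 max_file_bytes=256 * 1024 * 1024, max_output_bytes=1 << 20):
    """Run `argv` in a fresh temporary directory with a scrubbed environment
    and CPU/file-size/wall-clock limits. Limit violations are reported in the
    result rather than raised."""
    with tempfile.TemporaryDirectory(prefix="confined-build-") as workdir:
        try:
            proc = subprocess.run(
                argv, cwd=workdir, env=scrubbed_env(),
                stdin=subprocess.DEVNULL, capture_output=True,
                timeout=wall_seconds,
                preexec_fn=_limits(cpu_seconds, max_file_bytes),
            )
        except subprocess.TimeoutExpired as exc:
            return ConfinedResult(None, True, _text(exc.stdout, max_output_bytes),
                                  _text(exc.stderr, max_output_bytes))
    return ConfinedResult(proc.returncode, False, _text(proc.stdout, max_output_bytes),
                          _text(proc.stderr, max_output_bytes))


# Demonstrations with the Python interpreter standing in for the compiler.
def demo_healthy():
    return run_confined([sys.executable, "-c", "print('hello')"])


def demo_runaway():
    # A job that never finishes: the 1-second CPU cap (or the wall clock) ends it.
    return run_confined([sys.executable, "-c", "while True: pass"],
                        cpu_seconds=1, wall_seconds=10)


def demo_env_isolation():
    # A constructed secret in the caller's environment must not reach the job.
    os.environ["LEAKY_TOKEN_TEST"] = "constructed-secret"
    res = run_confined([sys.executable, "-c",
                        "import os; print('LEAKY_TOKEN_TEST' in os.environ)"])
    return res.stdout.strip()


if __name__ == "__main__":
    print("healthy ok?", demo_healthy().ok)
    r = demo_runaway()
    print("runaway ok?", r.ok, "returncode:", r.returncode, "timed out:", r.timed_out)
    print("secret visible to job?", demo_env_isolation())
```

The wrapper does not make the compiler safe to feed untrusted input, which is the reply's point; it only bounds what a compromised compiler process can reach and consume. Running it as a dedicated unprivileged user, or inside a chroot or VM as the reply suggests, is the part a script alone cannot supply.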