Subject: Re: [RFC] GCC Security policy
From: Siddhesh Poyarekar
To: Alexander Monakov, David Malcolm
Cc: David Edelsohn, GCC Patches, Carlos O'Donell
Date: Wed, 16 Aug 2023 07:39:38 -0400
Message-ID: <9c7cbcb3-ceb6-7066-735f-8f105045ce1f@gotplt.org>
In-Reply-To: <79d884c1-c629-e4fd-49f8-03a0ce270a6e@ispras.ru>
References: <97b01db2-d1bf-9859-f75e-452e677ffe63@gotplt.org> <79d884c1-c629-e4fd-49f8-03a0ce270a6e@ispras.ru>

On 2023-08-16 04:25, Alexander Monakov wrote:
> 
> On Tue, 15 Aug 2023, David Malcolm via Gcc-patches wrote:
> 
>> I'd prefer to reword this, as libgccjit was a poor choice of name for
>> the library (sorry!), to make it clearer it can be used for both
>> ahead-of-time and just-in-time compilation, and that as used for
>> compilation, the host considerations apply, not just those of the
>> generated target code.
>>
>> How about:
>>
>>    The libgccjit library can, despite the name, be used both for
>>    ahead-of-time compilation and for just-in-time compilation.  In both
>>    cases it can be used to translate input representations (such as
>>    source code) in the application context; in the latter case the
>>    generated code is also run in the application context.
>>    Limitations that apply to the compiler driver apply here too in
>>    terms of sanitizing inputs, so it is recommended that inputs are

Thanks David!
> 
> Unfortunately the lines that follow:
> 
>>    either sanitized by an external program to allow only trusted,
>>    safe compilation and execution in the context of the application,
> 
> again make a reference to a purely theoretical "external program" that
> is not going to exist in reality, and I made a fuss about that in another
> subthread (sorry Siddhesh). We shouldn't speak as if this solution is
> actually available to users.
> 
> I know this is not the main point of your email, but we came up with
> a better wording for the compiler driver, and it would be good to align
> this text with that.

How about:

    The libgccjit library can, despite the name, be used both for
    ahead-of-time compilation and for just-in-time compilation.  In both
    cases it can be used to translate input representations (such as
    source code) in the application context; in the latter case the
    generated code is also run in the application context.
    Limitations that apply to the compiler driver apply here too in
    terms of sanitizing inputs, and it is recommended that both the
    compilation *and* execution contexts of the code are appropriately
    sandboxed to contain the effects of any bugs in libgccjit, the
    application code using it, or its generated code to the sandboxed
    environment.