Creating a capabilities-based restricted execution system
newsgroups at jhrothjr.com
Sat Jan 3 14:08:01 CET 2004
"Sean R. Lynch" <seanl at chaosring.org> wrote in message
news:LmmdnUn4seDeGWuiXTWc-w at speakeasy.net...
> Does anyone think I'm going in completely the wrong direction here? Am I
> missing anything obvious?
Yes, you're missing something really obvious. Multi-level
security is a real difficult problem if you want to solve it
in a believable (that is, bullet-proof) fashion. The only way
I know of solving it is to provide separate execution
environments for the different privilege domains.
In the current Python structure, that means different
interpreters so that the object structures don't intermix.
If you have separate domains, then the only support
needed is to remove privileged modules from the
built-ins, and virtualize import so that it won't load
modules that aren't on the approved list for that
You also, of course, need some form of gate between
the untrusted and trusted domains.
Once that's done, there's no reason to layer additional
complexity on top, and there is no reason to restrict
any introspection facilities.
More information about the Python-list