
Hi, I have been following the pypy project for over a year. And I have been playing around with it for some time. The project I am working with Minimum Intrusion Grid : MiG ( http://sites.google.com/site/minimumintrusiongrid/) are looking into using pypy. I would like to use it for sandboxing user code in MiG, more specific allow the users to develop their own “scheduler” . The MiG, it self is written in Python so we might even be able to run it on pypy. But right now it is the sandboxing that I am working with. For me it is a bit unclear in the documentation/website, but for that I read into “An attacker that tries to escape the sandbox is stuck within a C program that contains no external function calls at all except for writing to stdout and reading from stdin.” means that I have to write functions that emulates file read/write operations. I have tried different things using the pypy_interact.py (just love the –timeout parameter J), looked at code but have not been able to read files or write files using the pypy_interact.py. What have I missed? Regards, Søren Laursen

Hi, On Tue, Mar 23, 2010 at 10:46:50PM +0100, Søren Laursen wrote:
You get indeed a VFS (virtual file system) which is read-only so far. You can read any file from the virtual path "/tmp/xxx" if you start pypy_interact.py with the option "--tmp=some/path". There is no support yet to allow writes. It could be easily added by editing vfs.py. A bientot, Armin.

Thanks for all the replies. I have started to look at vfs.py, I will join IRC later today. Regards, Søren -----Oprindelig meddelelse----- Fra: Armin Rigo [mailto:arigo@tunes.org] Sendt: 24. marts 2010 10:39 Til: Søren Laursen Cc: pypy-dev@codespeak.net Emne: Re: [pypy-dev] Sandboxing pypy Hi, On Tue, Mar 23, 2010 at 10:46:50PM +0100, Søren Laursen wrote:
You get indeed a VFS (virtual file system) which is read-only so far. You can read any file from the virtual path "/tmp/xxx" if you start pypy_interact.py with the option "--tmp=some/path". There is no support yet to allow writes. It could be easily added by editing vfs.py. A bientot, Armin.

Le mardi 23 mars 2010 22:46:50, Søren Laursen a écrit :
FYI I wrote a new sandbox project for CPython: http://github.com/haypo/pysandbox/ It's currently very specific to CPython: it uses evil tricks to create a read only view of the __builtins__ super global dictionary. It's completly different to the PyPy sandbox: if you escape from the sandbox, you get a full access to all Python functions. A long description: http://mail.python.org/pipermail/python-dev/2010-February/097701.html -- Victor Stinner http://www.haypocalc.com/

On 24 March 2010 21:01, Victor Stinner <victor.stinner@haypocalc.com> wrote:
I didn't dive too deeply into the source, but what is to stop one from asking: [o for o in (1).__class__.__bases__[0].__subclasses__() if o.__name__ == 'file'][0]('/etc/passwd').read() ? -- William Leslie
participants (5)
-
Armin Rigo
-
Benjamin Peterson
-
Søren Laursen
-
Victor Stinner
-
William Leslie