Ka-Ping Yee wrote:
Hmm, I'm not sure you understood what I meant. The code example I posted is a solution to the design challenge: "provide read-only access to a directory and its subdirectories, but no access to the rest of the filesystem". I'm looking for other security design challenges to tackle in Python. Once enough of them have been tried, we'll have a better understanding of what Python would need to do to make secure programming easier.
Okay, how about allowing a piece of untrusted code to import modules from a selected subset of all modules. For instance you probably want to allow untrusted code to get access to regular expressions and codecs (after taming!) but not os or socket.
Speaking of sockets, web browsers often allow connections to sockets only at a particular domain. In a capabilities world, I guess the domain would be an object that you could request sockets from.
Are DoS issues in scope? How do we prevent untrusted code from just bringing the interpreter to a halt? A smart enough attacker could even block all threads in the current process by finding a task that is usually not time-sliced and making it go on for a very long time. Without looking at the Python implementation, I can't remember an example off the top of my head, but perhaps a large multiplication or search-and-replace in a string.
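An added example, not code posted by anyone in this thread, sketching the "import only a selected subset of modules" challenge above in Python: untrusted code runs with a replacement `__import__` that consults an allowlist, and each permitted module is handed out through a read-only proxy that exposes only named attributes (the "taming" step, since a raw `codecs` module would leak the `sys` it imports). The `POLICY` table and the names `run_untrusted`, `import_blocked`, `TamedModule` are assumptions made for this illustration.

```python
"""Allowlist import hook for untrusted Python code.

Added example for the "import a selected subset of modules" challenge; it
is not code from anyone in the thread.  POLICY and the function names below
are assumptions made for the illustration.
"""
import importlib

# Assumed policy: module name -> the attributes untrusted code may touch.
# Exposing only named functions is the taming step: codecs, for instance,
# imports sys at module level, so handing out the raw module would leak it.
POLICY = {
    "re": frozenset({"compile", "match", "search", "sub", "escape"}),
    "codecs": frozenset({"encode", "decode"}),
}


class TamedModule:
    """Read-only proxy that exposes only the attributes listed in the policy."""

    __slots__ = ("_module", "_allowed")

    def __init__(self, module, allowed):
        object.__setattr__(self, "_module", module)
        object.__setattr__(self, "_allowed", frozenset(allowed))

    def __getattr__(self, name):
        # Reached for every lookup the untrusted code performs on the proxy
        # (the two slots above are found by normal attribute lookup).
        if name == "__name__":
            return self._module.__name__
        if name in self._allowed:
            return getattr(self._module, name)
        raise AttributeError(
            f"{self._module.__name__}.{name} is not exposed to untrusted code"
        )

    def __setattr__(self, name, value):
        raise AttributeError("tamed modules are read-only")


def make_restricted_import(policy):
    """Build an __import__ replacement that honours `policy`."""

    def restricted_import(name, globals=None, locals=None, fromlist=(), level=0):
        # Refuse relative imports and dotted names outright; the policy is
        # keyed on bare top-level module names only.
        if level != 0 or "." in name or name not in policy:
            raise ImportError(f"import of {name!r} is not permitted")
        module = importlib.import_module(name)
        return TamedModule(module, policy[name])

    return restricted_import


def run_untrusted(source, policy=POLICY):
    """Execute `source` with a minimal builtins table and the import hook.

    Returns the namespace the code ran in so the caller can inspect results.
    """
    safe_builtins = {
        "__import__": make_restricted_import(policy),
        # Deliberately no open, eval, exec, getattr, __build_class__, ...
        "len": len, "range": range, "str": str, "bytes": bytes,
        "list": list, "dict": dict, "print": print,
    }
    namespace = {"__builtins__": safe_builtins}
    exec(compile(source, "<untrusted>", "exec"), namespace)
    return namespace


def import_blocked(source, policy=POLICY):
    """True if `source` is stopped by the import hook or by the module proxy."""
    try:
        run_untrusted(source, policy)
    except (ImportError, AttributeError):
        return True
    return False


if __name__ == "__main__":
    ns = run_untrusted("import re\nmasked = re.sub(r'\\d', '#', 'a1b2')")
    print(ns["masked"])                                      # a#b#
    print(import_blocked("import os"))                       # True
    print(import_blocked("from socket import socket"))       # True
    print(import_blocked("import codecs\nx = codecs.sys"))   # True
```

This confines the `import` statement and attribute lookups on the proxied modules, nothing more: objects returned by the allowed functions are ordinary Python objects, and a chain such as `().__class__.__base__.__subclasses__()` still reaches every loaded class. It is a sketch of the design challenge, not a sandbox, and it says nothing about the DoS question.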