On Sun, Feb 26, 2023, 5:42 PM Chris Angelico <rosuav@gmail.com> wrote:
On Mon, 27 Feb 2023 at 08:33, python--- via Python-ideas
<python-ideas@python.org> wrote:
>
> Thank you for the insight. I have some more work to do! I will share on this thread again when I've made further changes.
>
> If you have some time, I would be grateful if you could share a few test cases such as "bypass it by spinning off a new thread", or
> object.__subclasses__. Code is not necessary but just pointers.
>

The trouble with that is, I don't really want to build and run your
Python just for the test, so all I can really do is talk
theoretically. But if you can name any module that IS permitted to
import code, I can attempt (on a vanilla Python) to trigger it to
import something of my choice.

It's worth noting, for instance, that sys.path and its friends can be
manipulated to control what would be imported; a trusted module could
potentially be tricked into importing anything at all.

Python simply isn't designed for security boundaries.

Trying to just application-sandbox Python again? Python is not (and possibly cannot be) made a sufficient sandbox; and neither can other languages solve this without breaking changes, too.

Things you can do, things you can't:

- setcap a (virtualenv) bin/python

- differentiate between code and data using the NX bit, *when a C extension (with nested functions,) is imported [1][2]. The NX bit doesn't work if you import a C extension.

- Work with the ctypes module:
  import ctypes
  ctypes.cast(1, ctypes.py_object)

- strip modules out of stdlib (and patch importlib) before compiling

  - "PEP 594 – Removing dead batteries from the standard library"
    https://peps.python.org/pep-0594/
  
  - There were mailing list and probably also Discourse discussions of how to allow customized builds of CPython with modules excluded. I'll keep looking for the link.

[1] https://groups.google.com/g/dev-python/c/67Et2KtpzG4

[2] https://en.wikipedia.org/wiki/Nested_function#No-execute_stacks

(E.g. BinderHub and Dask will run [Python, conda-forge,] code in k8s and containers to sandbox / process-isolate it.)

Is it possible to grant a WASM runtime - in a browser application sandbox (with IPC APIs (all running under one user)) - access to syscalls (WASI,) and have it provide sufficient security assurances, even?
Python does not yet (?) have browser-like sandboxing features.

There have been various efforts and PyCon presentations on sandboxing Python with Python; most of them just retrospectives.
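
The sys.path point raised in the thread, as an added example that is not part of the original messages: a name-based allow-list accepts the module either way, while resolving the name and checking where the file lives shows which copy would actually load. The module name `report_utils`, the two directories and the helper functions are hypothetical and constructed for the demonstration; nothing is imported or executed.

```python
import importlib.machinery
import os
import tempfile

ALLOWED_NAMES = {"report_utils"}  # hypothetical name-based allow-list


def name_check(name):
    """The weak check: decide on the module name alone."""
    return name in ALLOWED_NAMES


def origin_check(name, search_path, trusted_roots):
    """Resolve the name the way the path-based import system would, then
    require the file that would load to live under a trusted directory."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or not spec.origin:
        return False, None
    origin = os.path.realpath(spec.origin)
    roots = [os.path.realpath(r) + os.sep for r in trusted_roots]
    return any(origin.startswith(r) for r in roots), origin


def demo():
    """Constructed scenario: the same module name exists in a trusted
    directory and in a writable one; only the search order changes."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        trusted = os.path.join(base, "trusted")
        writable = os.path.join(base, "writable")
        for d in (trusted, writable):
            os.mkdir(d)
            with open(os.path.join(d, "report_utils.py"), "w") as f:
                f.write("WHERE = %r\n" % os.path.basename(d))
        for label, path in (("normal", [trusted, writable]),
                            ("reordered", [writable, trusted])):
            ok, origin = origin_check("report_utils", path, [trusted])
            # (name-based verdict, origin-based verdict, directory that wins)
            results[label] = (name_check("report_utils"), ok,
                              os.path.basename(os.path.dirname(origin)))
    return results


if __name__ == "__main__":
    for label, row in demo().items():
        print(label, row)
```

The origin check is a way to notice path shadowing, not a sandbox: code already running in the same interpreter can change both the search path and the check itself.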