[Python-Dev] The pysandbox project is broken

Nick Coghlan ncoghlan at gmail.com
Wed Nov 13 07:48:03 CET 2013


On 13 Nov 2013 12:11, "Christian Heimes" <christian at python.org> wrote:
>
> Am 13.11.2013 01:47, schrieb Glenn Linderman:
> > If it is an implementation issue, then perhaps a different
> > implementation would help. Or perhaps a "safe compiler".
> >
> > If it is a language design issue, then a different implementation
> > wouldn't help, it would require a new language, or a restricted subset.
> > I'm not sure whether some of the onerous sounding restrictions result
> > from language or implementation issues; some of them certainly sounded
> > like implementation issues.
> >
> > A restricted subset, compiled by a validating compiler, might still be a
> > useful language, even if the execution speed has to be reduced by a
> > validating runtime.
>
> A limited and well-defined subset of Python may do the trick, perhaps a
> project based on RPython. Zope has a long history of restricted Python
> code with safe-guards and security proxies. Any project must start with
> a proper threat model and goals. Does sandboxed code need to access
> frame objects and use compile()? Could we perhaps use limited
> subinterpreters with reduced / modified builtins to achieve isolation?

Brett Cannon also spent some time exploring the idea of a
security capability based model for a Python implementation.

> CPython still has a couple of crashers, too. These must be resolved. You
> don't want sandboxed code to generate a segfault, do you?

Indeed - it would be interesting to see if any of those have been resolved
by the various edge case fixes in recent months.

> > Is there technology in the smartphone OSes that could be applied? iOS
> > seems to not even provide a file system to its apps, and there is
> > limited sharing of data from one app to the next. Android provides an
> > explicit subset of system services to its apps.
>
> On Linux seccomp may be a feasible way to prevent syscalls. Seccomp
> basically can limit the capability of a thread so it can no longer do
> certain syscalls. Chrome uses it for sandboxing.

Yeah, there's a reason our standard answer to "How do I sandbox Python
code?" has been "Use a subprocess and the OS provided process sandboxing
facilities" for quite some time.

Sandboxing software *at all* is difficult; doing it cross-platform is even
harder.

Cheers,
Nick.

>
> Christian
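
The "subprocess plus OS-provided facilities" approach from the message above, shown as an added example that is not part of the original thread: a separate interpreter process is started with POSIX resource limits applied between fork() and exec(). The helper name `run_untrusted` and the limit values are constructed for illustration, and the code assumes a POSIX system; rlimits only bound resource use, so syscall filtering such as the seccomp mentioned above would be layered on top.

```python
import resource
import subprocess
import sys
import tempfile

# Constructed limits for illustration; tune them for the real workload.
LIMITS = {
    resource.RLIMIT_CPU: 2,             # seconds of CPU time
    resource.RLIMIT_AS: 1024 ** 3,      # bytes of address space (1 GiB)
    resource.RLIMIT_FSIZE: 0,           # no bytes may be written to regular files
    resource.RLIMIT_NOFILE: 16,         # open file descriptors
}


def _apply_limits():
    """Runs in the child after fork() and before exec(); limits survive exec()."""
    for res, want in LIMITS.items():
        _, hard = resource.getrlimit(res)
        if hard != resource.RLIM_INFINITY:
            want = min(want, hard)      # an unprivileged process cannot raise a hard limit
        resource.setrlimit(res, (want, want))


def run_untrusted(source, wall_timeout=10):
    """Run `source` in a separate, resource-limited interpreter process.

    Returns (returncode, stdout, stderr). A negative returncode means the
    child was killed by that signal number; None means the wall-clock
    timeout expired. Hypothetical helper, not an existing API.
    """
    with tempfile.TemporaryDirectory() as scratch:
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-c", source],  # -I: ignore env vars and user site
                stdin=subprocess.DEVNULL, capture_output=True, text=True,
                env={}, cwd=scratch, timeout=wall_timeout,
                preexec_fn=_apply_limits,
            )
        except subprocess.TimeoutExpired:
            return None, "", "wall-clock timeout"
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    print(run_untrusted("print(2 + 2)"))
    print(run_untrusted("while True: pass"))       # killed once CPU time runs out
    print(run_untrusted("bytearray(1 << 32)"))     # MemoryError under RLIMIT_AS
```

A crash or runaway loop in the child ends only that process, and the parent sees it as a return code rather than sharing its fate.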