[Python-Dev] Reviving restricted mode?

Nick Coghlan ncoghlan at gmail.com
Thu Aug 14 09:48:58 CEST 2014

On 14 August 2014 07:25, Victor Stinner <victor.stinner at gmail.com> wrote:
> Hi,
> I heard that PyPy sandbox cannot be used out of the box. You have to write a
> policy to allow syscalls. The complexity is moved to this policy which is
> very hard to write, especially if you only use whitelists.
> Correct me if I'm wrong. To be honest, I never take a look at this sandbox.

By default, the PyPy sandbox requires all system access to be proxied
through the host application (which is running in a separate process).
Similarly, using "sandbox" on Fedora (et al) will get you a default
deny OS level sandbox, where you have to provide selective access to
things outside the box.

The effective decision taken when rexec and Bastion were removed from
the standard library was "sandboxing is hard enough for operating
systems to get right, we're not going to try to tackle the even harder
problem of an in-process sandbox".

"Deny all" sandboxes are relatively easy, but also relatively useless.
It's "allow these activities, but no others" that's difficult, since
any kind of access can often be leveraged into greater access than was


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Python-Dev mailing list