[Python-Dev] In defense of Capabilities [was: doc for new restricted execution design for Python] (original) (raw)
Talin talin at acm.org
Tue Jul 11 08:29:10 CEST 2006
- Previous message: [Python-Dev] In defense of Capabilities [was: doc for new restricted execution design for Python]
- Next message: [Python-Dev] In defense of Capabilities [was: doc for new restricted execution design for Python]
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Brett Cannon wrote:
Using a factory method callback, one could store the PyCodeObject in a C proxy object that just acts as a complete delegate, forwarding all method calls to the internally stored PyCodeObject. That would work.
For this initial implementation, though, I am not going to try to support this. We can always add support like this later since it doesn't fundamentally break or change anything that is already planned. Let's focus on getting even more basic stuff working before we start to get too fancy. -Brett
Thinking about this some more, I've come up with a simpler idea for a generic wrapper class. The wrapper consists of two parts: a decorator to indicate that a given method is 'public', and a C 'guard' wrapper that insures that only 'public' members can be accessed.
So for example:
from Sandbox import guard, public
class FileProxy:
# Public method, no decorator
@public
def read( length ):
...
@public
def seek( offset ):
...
# Private method, no decorator
def open( path ):
...
# Construct an instance of FileProxy, and wrap a
# guard object around it. Any attempt to access a non-public
# attribute will raise an exception (or perhaps simply report
# that the attribute doesn't exist.)
fh = guard( FileProxy() )Now, from my point of view this is 'the basic stuff'. In other words, this right here is the fundamental sandbox mechanism, and everything else is built on top of it.
Now, the C 'guard' function is only a low-level means to insure that no-one can mess with the object; It is not intended to be the actual restriction policy itself. Those are placed in the wrapper classes, just as in your proposed scheme.
(This goes back to my basic premise, that a simple "yes/no" security feature can be used to build up much more complex and subtle security features.)
The only real complexity of this, as I see it, is that methods to references will have to be themselves wrapped.
In other words, if I say 'fh.read' without the (), what I get back can't be the actual read function object - that would be too easy to fiddle with. What I'd have to get is a wrapped version of the method that is a callable.
One relatively simply way to deal with this is to have the 'public' decorator create a C wrapper for the function object, and store it as an attribute of the function. The class wrapper then simply looks up the attribute, and if it has an attribute wrapper, returns that, otherwise it fails.
(Although, I've often wished for Python to have a variant of call that could be used to override individual methods, i.e.:
__call_method__( self, methodname, *args )This would make the guard wrapper much easier to construct, since we could restrict the methods only to being called, and not allow references to methods to be taken.)
-- Talin
- Previous message: [Python-Dev] In defense of Capabilities [was: doc for new restricted execution design for Python]
- Next message: [Python-Dev] In defense of Capabilities [was: doc for new restricted execution design for Python]
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]