[Python-Dev] Restricted execution: what's the threat model?

Bob Ippolito bob at redivi.com
Wed Jul 12 23:50:13 CEST 2006


On Jul 12, 2006, at 2:23 PM, Jim Jewett wrote:

Ka-Ping Yee writes:

A. The interpreter will not crash no matter what Python code it is given to execute. Why? We don't want it to crash the embedding app (which might be another python interpreter), but if the sandboxed interpreter itself crashes, is that so bad? The embedding app should just act as though that interpreter exited, possibly with a status code.

When he says crash, I'd have to imagine that he means of the segfault
variety. Good luck saving the embedding app after that.

C. Python programs running in different interpreters embedded in the same process cannot access each other's Python objects. Note that Brett's assumption of shared extension modules violates this -- but I'm not sure why he needs to assume that. (Because of the init-only-once semantics, I'm not even sure it is a good idea to share them.)

Well, if you don't share them, you can't have them at all other than
in the main trusted interpreter. C extensions can only be safely
initialized once and they often cache objects in static variables...
lots of C modules aren't even safe to use when combined with multiple
interpreters and threads (e.g. PyGILState API), so I guess that
perhaps the C API should be refined anyway.

-bob


