[Python-Dev] what can we do to hide the 'file' type?
Brett Cannon brett at python.org
Thu Jul 6 02:01:48 CEST 2006
- Previous message: [Python-Dev] In defense of Capabilities [was: doc for new restricted execution design for Python]
- Next message: [Python-Dev] what can we do to hide the 'file' type?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To make sure I don't unfairly block out capabilities as a complete security model instead of just crippling 'file's constructor (I do like capabilities and think it is a good model, really!), let's discuss how one can get to the 'file' type without importing any extension modules (that can be protected at the import level so I am ignoring the 'gc' module trick and such).
First, it's in __builtin__. That reference can just be left out of the dict at the PyInterpreterState struct's dict for built-ins. But we all know it isn't that simple.
Second, there is __subclasses__(). That method could just not be allowed to be in the 'type' class at the Python level (hiding it, crippling it, whatever), but would that break much code? I don't know, but I doubt it.
Third, for any wrappers returned by open(), it cannot be a subclass because chaining __class__ attribute, mro() (or any of the other methods provided on 'object' or 'type'), or type() will get you to the original 'file' type. The actual 'file' reference will need to be stored at the C struct level for the wrapper and not accessed except by the wrapper directly which would be implemented in C.
Can anyone think of any other way to gain access to 'file' without importing a module? At that point one would need to be very careful about what an extension module exported to the world, but I can live with that (as that is already part of the plan).
Please seriously try to think of ways to get to 'file' everybody. If we really cannot come up with anything beyond these three ways, then I am totally willing to go with a much more complete capabilities system for security in Python and really minimize any crippling. I just need to be convinced that we won't be plugging holes in how to hide 'file' rather than plugging holes from crippling 'file' (which, at this point, I am not convinced of).
And if Armin and/or Samuele sign off that what we find is most likely (with "most likely" equalling 99% chance) all there is, then bonus points and I will really be convinced. =)
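Editor's added example, not part of the original message and not code from the Python project: a small Python 3 audit that checks whether a protected type is still reachable from the objects a sandbox exposes, using only the three routes the message lists. `Protected`, `SubclassWrapper`, `OpaqueWrapper`, `reaches` and `audit` are hypothetical names; `Protected` is a constructed stand-in for 'file', and `OpaqueWrapper` stands in for a wrapper that keeps its reference at the C struct level.

```python
class Protected:                    # constructed stand-in for the 'file' type
    pass

class SubclassWrapper(Protected):   # wrapper written as a subclass
    pass

class OpaqueWrapper:                # stand-in for a C-level wrapper: it holds
    pass                            # no Python-visible link to Protected

def reaches(roots, target, use_subclasses):
    """True if `target` can be reached from `roots` through type(), __mro__
    and, optionally, __subclasses__()."""
    seen = set()
    stack = [r if isinstance(r, type) else type(r) for r in roots]
    while stack:
        t = stack.pop()
        if t is target:
            return True
        if id(t) in seen:
            continue
        seen.add(id(t))
        stack.append(type(t))        # type() of a class is its metaclass
        stack.extend(t.__mro__)      # base classes
        if use_subclasses:
            # Called through 'type' so it also works when t is 'type' itself.
            stack.extend(type.__subclasses__(t))
    return False

def audit(namespace, target):
    """Report which route exposes `target` to code holding `namespace`."""
    values = list(namespace.values())
    return {
        "by_name": any(v is target for v in values),
        "type_mro": reaches(values, target, use_subclasses=False),
        "subclasses": reaches(values, target, use_subclasses=True),
    }

if __name__ == "__main__":
    # Constructed sandbox namespaces: only the wrapper object is exposed.
    for label, ns in [("subclass wrapper", {"open": SubclassWrapper()}),
                      ("opaque wrapper", {"open": OpaqueWrapper()})]:
        print(label, audit(ns, Protected))
```

With the opaque wrapper only the `subclasses` route still reports the type as reachable, which is the case the second point of the message is about.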