[Python-Dev] In defense of Capabilities [was: doc for new restricted execution design for Python]

Talin talin at acm.org
Sun Jul 9 05:15:18 CEST 2006


Brett Cannon wrote:

On 7/7/06, Guido van Rossum <guido at python.org> wrote:

On 7/8/06, Ka-Ping Yee <python-dev at zesty.ca> wrote:
> I'd like the answer to be yes. It sounded for a while like this
> was not part of Brett's plan, though. Now i'm not so sure. It
> sounds like you're also interested in having the answer be yes?
>
> Let's keep talking about and playing with more examples -- i think
> they'll help us understand what goals we should aim for and what
> pitfalls to anticipate before we nail down too many details.

I'd like the answer to be no, because I don't believe that we can trust the VM to provide sufficient barriers. The old pre-2.2 restricted execution mode tried to do this but 2.2 punched a million holes in it. Python isn't designed for this (it doesn't even enforce private attributes). I guess this is also the main reason I'm skeptical about capabilities for Python.

My plan is no. As Guido said, getting this right is feasibly questionable. I do not plan on trying to have security proxies or such implemented in Python code; it will need to be in C. If someone comes along and manages to find a way to make Python work without significantly changing the language, great, and we can toss out my security implementation for that. But as of right now, I am not planning on making Python code safe to run in Python code.

It might be possible for the code outside the sandbox to create new security policies written in Python.

Let's start with the concept of a generic "protection" wrapper - it's a C proxy object which can wrap around any Python object, and which can restrict access to a specific set of methods. So for example:

protected_object = protect(myObject, methods=set(['open', 'close']))

'protect' creates a C proxy which restricts access to the object, allowing only those methods listed to be called.

Now, let's create a security policy, written in Python. The policy is essentially a factory which creates wrapped objects:

class MyPolicy:
   # Ask the policy to create a file object
   def file( self, path, perms ):
      if perms == 'r':
         # Trivial example, a real proxy would be more
         # sophisticated, and probably configurable.
         return protect( file( path, perms ),
                         methods=set(['open', 'read', 'close']) )
      # Any other mode is refused by this policy
      raise SecurityException

Now, when we create our sandbox, we pass in the policy:

sb = Sandbox( MyPolicy() )

The sandbox calls 'protect' on the policy object, preventing it from being inspected or called inappropriately.

-- Talin
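The following is an added example, not code from Talin's post or from Brett's sandbox work: a pure-Python sketch of the protect / policy / Sandbox design the post describes, with a constructed FakeFile standing in for a real file so it runs offline. Every name here (Protected, SecurityException, FakeFile, check_barrier) is an assumption of this example. The last function also demonstrates the caveat Guido raises in the thread: a proxy written in Python can deny attributes by name, but the bound methods it hands back still carry their receiver in `__self__`, so the barrier is only complete when the proxy lives in C.

```python
"""Added example (not from the post): a Python-level 'protect' proxy,
a policy factory, and a sandbox, plus a check of where the barrier leaks."""


class SecurityException(Exception):
    """Raised when a policy refuses a request (hypothetical name)."""


class Protected(object):
    """Proxy that exposes only an allowlisted set of method names.

    Everything else (plain attributes, dunders, the wrapped object
    itself) is refused with AttributeError.
    """

    def __init__(self, target, methods):
        # Store state via object.__setattr__ so the proxy's own
        # __setattr__ below never sees it.
        object.__setattr__(self, "_target", target)
        object.__setattr__(self, "_methods", frozenset(methods))

    def __getattribute__(self, name):
        allowed = object.__getattribute__(self, "_methods")
        if name not in allowed:
            raise AttributeError("access to %r denied by policy" % name)
        target = object.__getattribute__(self, "_target")
        return getattr(target, name)

    def __setattr__(self, name, value):
        raise AttributeError("protected object is read-only")

    def __delattr__(self, name):
        raise AttributeError("protected object is read-only")


def protect(obj, methods):
    """Wrap obj so that only the named methods are reachable."""
    return Protected(obj, methods)


class FakeFile(object):
    """Constructed stand-in for a file object (no disk access)."""

    def __init__(self, path, mode):
        self.path = path
        self.mode = mode
        self.closed = False
        self._data = "constructed contents of %s\n" % path

    def read(self):
        return self._data

    def write(self, s):
        self._data += s

    def close(self):
        self.closed = True


class MyPolicy(object):
    """Policy factory: hands out read-only file proxies, refuses the rest."""

    def file(self, path, perms):
        if perms == "r":
            return protect(FakeFile(path, perms), methods=["read", "close"])
        raise SecurityException("policy forbids mode %r for %s" % (perms, path))


class Sandbox(object):
    """Holds a protected view of the policy; sandboxed code sees only 'file'."""

    def __init__(self, policy):
        self.policy = protect(policy, methods=["file"])


def policy_refuses_write_mode(sb):
    """True if the policy rejects a request for a writable file."""
    try:
        sb.policy.file("/tmp/example", "w")
    except SecurityException:
        return True
    return False


def check_barrier(sb):
    """Return (denied_write, denied_dunder, leaked_via_bound_method)."""
    f = sb.policy.file("/etc/hostname", "r")
    denied_write = False
    try:
        f.write("x")            # not in the allowlist
    except AttributeError:
        denied_write = True
    denied_dunder = False
    try:
        f.__class__             # dunders are not in the allowlist either
    except AttributeError:
        denied_dunder = True
    # The caveat: getattr on the target returns a bound method of the real
    # object, and every bound method exposes its receiver as __self__.
    # A Python-level proxy cannot intercept that, which is the point of
    # insisting the proxy be implemented in C.
    receiver = f.read.__self__
    leaked = receiver is not f and isinstance(receiver, FakeFile)
    return denied_write, denied_dunder, leaked


if __name__ == "__main__":
    sb = Sandbox(MyPolicy())
    print(sb.policy.file("/etc/hostname", "r").read())
    print(check_barrier(sb))    # (True, True, True)
```

The allowlist check itself works as the post describes: write mode is refused by the policy, and `write` and `__class__` are refused by the proxy. The third flag in `check_barrier` is the reason Brett's reply says the proxies "will need to be in C": the Python-level wrapper controls attribute lookup on the proxy, not on the objects it returns.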