[Python-Dev] Reviving restricted mode?
tav tav at espians.com
Sun Feb 22 22:22:27 CET 2009
Hey guys,
benjamin> Even if this patch manages to plug all the holes in the
benjamin> current Python, do we really want to commit ourselves
benjamin> to maintaining it through language evolution
benjamin> which will surely introduce new subtle ways to
benjamin> circumvent the guard?
If it would be helpful, I am happy to maintain this as Python evolves.
I've already been maintaining the PJE-inspired ctypes-based approach and monkeypatches for various Python versions for a while now. See secure.py, secure25.py, secure26.py and secure30.py in:
http://github.com/tav/plexnet/tree/9dabc570a2499689e773d1af3599a29102071f80/source/plexnet/util
Also, my plans for world domination depend on a secure Python, so I have the necessary incentives ;p
samuele> I don't have much time these days, for sure not
samuele> until pycon us, to look at the proposed code.
Thanks in advance if/when you get the time for this Samuele!
samuele> E provides and incorporates a lot of thinking
samuele> around [snip]
The functions based approach I am taking is very much taken from E and inspired by an insight that Ka-Ping Yee had on Python-Dev years ago.
See http://www.erights.org/elib/capability/ode/index.html for a direct parallel to the approach I've taken...
guido> For Tav's benefit, I think it would be good to at
guido> least add "IsRestricted" checks to
guido> __subclasses__(), gi_code and gi_frame --
guido> that's a trivial patch and if he believes it's
guido> enough he can create a sandbox on app engine
guido> and invite people to try to break out of it... If
guido> someone succeeds....
If someone succeeds...
...My missus might end up leaving me on account of so much crying ;p
Seriously though, it's a relatively risk-free approach. The only person who stands to lose out is me if I'm wrong =)
In the worst case scenario, this approach would help identify other "leak" attributes/methods -- which I'm hoping won't be found.
And, in an ideal scenario, we'd have the basis for secure Python interpreter/programming... which, together with PyPy's sandboxed interpreter, would seriously rock!
-- enthusiastically, tav
plex:espians/tav | tav at espians.com | +44 (0) 7809 569 369 http://tav.espians.com | http://twitter.com/tav | skype:tavespian
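An added example, not part of the original message or of the patch under discussion: a source-level pre-check that reports where untrusted code touches the three attributes named in the quoted suggestion (`__subclasses__`, `gi_code`, `gi_frame`). It is a static AST scan, not the interpreter-level "IsRestricted" check the thread proposes; `find_leak_access`, `LEAK_ATTRS`, `DYNAMIC_LOOKUPS` and the sample source are assumptions made up for this illustration.

```python
import ast

# Attribute names the thread singles out as needing "IsRestricted" checks.
LEAK_ATTRS = {"__subclasses__", "gi_code", "gi_frame"}
# Builtins that reach an attribute by name instead of by syntax.
DYNAMIC_LOOKUPS = {"getattr", "hasattr", "setattr", "delattr"}


def find_leak_access(source):
    """Return sorted (line, kind, name) findings for untrusted source text."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        # Direct syntax: obj.gi_frame, cls.__subclasses__()
        if isinstance(node, ast.Attribute) and node.attr in LEAK_ATTRS:
            findings.add((node.lineno, "attribute", node.attr))
        elif (isinstance(node, ast.Call)
              and isinstance(node.func, ast.Name)
              and node.func.id in DYNAMIC_LOOKUPS
              and len(node.args) >= 2):
            name = node.args[1]
            if isinstance(name, ast.Constant) and isinstance(name.value, str):
                # getattr(obj, "gi_frame"): the name is known statically.
                if name.value in LEAK_ATTRS:
                    findings.add((node.lineno, "dynamic", name.value))
            else:
                # Computed name: cannot be proven safe, so report it.
                findings.add((node.lineno, "unresolved", node.func.id))
    return sorted(findings)


# Constructed sample of code submitted to a sandbox (parsed only, never run).
SAMPLE = '''\
def helper(gen, cls, key):
    a = gen.gi_frame
    b = getattr(gen, "gi_code")
    c = cls.__subclasses__()
    d = getattr(gen, "gi_" + key)
    return len("gi_frame")
'''

if __name__ == "__main__":
    for line, kind, name in find_leak_access(SAMPLE):
        print(f"line {line}: {kind} access via {name}")
```

A scan like this is only a pre-filter: it sees names written in the source, so it does not replace enforcing the check inside the interpreter as proposed in the thread.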