[Python-Dev] The pysandbox project is broken (original) (raw)
Nick Coghlan ncoghlan at gmail.com
Wed Nov 13 07:48:03 CET 2013
- Previous message: [Python-Dev] The pysandbox project is broken
- Next message: [Python-Dev] The pysandbox project is broken
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 13 Nov 2013 12:11, "Christian Heimes" <christian at python.org> wrote:
Am 13.11.2013 01:47, schrieb Glenn Linderman: > If it is an implementation issue, then perhaps a different > implementation would help. Or perhaps a "safe compiler". > > If it is a language design issue, then a different implementation > wouldn't help, it would require a new language, or a restricted subset. > I'm not sure whether some of the onerous sounding restrictions result > from language or implementation issues; some of them certainly sounded > like implementation issues. > > A restricted subset, compiled by a validating compiler, might still be a > useful language, even if the execution speed has to be reduced by a > validating runtime. A limited and well-defined subset of Python may do the trick, perhaps a project based on RPython. Zope has a long history of restricted Python code with safe-guards and security proxies. Any project must start with a proper threat model and goals. Does sandboxed code need to access frame objects and use compile()? Could we perhaps use a limited subinterpreters with reduced / modified builtins to archive isolation?
Brett Cannon also spent some time exploring exploring the idea of a security capability based model for a Python implementation.
CPython still has a couple of crashers, too. These must be resolved. You don't want sandboxed code to generate a segfault, do you?
Indeed - it would be interesting to see if any of those have been resolved by the various edge case fixes in recent months.
> Is there technology in the smartphone OSes that could be applied? iOS > seems to not even provide a file system to its apps, and there is > limited sharing of data from one app to the next. Android provides an > explicit subset of system services to its apps.
On Linux seccomp may be a feasible way to prevent syscalls. Seccomp basically can limit the capability of a thread so it can no longer do certain syscalls. Chrome uses it for sandboxing.
Yeah, there's a reason our standard answer to "How do I sandbox Python code?" has been "Use a subprocess and the OS provided process sandboxing facilities" for quite some time.
Sandboxing software at all is difficult, doing it cross-platform is even harder.
Cheers, Nick.
Christian
Python-Dev mailing list Python-Dev at python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20131113/0e98cef5/attachment.html>
- Previous message: [Python-Dev] The pysandbox project is broken
- Next message: [Python-Dev] The pysandbox project is broken
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]