[Python-Dev] In defense of Capabilities [was: doc for new restricted execution design for Python]

[Greg Ewing]

Michael Chermside wrote:

> That leaves the other problem: auxiliary means of accessing
> objects. There are things like gc.get_objects(). In the special
> case of file, which is a type that's also dangerous, there are
> tricks like "object().__class__.__subclasses__()".

My approach to that would be to not provide access to
these kinds of things via attributes, but via builtin
functions. E.g there wouldn't be a __subclasses__
attribute, but a subclasses() function. Then that
capability can be denied by not providing that
function.

--
Greg