[Python-Dev] In defense of Capabilities [was: doc for new restricted execution design for Python]
Talin
talin at acm.org
Sun Jul 9 05:15:18 CEST 2006
Brett Cannon wrote:
> On 7/7/06, Guido van Rossum <guido at python.org> wrote:
>> On 7/8/06, Ka-Ping Yee <python-dev at zesty.ca> wrote:
>> > I'd like the answer to be yes. It sounded for a while like this
>> > was not part of Brett's plan, though. Now i'm not so sure. It
>> > sounds like you're also interested in having the answer be yes?
>> >
>> > Let's keep talking about and playing with more examples -- i think
>> > they'll help us understand what goals we should aim for and what
>> > pitfalls to anticipate before we nail down too many details.
>>
>> I'd like the answer to be no, because I don't believe that we can
>> trust the VM to provide sufficient barriers. The old pre-2.2
>> restricted execution mode tried to do this but 2.2 punched a million
>> holes in it. Python isn't designed for this (it doesn't even enforce
>> private attributes). I guess this is also the main reason I'm
>> skeptical about capabilities for Python.
>
> My plan is no. As Guido said, getting this right is feasibly
> questionable. I do not plan on trying to have security proxies or such
> implemented in Python code; it will need to be in C. If someone comes
> along
> and manages to find a way to make Python work without significantly
> changing
> the languages, great, and we can toss out my security implementation for
> that.
>
> But as of right now, I am not planning on making Python code safe to run in
> Python code.
It might be possible for the code *outside* the sandbox to create new
security policies written in Python.
Lets start with the concept of a generic "protection" wrapper - its a C
proxy object which can wrap around any Python object, and which can
restrict access to a specific set of methods. So for example:
protected_object = protect(myObject, methods=set('open','close'))
'protect' creates a C proxy which restricts access to the object,
allowing only those methods listed to be called.
Now, lets create a security policy, written in Python. The policy is
essentially a factory which creates wrapped objects:
class MyPolicy:
# Ask the policy to create a file object
def file( path, perms ):
if perms == 'r':
# Trivial example, a real proxy would be more
# sophisticated, and probably configurable.
return protect( file( path, perms ),
methods=set('open', 'read', 'close') )
raise SecurityException
Now, when we create our sandbox, we pass in the policy:
sb = Sandbox( MyPolicy() )
The sandbox calls 'protect' on the policy object, preventing it from
being inspected or called inappropriately.
-- Talin
More information about the Python-Dev
mailing list