[Python-Dev] In defense of Capabilities [was: doc for new restricted execution design for Python]

Talin talin at acm.org
Sun Jul 9 05:15:18 CEST 2006


Brett Cannon wrote:
> On 7/7/06, Guido van Rossum <guido at python.org> wrote:
>> On 7/8/06, Ka-Ping Yee <python-dev at zesty.ca> wrote:
>> > I'd like the answer to be yes.  It sounded for a while like this
>> > was not part of Brett's plan, though.  Now i'm not so sure.  It
>> > sounds like you're also interested in having the answer be yes?
>> >
>> > Let's keep talking about and playing with more examples -- i think
>> > they'll help us understand what goals we should aim for and what
>> > pitfalls to anticipate before we nail down too many details.
>>
>> I'd like the answer to be no, because I don't believe that we can
>> trust the VM to provide sufficient barriers. The old pre-2.2
>> restricted execution mode tried to do this but 2.2 punched a million
>> holes in it. Python isn't designed for this (it doesn't even enforce
>> private attributes). I guess this is also the main reason I'm
>> skeptical about capabilities for Python.
> 
> My plan is no.  As Guido said, getting this right is feasibly
> questionable.  I do not plan on trying to have security proxies or such
> implemented in Python code; it will need to be in C.  If someone comes
> along and manages to find a way to make Python work without
> significantly changing the languages, great, and we can toss out my
> security implementation for that.
> 
> But as of right now, I am not planning on making Python code safe to run in
> Python code.

It might be possible for the code *outside* the sandbox to create new 
security policies written in Python.

Let's start with the concept of a generic "protection" wrapper - it's a C 
proxy object which can wrap around any Python object, and which can 
restrict access to a specific set of methods. So for example:

    # set() takes a single iterable, so the method names go in a list
    protected_object = protect(myObject, methods=set(['open', 'close']))

'protect' creates a C proxy which restricts access to the object, 
allowing only those methods listed to be called.

Now, let's create a security policy, written in Python. The policy is 
essentially a factory which creates wrapped objects:

    class MyPolicy:
        # Ask the policy to create a file object
        def file(self, path, perms):
            if perms == 'r':
                # Trivial example, a real proxy would be more
                # sophisticated, and probably configurable.
                # open() hands back the real file object; protect()
                # wraps it so only the listed methods are reachable.
                return protect(open(path, perms),
                               methods=set(['open', 'read', 'close']))
            # Any other mode is refused (SecurityException is assumed
            # to be defined by the sandbox implementation).
            raise SecurityException

Now, when we create our sandbox, we pass in the policy:

    sb = Sandbox( MyPolicy() )

The sandbox calls 'protect' on the policy object, preventing it from 
being inspected or called inappropriately.

-- Talin
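The design above, modelled in pure Python as an added example that is not part of the original message or of any Python sandbox implementation: `protect()`, `_Protected`, `SecurityException`, `MyPolicy`, `Sandbox` and the in-memory opener are all assumed names. The model shows the three pieces Talin sketches (a method allow-list proxy, a policy factory that hands out wrapped objects, and a sandbox that wraps the policy itself) and how sandboxed code is stopped from writing, from inspecting the policy, and from asking for a mode the policy denies.

```python
import io


class SecurityException(Exception):
    """Raised when sandboxed code asks for something the policy denies."""


class _Protected(object):
    """Pure-Python model of the C proxy described in the thread.

    It keeps the wrapped object and the allow-list in slots that are only
    reachable through object.__getattribute__, and forwards nothing else:
    not __class__, not __dict__, not attribute assignment.  A pure-Python
    proxy is a model only; anyone holding `object` can still reach
    `_target`, which is why the thread wants the real proxy written in C.
    """
    __slots__ = ('_target', '_methods')

    def __init__(self, target, methods):
        object.__setattr__(self, '_target', target)
        object.__setattr__(self, '_methods', frozenset(methods))

    def __getattribute__(self, name):
        methods = object.__getattribute__(self, '_methods')
        if name in methods:
            target = object.__getattribute__(self, '_target')
            return getattr(target, name)
        raise SecurityException('access to %r denied by policy' % name)

    def __setattr__(self, name, value):
        raise SecurityException('proxy attributes are read-only')


def protect(obj, methods):
    """Wrap obj so that only the named methods can be looked up on it."""
    return _Protected(obj, methods)


class MyPolicy(object):
    """Policy factory: hands out wrapped file objects, read-only."""
    FILE_METHODS = ('read', 'close')

    def __init__(self, opener=open):
        # The opener is injectable so the example can run on in-memory
        # files; a real policy would call open() directly.
        self._opener = opener

    def file(self, path, perms):
        if perms == 'r':
            return protect(self._opener(path, perms), methods=self.FILE_METHODS)
        raise SecurityException('policy allows read-only access, got %r' % perms)


class Sandbox(object):
    """Runs untrusted code with a protected view of the policy."""

    def __init__(self, policy):
        # The policy object is itself wrapped, so sandboxed code sees the
        # factory method 'file' and nothing else (no _opener, no __class__).
        self.policy = protect(policy, methods=('file',))

    def run(self, func):
        return func(self.policy)


def _memory_opener(path, perms):
    # Constructed stand-in for open(): returns an in-memory file so the
    # example needs no real filesystem.
    return io.StringIO('constructed file contents for %s' % path)


def demo():
    """Run a small untrusted function and record what the policy allowed."""
    sb = Sandbox(MyPolicy(opener=_memory_opener))
    results = {}

    def untrusted(policy):
        f = policy.file('/etc/motd', 'r')       # allowed: read-only open
        results['data'] = f.read()              # allowed: 'read' is listed
        try:
            f.write('x')                        # denied: not in allow-list
        except SecurityException:
            results['write_denied'] = True
        try:
            policy._opener                      # denied: policy internals hidden
        except SecurityException:
            results['inspect_denied'] = True
        try:
            policy.file('/etc/motd', 'w')       # denied by the policy itself
        except SecurityException:
            results['open_for_write_denied'] = True
        f.close()                               # allowed: 'close' is listed

    sb.run(untrusted)
    return results


if __name__ == '__main__':
    print(demo())
```

Two design points are worth noticing. Overriding `__getattribute__` (rather than `__getattr__`) matters: with `__getattr__`, names that exist on the proxy itself, such as `__class__` and `__dict__`, would be served before the allow-list is consulted. And the policy's own code runs against the real `MyPolicy` instance, so it can use `self._opener` freely; only the reference handed into the sandbox is the proxy.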

