[Python-Dev] Restricted execution: what's the threat model?
Bob Ippolito
bob at redivi.com
Wed Jul 12 23:50:13 CEST 2006
On Jul 12, 2006, at 2:23 PM, Jim Jewett wrote:
> Ka-Ping Yee writes:
>
>> A. The interpreter will not crash no matter what Python code
>> it is given to execute.
>
> Why?
>
> We don't want it to crash the embedding app (which might be another
> python interpreter), but if the sandboxed interpreter itself crashes,
> is that so bad? The embedding app should just act as though that
> interpreter exited, possibly with a status code.
When he says crash, I'd have to imagine that he means of the segfault
variety. Good luck saving the embedding app after that.
>> C. Python programs running in different interpreters embedded
>> in the same process cannot access each other's Python objects.
>
> Note that Brett's assumption of shared extension modules violates this
> -- but I'm not sure why he needs to assume that. (Because of the
> init-only-once semantics, I'm not even sure it is a good idea to share
> them.)
Well, if you don't share them, you can't have them at all other than
in the main trusted interpreter. C extensions can only be safely
initialized once and they often cache objects in static variables...
lots of C modules aren't even safe to use when combined with multiple
interpreters and threads (e.g. PyGILState API), so I guess that
perhaps the C API should be refined anyway.
-bob
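The "cache objects in static variables" problem Bob describes above, as an added example that is not part of the thread or of CPython. It is a plain-C model with no Python headers: `Interp` and `Obj` are hypothetical stand-ins for a (sub)interpreter and a Python object, and `module_state` models the per-interpreter module state that CPython later standardised (PEP 3121). The first version keeps the module's cached object in a process-wide static, so whichever interpreter initialises the module first owns the object and every later interpreter is handed that same pointer, violating property C; the second version keeps the cache per interpreter.

```c
/* Added example, not code from the thread or from CPython: a plain-C
 * model of a C extension that caches an object in a static variable.
 * `Interp`, `Obj` and `module_state` are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a Python object; it remembers which interpreter made it. */
typedef struct Obj {
    int owner_id;
    char name[32];
} Obj;

/* Stand-in for a (sub)interpreter. `module_state` models per-interpreter
 * module state (assumption: one slot is enough for this single module). */
typedef struct Interp {
    int id;
    Obj *module_state;
} Interp;

static Obj *obj_new(const Interp *ip, const char *name)
{
    Obj *o = calloc(1, sizeof *o);
    if (o == NULL)
        abort();
    o->owner_id = ip->id;
    strncpy(o->name, name, sizeof o->name - 1);
    return o;
}

/* 1 if `o` was created by an interpreter other than `ip`: that is the
 * cross-interpreter object access property C says must not happen. */
int crosses_boundary(const Interp *ip, const Obj *o)
{
    return o->owner_id != ip->id;
}

/* ---- Pattern the post warns about: process-wide static cache ---------- */

static Obj *g_cached = NULL;   /* shared by every interpreter in the process */
static int g_init_count = 0;   /* how many times init actually ran */

Obj *leaky_module_get(Interp *ip)
{
    if (g_cached == NULL) {        /* init-only-once: the first caller wins */
        g_cached = obj_new(ip, "helper");
        g_init_count++;
    }
    return g_cached;               /* later interpreters get someone else's object */
}

void leaky_module_reset(void)
{
    free(g_cached);
    g_cached = NULL;
    g_init_count = 0;
}

/* ---- Fix: keep the cache in per-interpreter module state -------------- */

Obj *isolated_module_get(Interp *ip)
{
    if (ip->module_state == NULL)
        ip->module_state = obj_new(ip, "helper");
    return ip->module_state;       /* each interpreter sees only its own object */
}

/* Run a trusted and a sandboxed interpreter through the module and count
 * how many of them end up holding an object owned by the other one. */
int leaky_violations(void)
{
    Interp trusted = { 1, NULL }, sandbox = { 2, NULL };
    Obj *a = leaky_module_get(&trusted);   /* trusted interpreter imports first */
    Obj *b = leaky_module_get(&sandbox);   /* sandbox imports the same module */
    int v = crosses_boundary(&trusted, a) + crosses_boundary(&sandbox, b);
    printf("static cache: init ran %d time(s); sandbox holds interp %d's object\n",
           g_init_count, b->owner_id);
    leaky_module_reset();                  /* a == b, so one free covers both */
    return v;                              /* 1: the sandbox got the trusted object */
}

int isolated_violations(void)
{
    Interp trusted = { 1, NULL }, sandbox = { 2, NULL };
    Obj *a = isolated_module_get(&trusted);
    Obj *b = isolated_module_get(&sandbox);
    int v = crosses_boundary(&trusted, a) + crosses_boundary(&sandbox, b);
    printf("per-interpreter state: sandbox holds interp %d's object\n", b->owner_id);
    free(a);
    free(b);
    return v;                              /* 0: each interpreter has its own */
}

int main(void)
{
    return (leaky_violations() == 1 && isolated_violations() == 0) ? 0 : 1;
}
```

The model also shows why "init only once" and isolation pull in opposite directions: in the static version the second import never re-runs initialisation, so the only way to give the sandbox its own object is to move the cache out of the static and into state the interpreter owns, which is what the second version does.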