[Python-Dev] Add a frozendict builtin type

Victor Stinner victor.stinner at gmail.com
Thu Mar 1 18:44:53 CET 2012


> In App Engine's case, an attacker who broke out of the sandbox would have
> access to the inside of Google's datacenter, which would obviously be
> bad -- that's why Google has developed its own sandboxing
> technologies.

This is not specific to Google: if an attacker breaks a sandbox,
he/she has access to everything. Depending on how the sandbox is
implemented, you have more or less code to audit.

pysandbox disables introspection in Python and creates an empty
namespace to reduce as much as possible the attack surface. You are to
be very careful when you add a new feature/function and it is complex.

> I do know that I don't feel comfortable having a sandbox in the Python
> standard library or even recommending a 3rd party sandboxing solution

frozendict would help pysandbox but also any security Python module,
not security, but also (many) other use cases ;-)

> I wasn't just referring to rexec/Bastion (though that definitely
> shaped my thinking about this issue; much more recently someone (Tal,
> I think was his name?) tried to come up with a sandbox and every time
> he believed he had a perfect solution, somebody found a loophole.
> (Hm..., you may have been involved that time yourself. :-)

pysandbox is based on tav's approach, but it is more complete and
implements more protections. It is also more functional (you have more
available functions and features).

I challenge anyone to try to break pysandbox!

Victor

