[Python-Dev] Reviving restricted mode?

[Victor Stinner]

2014-08-11 19:42 GMT+02:00 matsjoyce <matsjoyce at gmail.com>:
> Yup, I read that post. However, those specific issues do not exist in my
> module, as there is a module whitelist, and a method whitelist. Builtins are
> now proxied, and all types going in to functions are checked for
> modification. There maybe some holes in my approach, but I can't find them.

I take a look at your code and it looks like almost everything is blocked.

Right now, I'm not sure that your sandbox is useful. For example, for
a simple IRC bot, it would help to have access to some modules like
math, time or random. The problem is to provide a way to allow these
modules and ensure that the policy doesn't introduce a new hole.
Allowing more functions increase the risk of new holes.

Even if your sandbox is strong, CPython contains a lot of code written
in C (50% of CPython is written in C), and the C code usually takes
shortcuts which ignore your sandbox. CPython source code is huge
(+210k of C lines just for the core). Bugs are common, your sandbox is
vulnerable to all these bugs. See for example the Lib/test/crashers/
directory of CPython.

For my pysandbox project, I wrote some proxies and many
vulnerabilities were found in these proxies. They can be explained by
the nature of Python, you can introspect everything, modify
everything, etc. It's very hard to design such proxy in Python.
Implementing such proxy in C helps a little bit.

The rule is always the same: your sandbox is as strong as its weakest
function. A very minor bug is enough to break the whole sandbox. See
the history of pysandbox for examples of such bugs (called
"vulnerabilities" in the case of a sandbox).

Victor