Creating a capabilities-based restricted execution system

John Roth newsgroups at jhrothjr.com
Sat Jan 3 08:08:01 EST 2004


"Sean R. Lynch" <seanl at chaosring.org> wrote in message
news:LmmdnUn4seDeGWuiXTWc-w at speakeasy.net...

[...]

> Does anyone think I'm going in completely the wrong direction here? Am I
> missing anything obvious?

Yes, you're missing something really obvious. Multi-level
security is a really difficult problem if you want to solve it
in a believable (that is, bullet-proof) fashion. The only way
I know of solving it is to provide separate execution
environments for the different privilege domains.
In the current Python structure, that means different
interpreters so that the object structures don't intermix.

If you have separate domains, then the only support
needed is to remove privileged modules from the
built-ins, and virtualize import so that it won't load
modules that aren't on the approved list for that
domain.

You also, of course, need some form of gate between
the untrusted and trusted domains.

Once that's done, there's no reason to layer additional
complexity on top, and there is no reason to restrict
any introspection facilities.

John Roth

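As an added illustration of the untrusted side of the design sketched above (not code from the thread or its authors), the following builds a builtins namespace with privileged names removed and `__import__` replaced by an approved-list check; the module names used are a constructed sample policy, and this alone is not the separate-interpreter isolation the post argues is required.

```python
"""
Approved-list import virtualization for one restricted execution domain.

Added illustration, not from the original thread. Code compiled for the
domain sees a builtins dict with privileged names stripped and with
__import__ replaced by a wrapper that only loads approved modules.
"""
import builtins

# Names removed from the domain's builtins (constructed sample policy).
PRIVILEGED_NAMES = ("open", "exec", "eval", "compile", "breakpoint")


class ImportDenied(ImportError):
    """Raised when domain code tries to import a module not on its list."""


def make_domain_builtins(approved_modules, removed_names=PRIVILEGED_NAMES):
    approved = frozenset(approved_modules)
    real_import = builtins.__import__

    def restricted_import(name, globals=None, locals=None, fromlist=(), level=0):
        # Relative imports are refused; dotted names are checked by top-level package,
        # so approving "os" would also approve "os.path".
        if level != 0:
            raise ImportDenied("relative imports are not allowed in this domain")
        top = name.split(".", 1)[0]
        if top not in approved:
            raise ImportDenied(f"module {name!r} is not on the approved list")
        return real_import(name, globals, locals, fromlist, level)

    domain = {k: v for k, v in vars(builtins).items() if k not in removed_names}
    domain["__import__"] = restricted_import  # the import statement resolves through here
    return domain


def run_in_domain(source, approved_modules):
    """Execute untrusted source with the domain's builtins; return its namespace."""
    code = compile(source, "<domain>", "exec")
    namespace = {"__builtins__": make_domain_builtins(approved_modules)}
    exec(code, namespace)
    return namespace


def import_is_denied(source, approved_modules):
    """True if running the source in the domain trips the approved-list check."""
    try:
        run_in_domain(source, approved_modules)
    except ImportDenied:
        return True
    return False
```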
More information about the Python-list mailing list