[pypy-dev] Sandboxing in Pypy and Crunchy

Laura Creighton lac at openend.se
Sun Dec 9 23:04:04 CET 2007 

In a message of Sun, 09 Dec 2007 13:22:10 -0400, "Andre Roberge" writes:
>Hello everyone,
>
>Please forget the intrusion but I did not know where else to ask this que
>stion.


Welcome.  This is not an intrusion.  You have come to the right place.
You may want to start by reading this.
http://codespeak.net/pypy/dist/pypy/doc/sandbox.html

Cpython is the python you know and use, the one that is written in C.
pypy-c is a pypy interpreter, which could be interpreting python, but
could also be interpreting prolog, or javascript, or squeak -- and
which produces as its output c code that you can run.  Just so you
don't confuse them as you are reading.

>
>Through my involvement with Google's Highly Open Participation
>contest, I have learned about the sandboxing capabilities of pypy and,
>I believe although I can't find it anymore, the ability to limit the
>time allowed to a given process.  Even if this last one is wrong, the
>sandboxing capability is something I would be extremely interested in
>using.
>
>The application I have in mind is Crunchy.  In a nutshell: Crunchy
>takes an arbitrary html page (with embedded Python code inside <pre>
>tags) and transforms it so that the user can execute, in a variety of
>ways, the Python code displayed in a browser (Firefox) window.  It is
>a different way to interact with code than the ones given as examples
>on http://play1.codespeak.net/.
>
>Crunchy's user code (executed from the browser window) is not
>sandboxed.  I was wondering how difficult it would be to have it
>sandboxed.
>
>Here are a few more specific questions:
>
>1 a. Is it possible to create a "sandboxed python interpreter" that
>can be included as a module distributed with a cPython based program
>(Crunchy) without having pypy included in the distribution?
>1 b. If so, does that module has to be (pre-)compiled for a given
>target machine?
>
>2. Is it possible to limit the time for a given process (as mentioned abo
>ve)?
>
>Thank you in advance for anyone that can give me some information
>regarding the above.  If you feel this discussion is not appropriate
>for this list, please do not hesitate to tell me so and perhaps answer
>the questions "off-list".   And, if the answers are simply: read  this
>URL, and try this example, it would be appreciated as well.
>
>Cheers,
>
>André

This list is the appropriate place for this discussion.  But so is
#pypy on irc.freenode.net.  There you can hold real conversations,
so its often faster to figure things out by talking to us there.

Can you post the details of the architecture of crunchy?  Where does
the student's code run?  On the student's machine? or on the teacher's
server machine?

The ability to sandbox is a property of the architecture of pypy.
It's not a module that you could port to Cpython.  The person you
want to sandbox has to be running pypy.

Laura

>
>P.S. Crunchy's code is ... the work of two Python hobbyists ... and is
>probably not worth looking at - I can probably clarify any specific
>point needed to find out how it works, if  needed to answer the
>questions I raised, better by email than having anyone read its code.
>_______________________________________________
>pypy-dev at codespeak.net
>http://codespeak.net/mailman/listinfo/pypy-dev

More information about the Pypy-dev mailing list