[Python-checkins] r50480 - python/branches/bcannon-sandboxing/sandboxing_design_doc.txt

brett.cannon python-checkins at python.org
Fri Jul 7 20:30:05 CEST 2006


Author: brett.cannon
Date: Fri Jul  7 20:30:05 2006
New Revision: 50480

Modified:
   python/branches/bcannon-sandboxing/sandboxing_design_doc.txt
Log:
Make PySandbox_Allowed*() the common prefix for macros that check for permission rights.


Modified: python/branches/bcannon-sandboxing/sandboxing_design_doc.txt
==============================================================================
--- python/branches/bcannon-sandboxing/sandboxing_design_doc.txt	(original)
+++ python/branches/bcannon-sandboxing/sandboxing_design_doc.txt	Fri Jul  7 20:30:05 2006
@@ -34,6 +34,7 @@
 * decide on what type of objects (e.g., PyStringObject or const char *) are to
   be passed into PySandbox_*Extended*() functions
 * all built-ins properly protected?
+* exactly how to tell whether argument to open() is a path, IP, or host name.
 
 Goal
 =============================
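Review bot: the new open-question item is the one that decides which rights check runs, so it should also record the ordering: the string passed to open() has to be classified as a path, IP, or host name before any permission check, and the classification must be done once and used for both the check and the actual operation. Otherwise a value could be tested against one membership list (allowed file paths) and then used as a different kind of resource (a host name); stating that here keeps the later API sections honest about what 'string' means in the membership macros. Minor style point: the other items in this list do not end with a period.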
@@ -423,10 +424,12 @@
 incorrectly checking a return value on a rights-checking function call.  For
 the rare case where this functionality is disliked, just make the check in a
 utility function and check that function's return value (but this is strongly
-discouraged!).  Functions that check that an operation is allowed implicitly operate on the currently running interpreter as
+discouraged!).
+
+Functions that check that an operation is allowed implicitly operate on the currently running interpreter as
 returned by ``PyInterpreter_Get()`` and are to be used by any code (the
 interpreter, extension modules, etc.) that needs to check for permission to
-execute.
+execute.  They have the common prefix of ``PySandbox_Allowed*()``.
 
 
 API
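Review bot: the new sentence calls these "Functions" with a "common prefix of ``PySandbox_Allowed*()``", but the entries later in the document (PySandbox_AllowedNetworkInfo, PySandbox_AllowedExtendedFlag, PySandbox_AllowedExtendedMembership) are all described as macros that force the caller to return 'error_return', which is exactly the behaviour the preceding paragraph uses to justify them. Suggest "Macros that check that an operation is allowed ... They share the ``PySandbox_Allowed`` prefix." so that the naming rule is stated as a prefix rather than as a pattern with a trailing ``*()``, and so the function/macro distinction matches the API section.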
@@ -503,8 +506,11 @@
 
 To open a file, one will have to use open().  This will make open() a factory
 function that controls reference access to the 'file' type in terms of creating
-new instances.  When an attempted file opening fails, SandboxError will be
-raised.
+new instances.  When an attempted file opening fails (either because the path
+does not exist or of security reasons), SandboxError will be
+raised.  The same exception must be raised to prevent filesystem information
+being gleaned from the type of exception returned (i.e., returning IOError if a
+path does not exist tells the user something about that file path).
 
 What open() may not specifically be an instance of 'file' but a proxy
 that provides the security measures needed.  While this might break code that
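Review bot: raising the same exception type for "does not exist" and "not permitted" only closes the information channel if the exception's message and attributes are also uniform; if SandboxError carries the underlying errno or OS error text, the caller learns the same thing it would have learned from IOError. Suggest adding a sentence that the SandboxError raised by open() must not expose the reason the open failed (no errno, no OS message, no path echoed from the filesystem). Also, the parenthetical reads awkwardly; "either because the path does not exist or for security reasons" is what is meant.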
@@ -765,6 +771,15 @@
 Allow sending and receiving data to/from specific IP addresses on specific
 ports.
 
+open() is to be used as a factory function to open a network connection.  If
+the connection is not possible (either because of an invalid address or
+security reasons), SandboxError is raised.
+
+A socket object may not be returned by the call.  A proxy to handle security
+might be returned instead.
+
+XXX
+
 
 Why
 --------------
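Review bot: the "XXX" placeholder leaves this section unfinished; at minimum it should say what the network open() call takes as arguments (address plus port, given that the section above grants rights per IP and port) and how the call is distinguished from a file open, since the same factory function serves both. "A socket object may not be returned by the call" is ambiguous between "might not" and "must not"; the file section above phrases the same idea as "What open() [returns] may not specifically be an instance of 'file' but a proxy", so mirroring that wording ("the object returned need not be a socket object; a proxy ... may be returned instead") would remove the ambiguity. The same uniform-SandboxError rule stated for files should be repeated here for the invalid-address versus security-reasons cases.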
@@ -844,7 +859,7 @@
     whether the IP or host address is explicitly allowed.  If the interpreter
     is not sandboxed, return a false value.
 
-* PySandbox_CheckNetworkInfo(error_return)
+* PySandbox_AllowedNetworkInfo(error_return)
     Macro that will return 'error_return' for the caller and set a SandboxError exception
     if the sandboxed interpreter does not allow checking for arbitrary network
     information, otherwise do nothing.
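Review bot: only the definition line is renamed in this hunk; the old spelling PySandbox_CheckNetworkInfo should be searched for elsewhere in the document (and in any code that already uses it) so that no reference keeps the pre-rename name. Since the commit message says PySandbox_Allowed*() is now the common prefix for all permission-checking macros, it would also be worth confirming in the same pass that no other Check*() macro remains outside the three renamed in this revision.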
@@ -979,7 +994,7 @@
         use of the resource (e.g., network information).  Returns a false value
         if used on an unprotected interpreter.
 
-    * PySandbox_ExtendedAllowedFlag(group, type, error_return)
+    * PySandbox_AllowedExtendedFlag(group, type, error_return)
         Macro that if the group-type is not set to true, cause the caller to
         return with 'error_return' with SandboxError exception raised.  For unprotected
         interpreters the check does nothing.
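Review bot: the description sentence for PySandbox_AllowedExtendedFlag is grammatically broken ("Macro that if the group-type is not set to true, cause the caller to return with 'error_return' with SandboxError exception raised"); suggest "Macro that, if the group-type is not set to true, causes the caller to return 'error_return' with a SandboxError exception raised." The rename itself is consistent with the prefix rule in the commit message and with PySandbox_AllowedNetworkInfo above.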
@@ -1004,12 +1019,12 @@
 
 
 + Membership
-    * int PySandbox_ExtendedSetMembership(PyThreadState *, group, type, string)
+    * int PySandbox_SetExtendedMembership(PyThreadState *, group, type, string)
         Add a string to be considered a member of a group-type (e.g., allowed
         file paths).  If the interpreter is not an sandboxed interpreter,
         return a false value.
 
-    * PySandbox_ExtendedCheckMembership(group, type, string, error_return)
+    * PySandbox_AllowedExtendedMembership(group, type, string, error_return)
         Macro that checks 'string' is a member of the values set for the
         group-type.  If it is not, then have the caller return 'error_return'
         and set an exception for SandboxError, otherwise does nothing.
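Review bot: the membership check compares 'string' against the values set for the group-type, but for the file-path example given ("allowed file paths") a plain string comparison is not enough: the document should state that both the stored members and the checked string are canonicalized (absolute, normalized, symlinks resolved) before comparison, otherwise two spellings of the same path are treated as different members and the allow list does not mean what the author sets. That belongs either in PySandbox_SetExtendedMembership (canonicalize on insertion) or in PySandbox_AllowedExtendedMembership (canonicalize on check), and the text should say which. Also note the typo "an sandboxed interpreter" in the unchanged context line.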