Limiting the features of an embedded python instance

Question

Is there a way to limit the abilities of python scripts running under an embedded interpretor? Specifically I wish to prevent the scripts from doing things like the following:

• Importing python extension modules (ie .pyd modules), except those specifically allowed by the application.
• Manipulating processes in any way (ie starting new processes, or terminating the application).
• Any kind of networking.
• Manipulating the file system (eg creating, modifying and deleting files).

Answer 1

What you want it Google's Unladen Swallow project that Python version of App Engine runs on.

Modules are severely restricted, ctypes are not allowed, sockets are matched against some policy or other, in other words you get a sandboxed version of Python, in line with their Java offering.

I'd like to point out that this makes the system almost useless. Well useless for anything cooler than yet another [App Engine] App. Forget monkey-patching system modules, and even access to own stack is restricted. Totally un-dynamic-like.

OT: games typically embed LUA for scripting, perhaps you should check it out.

Answer 2

No. There's no easy way to prevent those things on CPython. Your options are:

1. Edit CPython source code and remove things you don't want - provide mocking methods for all those things. Very error-prone and hard to do. This is the approach of Google's App Engine.
2. Use Restricted Python. However, with it you can't prevent your user from exhausting the memory available or running infinite eat-all-cpu loops.
3. Use another python implementation. PyPy has a sandbox mode you can use. Jython runs under java and I guess java can be sandboxed.

Answer 3

Maybe this can be helpful. You have an example provided on how to work with the ast.