Reputation: 13816
I'm planning to write a pluggable application in Python (+Qt4). However, I have great concerns about security. The plugins should be powerful enough to do whatever they like within the application (and as a further constraint there will be a signing process and a warning for the user when using such a plugin), but interacting with the environment (filesystem, other processes, networking, etc.) should be done by the plugins only through some Python code I will write.
Is there any safe and easy way to achieve this, besides having to do static code analysis on the code of the plugins prior to installing them?
Upvotes: 3
Views: 863
Reputation: 328624
In short: No.
Explanation: For years, the Python gurus have tried to build a sandbox for Python. The problem with the sandbox is that you need a couple of things to do any IO (i.e. being able to transfer data at all between your sandbox and the app). They didn't find an automatic, Pythonic way to do it. Either you can't exchange data with the plugin, or introspection would then allow walking the object tree in the app -> access to everything you like.
Imagine your idea: the plugin calls some Python code which you write. This probably means calling a method or function. That means you must give me a valid method or function object. From the method or function object, I can get your module object. From your module, I can get all the symbols (i.e. the imports). From there, I can do everything your module can do (at least).
See this article for some pointers.
Upvotes: 5
Reputation: 3917
It's a very old question, but maybe QtScript might be the answer. However, I have no idea if you can sandbox this or if QtScript is powerful enough for your application.
Upvotes: 1
Reputation: 21
Python code running within a normal Python process cannot be sandboxed, since you can always crawl out, but you can sandbox an entire Python interpreter.
For example, PyPy supports sandboxing: http://codespeak.net/pypy/dist/pypy/doc/sandbox.html
If you wanted to, you could probably write a Python library to run a Python script in a secured pypy-c instance, with some shared memory used to transfer data you trust and some kind of signals to trigger events in your program.
You might also be able to sandbox the normal embedded CPython interpreter using something like SELinux, which I believe can be used within code (it's normally system admin stuff) and is supported on most Linux distros, or whatever the Windows alternative is depending on your platform. Google Chrome has some sandbox code if you're willing to dig through the giant codebase.
Upvotes: 2
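The two escape paths the answers describe, as an added example that is not from the question or any of the answers: the first answer's walk from a callback the host hands out to its module globals and from there to `__import__`, and the last answer's point that plugin code in the same CPython process "can always crawl out" even when the host strips `__builtins__` from the plugin's namespace. The host API (`host_log`), the plugin source (`PLUGIN_SOURCE`) and the helper names are hypothetical, constructed for this demonstration; the only real dependency is CPython's own object model.

```python
"""Added example (not from the question or any answer): two ways plugin code
running inside the host's CPython interpreter reaches the host's environment.

Hypothetical host API: `host_log` is the one function the host intends to
expose to plugins. Everything else the plugin reaches is derived from that
object or from the builtin type hierarchy; nothing here is a real framework.
"""
import os


def host_log(message: str) -> str:
    """The only callable the host deliberately exposes. It just formats text."""
    return f"[host] {message}"


def escape_via_callback(callback) -> str:
    """Escape 1 (first answer): callback -> its module's globals -> imports.

    Every plain Python function carries `__globals__`, the namespace of the
    module it was defined in. That namespace always contains `__builtins__`,
    which contains `__import__`, so the plugin can import whatever the host
    process can, whether or not the host module imported it itself.
    """
    g = callback.__globals__
    builtins = g["__builtins__"]
    # In `__main__` `__builtins__` is the module; in imported modules it is a dict.
    importer = builtins["__import__"] if isinstance(builtins, dict) else builtins.__import__
    os_mod = importer("os")
    return os_mod.getcwd()


# Constructed plugin source. It is exec'd with an empty `__builtins__`, so
# `import`, `open`, `getattr` and friends are unavailable by name ...
PLUGIN_SOURCE = """
import_blocked = False
try:
    import os
except:  # bare except: even `ImportError` is not reachable by name here
    import_blocked = True

# ... but the object graph still is. Walk from a tuple to `object`, list its
# direct subclasses, and pick one defined in the `os` module (CPython imports
# `os` at startup). Its `__init__.__globals__` is the `os` module namespace.
leaked = None
for cls in ().__class__.__base__.__subclasses__():
    if cls.__name__ == "_wrap_close":
        leaked = cls.__init__.__globals__["getcwd"]()
        break
"""


def run_restricted(source: str) -> dict:
    """Escape 2 (last answer's "you can always crawl out"): execute plugin
    source with stripped builtins, the classic in-process "sandbox", and
    report what it still managed to reach."""
    ns = {"__builtins__": {}}
    exec(source, ns)
    return {"import_blocked": ns["import_blocked"], "leaked": ns["leaked"]}


if __name__ == "__main__":
    print("callback escape ->", escape_via_callback(host_log))
    print("restricted exec ->", run_restricted(PLUGIN_SOURCE))
```

Both paths end in the same place (the plugin calls `os.getcwd()` from the host's process, and could just as well call `os.system`), which is why the answers point at process-level isolation (a separate sandboxed interpreter, OS mandatory access control) rather than anything done from Python itself.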