Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Short term Python: Restrict Python to only execute OSTree provided files #152

Closed
dustymabe opened this issue Feb 20, 2019 · 9 comments
Closed

Short term Python: Restrict Python to only execute OSTree provided files #152

dustymabe opened this issue Feb 20, 2019 · 9 comments
Labels
-python card related to removing a python dependency jira for syncing to jira

Comments

@dustymabe
Copy link
Member

Colin had an interesting suggestion in #32 (comment). His suggestion is that we can restrict python execution of random user scripts by:

  • patching python to deny execution of any thing that doesn't live under /usr/

This allows us to achieve our #1 goal that we identified while we continue to work on the process of burning down our other python dependencies.
@dustymabe dustymabe added -python card related to removing a python dependency meeting topics for meetings labels Feb 20, 2019
@bgilbert bgilbert removed the meeting topics for meetings label Feb 20, 2019
@dustymabe
Copy link
Member Author

Discussed in the meeting this past wednesday:

AGREED: We are willing to try a 'restricted python' approach while
    we burndown python dependencies in parallel

@dustymabe dustymabe added the jira for syncing to jira label Feb 22, 2019
@vstinner
Copy link

There are 2 PEPs which would allow that:

cc @tiran @zooba

@dustymabe
Copy link
Member Author

There are 2 PEPs which would allow that:

i.e. by using the proposed spython to restrict what could run?

@arithx
Copy link
Contributor

arithx commented May 6, 2019

From a quick read through the PEPs I'm not sure that spython fits the exact use case. Ideally we'd want users to not be able to run anything through python (from either the command-line or scripts) and only provide python to packages that require it.

@vstinner is there some other mechanism in the spython proposal I'm missing that would allow us to have that sort of functionality?

@tiran
Copy link

tiran commented May 6, 2019

Your use case can be implemented with PEP 578 and three custom hooks:

  1. A custom verified open hook that verifies py/pyc imports
  2. A custom cpython.dlopen audit hook that verifies extension modules
  3. A setopencodehook hook to ensure that nobody can reset the custom verified open hook.

I'll work on a PoC.

@tiran
Copy link

tiran commented May 6, 2019

CC @zooba

@zooba
Copy link

zooba commented May 6, 2019

There are a couple of (Windows-specific) PoCs already at https://github.com/zooba/spython/ - happy to have more :)

spython is really just a substitution variable for "your own locked-down version of Python". It's not a real thing that you can just pick up and use. But with a bit of luck we'll get the PEP 578 APIs merged this week and then creating an spython looks like pretty straightforward embedding.

@ajeddeloh
Copy link
Contributor

Also worth calling out it looks like we'll be able to ship without python at all (just pending the xfsprogs package split), so this is only relevant if we end up needing to pull it back in.

@ajeddeloh
Copy link
Contributor

Closing as we're now no longer shipping python! Feel free to reopen later if needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
-python card related to removing a python dependency jira for syncing to jira
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@vstinner @bgilbert @tiran @zooba @arithx @ajeddeloh @dustymabe