
Restricted Execution Mode

Restricted Execution is the basic framework in Python for separating trusted from untrusted code. A program running in trusted mode creates an execution environment in which untrusted code runs with limited privileges: the framework withholds the modules and built-in functions that would give that code access to critical operations, such as opening files or importing arbitrary modules.

Two modules implement Python's support for restricted execution: rexec and Bastion. Both belong to Python 2, and both were abandoned in Python 2.3, where importing them raises RuntimeError, because new-style classes offered ways to break out of the restricted environment; neither exists in Python 3. The description that follows shows how they were meant to work, which is still useful for reading older code.

The rexec module implements a basic restricted execution framework by encapsulating, in a class called RExec, the attributes that specify what the untrusted code is allowed to do. Code executed in this restricted environment has access only to the modules and functions listed as safe; the trusted program that creates the RExec instance decides those limits.

Calling rexec.RExec() creates an instance of the RExec class, and that instance is the restricted environment. To change the limits, subclass RExec and override the class attributes listed below in the subclass (or adjust them in its __init__() method); the instance then reads the overridden values.

RExec.ok_builtin_modules—   Tuple of names of built-in modules that restricted code may import.

RExec.nok_builtin_names—   Tuple of built-in function names withheld from restricted code (by default open, reload, and __import__).

RExec.ok_path—   List of directories searched when restricted code imports a Python module.

RExec.ok_sys_names—   Tuple of names from the sys module made available to restricted code.

RExec.ok_posix_names—   Tuple of names from the os module made available to restricted code.

The following methods are called by code running inside the restricted environment; they are the restricted replacements for the corresponding built-ins:

r_import(modulename [,globals [,locals]])—   Imports a module; the import statement inside the restricted environment calls this in place of the built-in __import__() function.

r_open(filename [, mode [, buffersize]])—   Opens a file in place of the built-in open() function.

r_unload(modulename)—   Unloads a module, removing it from the restricted environment's sys.modules.

r_reload(modulename)—   Reloads a module in place of the built-in reload() function.

The methods s_import(), s_unload(), and s_reload() behave like the r_ versions, except that the code they serve is also granted access to the restricted versions of the standard streams sys.stdin, sys.stdout, and sys.stderr.

When you create an instance of the RExec class, the instance has the following methods available:

r_exec(code)—   Executes code (a string or code object) in the restricted environment, like the exec statement.

r_eval(code)—   Evaluates an expression in the restricted environment, like the built-in eval() function.

r_execfile(filename)—   Executes the named file in the restricted environment, like the built-in execfile() function.

The methods s_eval(), s_exec(), and s_execfile() behave like the r_ versions, except that the code they run is also granted access to the restricted versions of the standard streams sys.stdin, sys.stdout, and sys.stderr.

Protecting the Application Environment

The next example shows how you can use the rexec module to protect your processing environment. We subclass rexec.RExec and redefine the r_import() method so that every import statement executed inside the environment is refused, whatever the module; the allow-list in ok_builtin_modules is never consulted.

import rexec

class ExecEnv(rexec.RExec):
    # r_import is what the import statement calls inside the restricted
    # environment; refusing here blocks every module, allow-listed or not.
    def r_import(self, *args):
        raise SystemError, "The import function is not enabled."

myEnv = ExecEnv()
myEnv.s_exec("import sys")   # the import statement calls r_import, so SystemError is raised
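The same allow-list and deny-list idea in a form that runs on a current Python, as an added example. It is not the rexec module (which no longer exists) and not the book's code: the names make_restricted_builtins, run_restricted, RestrictedImportError and DEFAULT_NOK_NAMES are this example's own, modelled on RExec.ok_builtin_modules, RExec.nok_builtin_names and RExec.r_exec().

```python
# Added example: a Python 3 stand-in for the allow/deny lists that rexec.RExec
# kept in ok_builtin_modules and nok_builtin_names. rexec itself no longer
# exists, so this is the editor's code, not the rexec module; the names
# make_restricted_builtins, run_restricted and RestrictedImportError are ours.
import builtins
import importlib


class RestrictedImportError(ImportError):
    """Raised when sandboxed code imports a module outside the allow-list."""


# Built-in names withheld from sandboxed code (the analogue of
# RExec.nok_builtin_names, which by default held open, reload and __import__).
DEFAULT_NOK_NAMES = (
    'open', 'exec', 'eval', 'compile', 'input', 'breakpoint',
    'exit', 'quit', 'help', 'globals', 'locals', 'vars',
    'getattr', 'setattr', 'delattr', 'memoryview',
)


def make_restricted_builtins(ok_modules, nok_names=DEFAULT_NOK_NAMES):
    """Build the __builtins__ mapping the sandboxed code will see.

    Dunder names are dropped wholesale; that removes the real __import__,
    which is replaced below by a version that consults the allow-list.
    """
    safe = {
        name: getattr(builtins, name)
        for name in dir(builtins)
        if not name.startswith('_') and name not in nok_names
    }

    def restricted_import(name, globals=None, locals=None, fromlist=(), level=0):
        # Like rexec, only the top-level package name is checked.
        top = name.partition('.')[0]
        if top not in ok_modules:
            raise RestrictedImportError('import of %r is not enabled' % name)
        return importlib.__import__(name, globals, locals, fromlist, level)

    safe['__import__'] = restricted_import
    return safe


def run_restricted(code, ok_modules=('math',), nok_names=DEFAULT_NOK_NAMES):
    """Execute `code` with the restricted builtins and return its namespace
    (the counterpart of RExec.r_exec)."""
    env = {'__builtins__': make_restricted_builtins(ok_modules, nok_names)}
    exec(code, env)
    return env


def demo():
    """Exercise the sandbox and record what it allowed and refused."""
    results = {}
    ns = run_restricted('import math\nvalue = math.sqrt(16)')
    results['math'] = ns['value']                 # allow-listed module works
    try:
        run_restricted('import os')
        results['os'] = 'allowed'
    except RestrictedImportError:
        results['os'] = 'refused'                 # not on the allow-list
    try:
        run_restricted("open('/etc/hostname')")
        results['open'] = 'allowed'
    except NameError:                             # open was never handed in
        results['open'] = 'refused'
    return results


if __name__ == '__main__':
    print(demo())
```

Running demo() shows the allow-listed math import succeeding, import os being refused by the replacement __import__, and open() failing with NameError because the name was simply never given to the sandbox. Note what this does not do: it filters names, not objects. Anything reachable from an allowed name, such as the attributes of basic types or of the modules that were let in, is untouched, and that is the class of hole that led to rexec being abandoned in Python 2.3.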

Bastion is the other module that provides restricted access, this time to a single object: it wraps the object in a proxy that forwards only those attribute names for which a filter function returns true, and denies the rest.

The basic syntax is Bastion.Bastion(object, filter). When filter is omitted, names beginning with an underscore are hidden.

>>> import Bastion
>>> class parrot:
...     def __init__(self):
...         self.color = "blue"
...     def setcolor(self, color):
...         self.color = color
...     def getcolor(self):
...         return self.color
...
>>> myparrot = parrot()
>>> my = Bastion.Bastion(myparrot, lambda x: x in ['setcolor', 'getcolor'])
>>> my.getcolor()
'blue'
>>> my.setcolor("green")
>>> my.getcolor()
'green'
>>> my.color
Traceback (innermost last):
  File "<stdin>", line 1, in ?
  File "C:\Program Files\Python\Lib\Bastion.py", line 78, in __getattr__
    attribute = self._get_(name)
  File "C:\Program Files\Python\Lib\Bastion.py", line 121, in get2
    return get1(name)
  File "C:\Program Files\Python\Lib\Bastion.py", line 117, in get1
    raise AttributeError, name
AttributeError: color

As you can see, direct access to the color attribute is refused; it can be read or changed only through getcolor() and setcolor(). The first argument of Bastion() is the original object that carries all the attributes, and the second is a function that must return true for the attribute names the new object may expose. Note that the filter works on names only: the methods it lets through are still bound to the original object, so code that can call my.getcolor can also reach that object through the method's im_self attribute. Bastion hides attributes from cooperative callers; it is not a security boundary against hostile code.
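The Bastion idea rebuilt for a current Python, as an added example. It is not the Bastion module (which no longer exists) and not the book's code: Parrot, _Bastion and bastion() are this example's own names, modelled on the page's parrot class and on Bastion.Bastion(object, filter). The demo replays the page's session and then shows the leak through the bound method mentioned above.

```python
# Added example: a Python 3 reconstruction of the Bastion idea. The Bastion
# module is gone, so Parrot, bastion() and _Bastion below are the editor's
# names, modelled on the page's parrot class and Bastion.Bastion(object, filter).


class Parrot:
    """The page's parrot class, with Python 3 spelling."""

    def __init__(self):
        self.color = 'blue'

    def setcolor(self, color):
        self.color = color

    def getcolor(self):
        return self.color


class _Bastion:
    """Proxy that forwards only attribute names the filter accepts.

    The target lives in a slot whose name starts with an underscore, so the
    default filter hides it from callers of the proxy.
    """
    __slots__ = ('_target', '_filter')

    def __init__(self, target, filter):
        object.__setattr__(self, '_target', target)
        object.__setattr__(self, '_filter', filter)

    def __getattr__(self, name):
        # Only reached for names not found on the proxy itself.
        if self._filter(name):
            return getattr(self._target, name)
        raise AttributeError(name)

    def __setattr__(self, name, value):
        # Assignments through the proxy are refused; state changes must go
        # through methods the filter exposes, such as setcolor().
        raise AttributeError('cannot set %r through a bastion' % name)


def bastion(obj, filter=lambda name: not name.startswith('_')):
    """Counterpart of Bastion.Bastion(object, filter); the default filter
    hides underscore-prefixed names, as the original did."""
    return _Bastion(obj, filter)


def demo():
    """Replay the page's session, then show the leak through a bound method."""
    my = bastion(Parrot(), lambda name: name in ('setcolor', 'getcolor'))
    out = {'first': my.getcolor()}           # 'blue'
    my.setcolor('green')
    out['after_set'] = my.getcolor()         # 'green'
    try:
        my.color
        out['direct'] = 'allowed'
    except AttributeError:
        out['direct'] = 'refused'            # the filter hides 'color'
    # The filter checks names, not objects: getcolor is a method bound to the
    # real Parrot, and its __self__ attribute is that Parrot, filter and all.
    out['leak'] = my.getcolor.__self__.color  # 'green'
    return out


if __name__ == '__main__':
    print(demo())
```

The first three results reproduce the page's transcript: direct access to color is refused while the two methods work. The fourth shows why this is access control by convention only: every method the filter lets out carries a reference to the unfiltered object (im_self in Python 2, __self__ in Python 3), so a hostile caller is one attribute away from the thing the filter was hiding.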


Last updated on 1/30/2002
Python Developer's Handbook, © 2002 Sams Publishing


© 2002, O'Reilly & Associates, Inc.