
I'm referring to "Sandbox Ironpython".

I have somewhat different requirements from the original poster:

Specifically, we need different functionalities to be limited - file system access is okay, most of the standard Python modules are also okay, but only a few explicit .NET DLLs are to be allowed (we want to restrict the Python scripts to the "official" API we provide). AFAICS, this requires hooking into the implementation of the Python import statement.

Any way to accomplish this?

Thanks in advance!

MarkusSchaber

2 Answers


Yes, AppDomains are the only way. If you limit access via the .NET sandboxing then anything you could do w/ the standard library would be appropriately limited as well. So why bother restricting any of the Python scripts? They can't do anything you haven't otherwise permitted.

Dino Viehland

I'm posting this to prevent others from wasting as much time as I did on this.

From a senior developer on the CLR Security team in response to what happens if you try to use os.py:

"The SecurityException in the repro sample is being thrown because the security transparent code in IronPython is calling security critical code (GCHandle.Free), which leads to a demand for Unrestricted permissions."

It's not possible to give it the permissions it needs:

"there is no set of permissions that adds up to PermissionState.Unrestricted"

Even if you could get it to work, AppDomain sandboxing is worthless:

"As far as sandboxing untrusted code, very soon, we will be releasing new guidance that partial trust should not be used as a security boundary. The guidance in full is: “The .NET Framework provides a mechanism for the enforcement of varying levels of trust on different code running in the same application called Code Access Security (CAS). Code Access Security in .NET Framework should not be used as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origins without putting alternative security measures in place.”"

tponthieux