search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Quick update to the README file. For intros and books we now point to
[python/dscho.git] / Lib / rexec.py
blob6ad53b5d8354edcace25271cb28bc62f7f21b01a
1 """Restricted execution facilities.
2
3 The class RExec exports methods r_exec(), r_eval(), r_execfile(), and
4 r_import(), which correspond roughly to the built-in operations
5 exec, eval(), execfile() and import, but executing the code in an
6 environment that only exposes those built-in operations that are
7 deemed safe. To this end, a modest collection of 'fake' modules is
8 created which mimics the standard modules by the same names. It is a
9 policy decision which built-in modules and operations are made
10 available; this module provides a reasonable default, but derived
11 classes can change the policies e.g. by overriding or extending class
12 variables like ok_builtin_modules or methods like make_sys().
13
14 XXX To do:
15 - r_open should allow writing tmp dir
16 - r_exec etc. with explicit globals/locals? (Use rexec("exec ... in ...")?)
17
18 """
19
20
21 import sys
22 import __builtin__
23 import os
24 import ihooks
25
26
27 class FileBase:
28
29 ok_file_methods = ('fileno', 'flush', 'isatty', 'read', 'readline',
30 'readlines', 'seek', 'tell', 'write', 'writelines')
31
32
33 class FileWrapper(FileBase):
34
35 # XXX This is just like a Bastion -- should use that!
36
37 def __init__(self, f):
38 self.f = f
39 for m in self.ok_file_methods:
40 if not hasattr(self, m) and hasattr(f, m):
41 setattr(self, m, getattr(f, m))
42
43 def close(self):
44 self.flush()
45
46
47 TEMPLATE = """
48 def %s(self, *args):
49 return apply(getattr(self.mod, self.name).%s, args)
50 """
51
52 class FileDelegate(FileBase):
53
54 def __init__(self, mod, name):
55 self.mod = mod
56 self.name = name
57
58 for m in FileBase.ok_file_methods + ('close',):
59 exec TEMPLATE % (m, m)
60
61
62 class RHooks(ihooks.Hooks):
63
64 def __init__(self, *args):
65 # Hacks to support both old and new interfaces:
66 # old interface was RHooks(rexec[, verbose])
67 # new interface is RHooks([verbose])
68 verbose = 0
69 rexec = None
70 if args and type(args[-1]) == type(0):
71 verbose = args[-1]
72 args = args[:-1]
73 if args and hasattr(args[0], '__class__'):
74 rexec = args[0]
75 args = args[1:]
76 if args:
77 raise TypeError, "too many arguments"
78 ihooks.Hooks.__init__(self, verbose)
79 self.rexec = rexec
80
81 def set_rexec(self, rexec):
82 # Called by RExec instance to complete initialization
83 self.rexec = rexec
84
85 def is_builtin(self, name):
86 return self.rexec.is_builtin(name)
87
88 def init_builtin(self, name):
89 m = __import__(name)
90 return self.rexec.copy_except(m, ())
91
92 def init_frozen(self, name): raise SystemError, "don't use this"
93 def load_source(self, *args): raise SystemError, "don't use this"
94 def load_compiled(self, *args): raise SystemError, "don't use this"
95 def load_package(self, *args): raise SystemError, "don't use this"
96
97 def load_dynamic(self, name, filename, file):
98 return self.rexec.load_dynamic(name, filename, file)
99
100 def add_module(self, name):
101 return self.rexec.add_module(name)
102
103 def modules_dict(self):
104 return self.rexec.modules
105
106 def default_path(self):
107 return self.rexec.modules['sys'].path
108
109
110 # XXX Backwards compatibility
111 RModuleLoader = ihooks.FancyModuleLoader
112 RModuleImporter = ihooks.ModuleImporter
113
114
115 class RExec(ihooks._Verbose):
116
117 """Restricted Execution environment."""
118
119 ok_path = tuple(sys.path) # That's a policy decision
120
121 ok_builtin_modules = ('audioop', 'array', 'binascii',
122 'cmath', 'errno', 'imageop',
123 'marshal', 'math', 'md5', 'operator',
124 'parser', 'regex', 'pcre', 'rotor', 'select',
125 'strop', 'struct', 'time')
126
127 ok_posix_names = ('error', 'fstat', 'listdir', 'lstat', 'readlink',
128 'stat', 'times', 'uname', 'getpid', 'getppid',
129 'getcwd', 'getuid', 'getgid', 'geteuid', 'getegid')
130
131 ok_sys_names = ('ps1', 'ps2', 'copyright', 'version',
132 'platform', 'exit', 'maxint')
133
134 nok_builtin_names = ('open', 'reload', '__import__')
135
136 def __init__(self, hooks = None, verbose = 0):
137 ihooks._Verbose.__init__(self, verbose)
138 # XXX There's a circular reference here:
139 self.hooks = hooks or RHooks(verbose)
140 self.hooks.set_rexec(self)
141 self.modules = {}
142 self.ok_dynamic_modules = self.ok_builtin_modules
143 list = []
144 for mname in self.ok_builtin_modules:
145 if mname in sys.builtin_module_names:
146 list.append(mname)
147 self.ok_builtin_modules = tuple(list)
148 self.set_trusted_path()
149 self.make_builtin()
150 self.make_initial_modules()
151 # make_sys must be last because it adds the already created
152 # modules to its builtin_module_names
153 self.make_sys()
154 self.loader = RModuleLoader(self.hooks, verbose)
155 self.importer = RModuleImporter(self.loader, verbose)
156
157 def set_trusted_path(self):
158 # Set the path from which dynamic modules may be loaded.
159 # Those dynamic modules must also occur in ok_builtin_modules
160 self.trusted_path = filter(os.path.isabs, sys.path)
161
162 def load_dynamic(self, name, filename, file):
163 if name not in self.ok_dynamic_modules:
164 raise ImportError, "untrusted dynamic module: %s" % name
165 if sys.modules.has_key(name):
166 src = sys.modules[name]
167 else:
168 import imp
169 src = imp.load_dynamic(name, filename, file)
170 dst = self.copy_except(src, [])
171 return dst
172
173 def make_initial_modules(self):
174 self.make_main()
175 self.make_osname()
176
177 # Helpers for RHooks
178
179 def is_builtin(self, mname):
180 return mname in self.ok_builtin_modules
181
182 # The make_* methods create specific built-in modules
183
184 def make_builtin(self):
185 m = self.copy_except(__builtin__, self.nok_builtin_names)
186 m.__import__ = self.r_import
187 m.reload = self.r_reload
188 m.open = self.r_open
189
190 def make_main(self):
191 m = self.add_module('__main__')
192
193 def make_osname(self):
194 osname = os.name
195 src = __import__(osname)
196 dst = self.copy_only(src, self.ok_posix_names)
197 dst.environ = e = {}
198 for key, value in os.environ.items():
199 e[key] = value
200
201 def make_sys(self):
202 m = self.copy_only(sys, self.ok_sys_names)
203 m.modules = self.modules
204 m.argv = ['RESTRICTED']
205 m.path = map(None, self.ok_path)
206 m.exc_info = self.r_exc_info
207 m = self.modules['sys']
208 l = self.modules.keys() + list(self.ok_builtin_modules)
209 l.sort()
210 m.builtin_module_names = tuple(l)
211
212 # The copy_* methods copy existing modules with some changes
213
214 def copy_except(self, src, exceptions):
215 dst = self.copy_none(src)
216 for name in dir(src):
217 setattr(dst, name, getattr(src, name))
218 for name in exceptions:
219 try:
220 delattr(dst, name)
221 except AttributeError:
222 pass
223 return dst
224
225 def copy_only(self, src, names):
226 dst = self.copy_none(src)
227 for name in names:
228 try:
229 value = getattr(src, name)
230 except AttributeError:
231 continue
232 setattr(dst, name, value)
233 return dst
234
235 def copy_none(self, src):
236 m = self.add_module(src.__name__)
237 m.__doc__ = src.__doc__
238 return m
239
240 # Add a module -- return an existing module or create one
241
242 def add_module(self, mname):
243 if self.modules.has_key(mname):
244 return self.modules[mname]
245 self.modules[mname] = m = self.hooks.new_module(mname)
246 m.__builtins__ = self.modules['__builtin__']
247 return m
248
249 # The r* methods are public interfaces
250
251 def r_exec(self, code):
252 m = self.add_module('__main__')
253 exec code in m.__dict__
254
255 def r_eval(self, code):
256 m = self.add_module('__main__')
257 return eval(code, m.__dict__)
258
259 def r_execfile(self, file):
260 m = self.add_module('__main__')
261 return execfile(file, m.__dict__)
262
263 def r_import(self, mname, globals={}, locals={}, fromlist=[]):
264 return self.importer.import_module(mname, globals, locals, fromlist)
265
266 def r_reload(self, m):
267 return self.importer.reload(m)
268
269 def r_unload(self, m):
270 return self.importer.unload(m)
271
272 # The s_* methods are similar but also swap std{in,out,err}
273
274 def make_delegate_files(self):
275 s = self.modules['sys']
276 self.delegate_stdin = FileDelegate(s, 'stdin')
277 self.delegate_stdout = FileDelegate(s, 'stdout')
278 self.delegate_stderr = FileDelegate(s, 'stderr')
279 self.restricted_stdin = FileWrapper(sys.stdin)
280 self.restricted_stdout = FileWrapper(sys.stdout)
281 self.restricted_stderr = FileWrapper(sys.stderr)
282
283 def set_files(self):
284 if not hasattr(self, 'save_stdin'):
285 self.save_files()
286 if not hasattr(self, 'delegate_stdin'):
287 self.make_delegate_files()
288 s = self.modules['sys']
289 s.stdin = self.restricted_stdin
290 s.stdout = self.restricted_stdout
291 s.stderr = self.restricted_stderr
292 sys.stdin = self.delegate_stdin
293 sys.stdout = self.delegate_stdout
294 sys.stderr = self.delegate_stderr
295
296 def reset_files(self):
297 self.restore_files()
298 s = self.modules['sys']
299 self.restricted_stdin = s.stdin
300 self.restricted_stdout = s.stdout
301 self.restricted_stderr = s.stderr
302
303
304 def save_files(self):
305 self.save_stdin = sys.stdin
306 self.save_stdout = sys.stdout
307 self.save_stderr = sys.stderr
308
309 def restore_files(self):
310 sys.stdin = self.save_stdin
311 sys.stdout = self.save_stdout
312 sys.stderr = self.save_stderr
313
314 def s_apply(self, func, args=(), kw=None):
315 self.save_files()
316 try:
317 self.set_files()
318 if kw:
319 r = apply(func, args, kw)
320 else:
321 r = apply(func, args)
322 finally:
323 self.restore_files()
324
325 def s_exec(self, *args):
326 self.s_apply(self.r_exec, args)
327
328 def s_eval(self, *args):
329 self.s_apply(self.r_eval, args)
330
331 def s_execfile(self, *args):
332 self.s_apply(self.r_execfile, args)
333
334 def s_import(self, *args):
335 self.s_apply(self.r_import, args)
336
337 def s_reload(self, *args):
338 self.s_apply(self.r_reload, args)
339
340 def s_unload(self, *args):
341 self.s_apply(self.r_unload, args)
342
343 # Restricted open(...)
344
345 def r_open(self, file, mode='r', buf=-1):
346 if mode not in ('r', 'rb'):
347 raise IOError, "can't open files for writing in restricted mode"
348 return open(file, mode, buf)
349
350 # Restricted version of sys.exc_info()
351
352 def r_exc_info(self):
353 ty, va, tr = sys.exc_info()
354 tr = None
355 return ty, va, tr
356
357
358 def test():
359 import sys, getopt, traceback
360 opts, args = getopt.getopt(sys.argv[1:], 'vt:')
361 verbose = 0
362 trusted = []
363 for o, a in opts:
364 if o == '-v':
365 verbose = verbose+1
366 if o == '-t':
367 trusted.append(a)
368 r = RExec(verbose=verbose)
369 if trusted:
370 r.ok_builtin_modules = r.ok_builtin_modules + tuple(trusted)
371 if args:
372 r.modules['sys'].argv = args
373 r.modules['sys'].path.insert(0, os.path.dirname(args[0]))
374 else:
375 r.modules['sys'].path.insert(0, "")
376 fp = sys.stdin
377 if args and args[0] != '-':
378 try:
379 fp = open(args[0])
380 except IOError, msg:
381 print "%s: can't open file %s" % (sys.argv[0], `args[0]`)
382 return 1
383 if fp.isatty():
384 print "*** RESTRICTED *** Python", sys.version
385 print sys.copyright
386 while 1:
387 try:
388 try:
389 s = raw_input('>>> ')
390 except EOFError:
391 print
392 break
393 if s and s[0] != '#':
394 s = s + '\n'
395 c = compile(s, '<stdin>', 'single')
396 r.s_exec(c)
397 except SystemExit, n:
398 return n
399 except:
400 traceback.print_exc()
401 else:
402 text = fp.read()
403 fp.close()
404 c = compile(text, fp.name, 'exec')
405 try:
406 r.s_exec(c)
407 except SystemExit, n:
408 return n
409 except:
410 traceback.print_exc()
411 return 1
412
413
414 if __name__ == '__main__':
415 sys.exit(test())