search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Files for 2.1b1 distribution.
[python/dscho.git] / Lib / rexec.py
blob6a7c2071a016d787b9ac98e86ebc6b0d56085f61
1 """Restricted execution facilities.
2
3 The class RExec exports methods r_exec(), r_eval(), r_execfile(), and
4 r_import(), which correspond roughly to the built-in operations
5 exec, eval(), execfile() and import, but executing the code in an
6 environment that only exposes those built-in operations that are
7 deemed safe. To this end, a modest collection of 'fake' modules is
8 created which mimics the standard modules by the same names. It is a
9 policy decision which built-in modules and operations are made
10 available; this module provides a reasonable default, but derived
11 classes can change the policies e.g. by overriding or extending class
12 variables like ok_builtin_modules or methods like make_sys().
13
14 XXX To do:
15 - r_open should allow writing tmp dir
16 - r_exec etc. with explicit globals/locals? (Use rexec("exec ... in ...")?)
17
18 """
19
20
21 import sys
22 import __builtin__
23 import os
24 import ihooks
25
26 __all__ = ["RExec"]
27
28 class FileBase:
29
30 ok_file_methods = ('fileno', 'flush', 'isatty', 'read', 'readline',
31 'readlines', 'seek', 'tell', 'write', 'writelines')
32
33
34 class FileWrapper(FileBase):
35
36 # XXX This is just like a Bastion -- should use that!
37
38 def __init__(self, f):
39 self.f = f
40 for m in self.ok_file_methods:
41 if not hasattr(self, m) and hasattr(f, m):
42 setattr(self, m, getattr(f, m))
43
44 def close(self):
45 self.flush()
46
47
48 TEMPLATE = """
49 def %s(self, *args):
50 return apply(getattr(self.mod, self.name).%s, args)
51 """
52
53 class FileDelegate(FileBase):
54
55 def __init__(self, mod, name):
56 self.mod = mod
57 self.name = name
58
59 for m in FileBase.ok_file_methods + ('close',):
60 exec TEMPLATE % (m, m)
61
62
63 class RHooks(ihooks.Hooks):
64
65 def __init__(self, *args):
66 # Hacks to support both old and new interfaces:
67 # old interface was RHooks(rexec[, verbose])
68 # new interface is RHooks([verbose])
69 verbose = 0
70 rexec = None
71 if args and type(args[-1]) == type(0):
72 verbose = args[-1]
73 args = args[:-1]
74 if args and hasattr(args[0], '__class__'):
75 rexec = args[0]
76 args = args[1:]
77 if args:
78 raise TypeError, "too many arguments"
79 ihooks.Hooks.__init__(self, verbose)
80 self.rexec = rexec
81
82 def set_rexec(self, rexec):
83 # Called by RExec instance to complete initialization
84 self.rexec = rexec
85
86 def is_builtin(self, name):
87 return self.rexec.is_builtin(name)
88
89 def init_builtin(self, name):
90 m = __import__(name)
91 return self.rexec.copy_except(m, ())
92
93 def init_frozen(self, name): raise SystemError, "don't use this"
94 def load_source(self, *args): raise SystemError, "don't use this"
95 def load_compiled(self, *args): raise SystemError, "don't use this"
96 def load_package(self, *args): raise SystemError, "don't use this"
97
98 def load_dynamic(self, name, filename, file):
99 return self.rexec.load_dynamic(name, filename, file)
100
101 def add_module(self, name):
102 return self.rexec.add_module(name)
103
104 def modules_dict(self):
105 return self.rexec.modules
106
107 def default_path(self):
108 return self.rexec.modules['sys'].path
109
110
111 # XXX Backwards compatibility
112 RModuleLoader = ihooks.FancyModuleLoader
113 RModuleImporter = ihooks.ModuleImporter
114
115
116 class RExec(ihooks._Verbose):
117
118 """Restricted Execution environment."""
119
120 ok_path = tuple(sys.path) # That's a policy decision
121
122 ok_builtin_modules = ('audioop', 'array', 'binascii',
123 'cmath', 'errno', 'imageop',
124 'marshal', 'math', 'md5', 'operator',
125 'parser', 'regex', 'pcre', 'rotor', 'select',
126 'strop', 'struct', 'time')
127
128 ok_posix_names = ('error', 'fstat', 'listdir', 'lstat', 'readlink',
129 'stat', 'times', 'uname', 'getpid', 'getppid',
130 'getcwd', 'getuid', 'getgid', 'geteuid', 'getegid')
131
132 ok_sys_names = ('ps1', 'ps2', 'copyright', 'version',
133 'platform', 'exit', 'maxint')
134
135 nok_builtin_names = ('open', 'reload', '__import__')
136
137 def __init__(self, hooks = None, verbose = 0):
138 ihooks._Verbose.__init__(self, verbose)
139 # XXX There's a circular reference here:
140 self.hooks = hooks or RHooks(verbose)
141 self.hooks.set_rexec(self)
142 self.modules = {}
143 self.ok_dynamic_modules = self.ok_builtin_modules
144 list = []
145 for mname in self.ok_builtin_modules:
146 if mname in sys.builtin_module_names:
147 list.append(mname)
148 self.ok_builtin_modules = tuple(list)
149 self.set_trusted_path()
150 self.make_builtin()
151 self.make_initial_modules()
152 # make_sys must be last because it adds the already created
153 # modules to its builtin_module_names
154 self.make_sys()
155 self.loader = RModuleLoader(self.hooks, verbose)
156 self.importer = RModuleImporter(self.loader, verbose)
157 # but since re isn't normally built-in, we can add it at the end;
158 # we need the imported to be set before this can be imported.
159 self.make_re()
160
161 def set_trusted_path(self):
162 # Set the path from which dynamic modules may be loaded.
163 # Those dynamic modules must also occur in ok_builtin_modules
164 self.trusted_path = filter(os.path.isabs, sys.path)
165
166 def load_dynamic(self, name, filename, file):
167 if name not in self.ok_dynamic_modules:
168 raise ImportError, "untrusted dynamic module: %s" % name
169 if sys.modules.has_key(name):
170 src = sys.modules[name]
171 else:
172 import imp
173 src = imp.load_dynamic(name, filename, file)
174 dst = self.copy_except(src, [])
175 return dst
176
177 def make_initial_modules(self):
178 self.make_main()
179 self.make_osname()
180
181 # Helpers for RHooks
182
183 def is_builtin(self, mname):
184 return mname in self.ok_builtin_modules
185
186 # The make_* methods create specific built-in modules
187
188 def make_builtin(self):
189 m = self.copy_except(__builtin__, self.nok_builtin_names)
190 m.__import__ = self.r_import
191 m.reload = self.r_reload
192 m.open = self.r_open
193
194 def make_main(self):
195 m = self.add_module('__main__')
196
197 def make_osname(self):
198 osname = os.name
199 src = __import__(osname)
200 dst = self.copy_only(src, self.ok_posix_names)
201 dst.environ = e = {}
202 for key, value in os.environ.items():
203 e[key] = value
204
205 def make_re(self):
206 dst = self.add_module("re")
207 src = self.r_import("pre")
208 for name in dir(src):
209 if name != "__name__":
210 setattr(dst, name, getattr(src, name))
211
212 def make_sys(self):
213 m = self.copy_only(sys, self.ok_sys_names)
214 m.modules = self.modules
215 m.argv = ['RESTRICTED']
216 m.path = map(None, self.ok_path)
217 m.exc_info = self.r_exc_info
218 m = self.modules['sys']
219 l = self.modules.keys() + list(self.ok_builtin_modules)
220 l.sort()
221 m.builtin_module_names = tuple(l)
222
223 # The copy_* methods copy existing modules with some changes
224
225 def copy_except(self, src, exceptions):
226 dst = self.copy_none(src)
227 for name in dir(src):
228 setattr(dst, name, getattr(src, name))
229 for name in exceptions:
230 try:
231 delattr(dst, name)
232 except AttributeError:
233 pass
234 return dst
235
236 def copy_only(self, src, names):
237 dst = self.copy_none(src)
238 for name in names:
239 try:
240 value = getattr(src, name)
241 except AttributeError:
242 continue
243 setattr(dst, name, value)
244 return dst
245
246 def copy_none(self, src):
247 m = self.add_module(src.__name__)
248 m.__doc__ = src.__doc__
249 return m
250
251 # Add a module -- return an existing module or create one
252
253 def add_module(self, mname):
254 if self.modules.has_key(mname):
255 return self.modules[mname]
256 self.modules[mname] = m = self.hooks.new_module(mname)
257 m.__builtins__ = self.modules['__builtin__']
258 return m
259
260 # The r* methods are public interfaces
261
262 def r_exec(self, code):
263 m = self.add_module('__main__')
264 exec code in m.__dict__
265
266 def r_eval(self, code):
267 m = self.add_module('__main__')
268 return eval(code, m.__dict__)
269
270 def r_execfile(self, file):
271 m = self.add_module('__main__')
272 return execfile(file, m.__dict__)
273
274 def r_import(self, mname, globals={}, locals={}, fromlist=[]):
275 return self.importer.import_module(mname, globals, locals, fromlist)
276
277 def r_reload(self, m):
278 return self.importer.reload(m)
279
280 def r_unload(self, m):
281 return self.importer.unload(m)
282
283 # The s_* methods are similar but also swap std{in,out,err}
284
285 def make_delegate_files(self):
286 s = self.modules['sys']
287 self.delegate_stdin = FileDelegate(s, 'stdin')
288 self.delegate_stdout = FileDelegate(s, 'stdout')
289 self.delegate_stderr = FileDelegate(s, 'stderr')
290 self.restricted_stdin = FileWrapper(sys.stdin)
291 self.restricted_stdout = FileWrapper(sys.stdout)
292 self.restricted_stderr = FileWrapper(sys.stderr)
293
294 def set_files(self):
295 if not hasattr(self, 'save_stdin'):
296 self.save_files()
297 if not hasattr(self, 'delegate_stdin'):
298 self.make_delegate_files()
299 s = self.modules['sys']
300 s.stdin = self.restricted_stdin
301 s.stdout = self.restricted_stdout
302 s.stderr = self.restricted_stderr
303 sys.stdin = self.delegate_stdin
304 sys.stdout = self.delegate_stdout
305 sys.stderr = self.delegate_stderr
306
307 def reset_files(self):
308 self.restore_files()
309 s = self.modules['sys']
310 self.restricted_stdin = s.stdin
311 self.restricted_stdout = s.stdout
312 self.restricted_stderr = s.stderr
313
314
315 def save_files(self):
316 self.save_stdin = sys.stdin
317 self.save_stdout = sys.stdout
318 self.save_stderr = sys.stderr
319
320 def restore_files(self):
321 sys.stdin = self.save_stdin
322 sys.stdout = self.save_stdout
323 sys.stderr = self.save_stderr
324
325 def s_apply(self, func, args=(), kw=None):
326 self.save_files()
327 try:
328 self.set_files()
329 if kw:
330 r = apply(func, args, kw)
331 else:
332 r = apply(func, args)
333 finally:
334 self.restore_files()
335
336 def s_exec(self, *args):
337 self.s_apply(self.r_exec, args)
338
339 def s_eval(self, *args):
340 self.s_apply(self.r_eval, args)
341
342 def s_execfile(self, *args):
343 self.s_apply(self.r_execfile, args)
344
345 def s_import(self, *args):
346 self.s_apply(self.r_import, args)
347
348 def s_reload(self, *args):
349 self.s_apply(self.r_reload, args)
350
351 def s_unload(self, *args):
352 self.s_apply(self.r_unload, args)
353
354 # Restricted open(...)
355
356 def r_open(self, file, mode='r', buf=-1):
357 if mode not in ('r', 'rb'):
358 raise IOError, "can't open files for writing in restricted mode"
359 return open(file, mode, buf)
360
361 # Restricted version of sys.exc_info()
362
363 def r_exc_info(self):
364 ty, va, tr = sys.exc_info()
365 tr = None
366 return ty, va, tr
367
368
369 def test():
370 import sys, getopt, traceback
371 opts, args = getopt.getopt(sys.argv[1:], 'vt:')
372 verbose = 0
373 trusted = []
374 for o, a in opts:
375 if o == '-v':
376 verbose = verbose+1
377 if o == '-t':
378 trusted.append(a)
379 r = RExec(verbose=verbose)
380 if trusted:
381 r.ok_builtin_modules = r.ok_builtin_modules + tuple(trusted)
382 if args:
383 r.modules['sys'].argv = args
384 r.modules['sys'].path.insert(0, os.path.dirname(args[0]))
385 else:
386 r.modules['sys'].path.insert(0, "")
387 fp = sys.stdin
388 if args and args[0] != '-':
389 try:
390 fp = open(args[0])
391 except IOError, msg:
392 print "%s: can't open file %s" % (sys.argv[0], `args[0]`)
393 return 1
394 if fp.isatty():
395 print "*** RESTRICTED *** Python", sys.version
396 print sys.copyright
397 while 1:
398 try:
399 try:
400 s = raw_input('>>> ')
401 except EOFError:
402 print
403 break
404 if s and s[0] != '#':
405 s = s + '\n'
406 c = compile(s, '<stdin>', 'single')
407 r.s_exec(c)
408 except SystemExit, n:
409 return n
410 except:
411 traceback.print_exc()
412 else:
413 text = fp.read()
414 fp.close()
415 c = compile(text, fp.name, 'exec')
416 try:
417 r.s_exec(c)
418 except SystemExit, n:
419 return n
420 except:
421 traceback.print_exc()
422 return 1
423
424
425 if __name__ == '__main__':
426 sys.exit(test())