
Short term Python: Restrict Python to only execute OSTree provided files #152

Closed
dustymabe opened this issue Feb 20, 2019 · 9 comments
Labels
-python card related to removing a python dependency jira for syncing to jira

Comments

@dustymabe
Member

Colin had an interesting suggestion in #32 (comment). His suggestion is that we can restrict python execution of random user scripts by:

  • patching python to deny execution of anything that doesn't live under /usr/

This allows us to achieve our #1 goal that we identified while we continue to work on the process of burning down our other python dependencies.

@dustymabe dustymabe added -python card related to removing a python dependency meeting topics for meetings labels Feb 20, 2019
@bgilbert bgilbert removed the meeting topics for meetings label Feb 20, 2019
@dustymabe
Member Author

Discussed in the meeting this past Wednesday:

AGREED: We are willing to try a 'restricted python' approach while
    we burn down python dependencies in parallel

@dustymabe dustymabe added the jira for syncing to jira label Feb 22, 2019
@bgilbert bgilbert added this to Proposed in Fedora CoreOS preview via automation Mar 14, 2019
@bgilbert bgilbert moved this from Proposed to Selected in Fedora CoreOS preview Mar 14, 2019
@vstinner

There are 2 PEPs which would allow that:

cc @tiran @zooba

@dustymabe
Member Author

> There are 2 PEPs which would allow that:

i.e. by using the proposed spython to restrict what could run?

@arithx
Contributor

arithx commented May 6, 2019

From a quick read through the PEPs I'm not sure that spython fits the exact use case. Ideally we'd want users to not be able to run anything through python (from either the command-line or scripts) and only provide python to packages that require it.

@vstinner is there some other mechanism in the spython proposal I'm missing that would allow us to have that sort of functionality?

@tiran

tiran commented May 6, 2019

Your use case can be implemented with PEP 578 and three custom hooks:

  1. A custom verified open hook that verifies py/pyc imports
  2. A custom cpython.dlopen audit hook that verifies extension modules
  3. A setopencodehook hook to ensure that nobody can reset the custom verified open hook.

I'll work on a PoC.
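The sketch below is an added example, not tiran's PoC and not Fedora CoreOS code. It shows the shape of the policy from the Python side of PEP 578 (Python 3.8+): a single `sys.addaudithook` hook that refuses the `cpython.run_command` / `cpython.run_stdin` / `cpython.run_startup` entry points, checks the `cpython.run_file` and `compile` filenames against a trusted root, and rejects any later `sys.addaudithook` so the policy cannot be stacked on or observed by a second hook (the Python-level counterpart of the "nobody can reset the open hook" item). The `/usr` root, the `is_trusted` / `denies` / `install` names and the sample paths are assumptions for illustration. Bytecode-only `.pyc` imports and extension-module `dlopen` never go through `compile()`, so this layer alone does not close those paths; that is exactly what the C-level verified open hook and the dlopen hook in the three-hook plan are for.

```python
"""Python-level 'restricted python' audit hook (PEP 578). Added example;
not tiran's PoC and not Fedora CoreOS code. Requires Python 3.8+."""
import os
import sys

# Assumption: on an OSTree system everything the OS ships lives under /usr.
TRUSTED_ROOTS = ("/usr",)

# Entry points that run user-supplied code rather than a shipped file:
# `python -c`, the REPL / piped stdin, and PYTHONSTARTUP.
DENIED_EVENTS = {"cpython.run_command", "cpython.run_stdin", "cpython.run_startup"}


def is_trusted(filename):
    """True if `filename` names a file under a trusted root.

    Pseudo-filenames such as '<string>' (exec()/eval() of a string by code
    that is already running) are allowed: refusing them breaks stdlib code
    that legitimately uses exec/eval, e.g. collections.namedtuple.
    """
    if isinstance(filename, bytes):
        filename = os.fsdecode(filename)
    if not isinstance(filename, str):
        return False
    if filename.startswith("<") and filename.endswith(">"):
        return True
    # realpath() collapses '..' and follows symlinks, so '/usr/../tmp/x.py'
    # and '/usrfoo/x.py' are judged by where they really point.
    real = os.path.realpath(filename)
    return any(real == root or real.startswith(root + os.sep) for root in TRUSTED_ROOTS)


def audit_hook(event, args):
    """PEP 578 audit hook: raising from the hook aborts the audited operation."""
    if event in DENIED_EVENTS:
        raise RuntimeError("restricted python: %s is not permitted" % event)
    if event == "cpython.run_file" and not is_trusted(args[0]):
        raise RuntimeError("restricted python: refusing to run %r" % (args[0],))
    if event == "compile":
        # args == (source, filename). This covers imports of .py sources and
        # any compile()/exec() that names a real path. .pyc-only imports and
        # extension modules never reach compile(), hence the C-level hooks.
        filename = args[1]
        if filename is not None and not is_trusted(filename):
            raise RuntimeError("restricted python: refusing to compile %r" % (filename,))
    if event == "sys.addaudithook":
        # Once the policy is in place, no further hooks may be registered.
        raise RuntimeError("restricted python: audit hooks are locked")


def denies(event, args):
    """Return True if the policy would abort `event` called with `args`."""
    try:
        audit_hook(event, args)
    except RuntimeError:
        return True
    return False


def install():
    """Register the hook; audit hooks cannot be removed for the life of the process."""
    sys.addaudithook(audit_hook)


if __name__ == "__main__":
    # Stand-alone demo: the hook is installed only here, never at import time.
    install()
    for path in ("/usr/lib/python3/site-packages/trusted.py", "/home/core/evil.py"):
        try:
            compile("x = 1\n", path, "exec")
            print("allowed:", path)
        except RuntimeError as exc:
            print("denied: ", exc)
    try:
        sys.addaudithook(lambda event, args: None)
    except RuntimeError as exc:
        print("denied: ", exc)
```

In a real build the `install()` call would sit in a `sitecustomize.py` shipped under `/usr` so the hook is live before any user-controlled code runs; note that `PYTHONPATH`, user site-packages and `python -m` still need to be handled, and that a trusted script which calls `exec()` on data it reads from disk is not stopped by a filename check on `compile`.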

@tiran

tiran commented May 6, 2019

CC @zooba

@zooba

zooba commented May 6, 2019

There are a couple of (Windows-specific) PoCs already at https://github.com/zooba/spython/ - happy to have more :)

spython is really just a substitution variable for "your own locked-down version of Python". It's not a real thing that you can just pick up and use. But with a bit of luck we'll get the PEP 578 APIs merged this week and then creating an spython looks like pretty straightforward embedding.

@ajeddeloh
Contributor

Also worth calling out it looks like we'll be able to ship without python at all (just pending the xfsprogs package split), so this is only relevant if we end up needing to pull it back in.

@ajeddeloh
Contributor

Closing as we're now no longer shipping python! Feel free to reopen later if needed.

@ajeddeloh ajeddeloh moved this from Selected to Done in Fedora CoreOS preview May 14, 2019