How can you security-harden a Python program?
Question
What is best way to restrict/sandbox a Python program?
How can I restrict a Python program to only be able to access one website and print to stdout ?
I am using pyseccomp to restrict the list of syscalls the program can make, but am finding very little documentation online and had to whitelist 32 syscalls to make the program work (including unrestricted write() and openat() restricted to readonly (but I'm not aware of a way to restrict it to specific paths).
Is seccomp the right tool for this purpose? Ie is it the most secure with the limitation of small overhead (eg can't add several seconds, hundreds of MBs of RAM, or libraries that cannot be installed with pip3). Is there a better tool that allows Python to read libraries only, but not other files?
My program uses pandas.read_html to parse a table from a website, I then have a function that sanitizes the data (filters out any entries that don't match a RegEx using re.match(...) ) before printing it to stdout . It will always run on Linux.
1 answers
solution1
1 2021-05-18 19:30:00
you try to install this module
pip install pyseccomp
import pyseccomp
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.