Disabling std. and file I/O in Python sandbox implementation

Submitted by 自古美人都是妖i on 2019-12-04 07:29:27

The rough consensus on this is that the complexity and introspection abilities of CPython make for unreliable attempts at blacklisting parts of the interpreter. I believe one of the major attempts was tav's safelite. It's also not that hard to cause CPython to crash, which opens another path to be exploited from running arbitrary code. Avoiding resource exhaustion or CPU-use DoS from arbitrary code is probably impossible to do in-process (you'd need a watchdog, system limits, etc.).

Something crucial for people wanting to have sandboxed code execution in Python is to avoid rolling your own (or simply modifying sys or __builtins__): it's very easy to convince yourself it's rock solid and yet miss some obvious workaround that bypasses your protection. Keep in mind Python used to include a module that offered this kind of protection, and even that had glaring issues that allowed escaping its restrictions. IIRC, it was vulnerable to fishing non-restricted objects (via introspection) into the restricted environment.

That said, pysandbox is written by a core Python developer who believes it to be safe when restricting e.g. IO (and it incorporates a lot of previous research) and can run in-process like you want (albeit with a few fewer features, like DoS protections from CPU and memory use).
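The "fishing non-restricted objects via introspection" failure mode the answer warns about, as an added example that is not part of the original answer and not code from safelite or pysandbox. The naive sandbox below strips __builtins__ entirely, so a direct open() call raises NameError and the sandbox looks effective. The second snippet, run under the same sandbox, walks from the empty tuple to object, enumerates object.__subclasses__(), picks any class whose Python-level __init__ carries module globals that reference sys, and pulls the real builtins module out of sys.modules. The names run_naive_sandbox, demo and the TARGET placeholder are this example's own; the sample file contents are constructed.

```python
"""Added example: a home-made Python sandbox that only strips builtins,
and the introspection walk that recovers file I/O anyway."""
import os
import tempfile


def run_naive_sandbox(src: str) -> dict:
    """Execute src with an empty __builtins__: no open, no __import__, not even len."""
    env = {"__builtins__": {}}
    exec(src, env)  # names assigned at top level of src end up in env
    return env


# Direct attempt: NameError, which is what makes the sandbox *look* effective.
DIRECT = "data = open(TARGET).read()"

# Introspection escape (well-known CPython behaviour, not specific to any library):
# attribute access, loops and try/except need no builtins at all, so the code can
# reach object via the tuple type, enumerate its subclasses and find a class whose
# __init__ is a Python function. That function's __globals__ is its module's
# namespace; any module that imported sys exposes sys.modules['builtins'].
ESCAPE = '''
def _real_builtins():
    for cls in ().__class__.__base__.__subclasses__():
        try:
            g = cls.__init__.__globals__   # only Python-level __init__ has __globals__
        except:                            # bare except: AttributeError is not a name here
            continue
        if 'sys' in g:
            return g['sys'].modules['builtins']
    return None

_b = _real_builtins()
if _b is not None:
    _fh = _b.open(TARGET)
    data = _fh.read()
    _fh.close()
else:
    data = None
'''


def demo() -> tuple:
    """Returns (direct_open_blocked, contents_read_by_escape)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write("secret")  # constructed sample file the sandbox is meant to protect
    try:
        try:
            run_naive_sandbox(DIRECT.replace("TARGET", repr(path)))
            blocked = False
        except NameError:
            blocked = True
        env = run_naive_sandbox(ESCAPE.replace("TARGET", repr(path)))
        return blocked, env["data"]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # (True, 'secret')
```

The walk stops at the first Python-defined class whose module imported sys (codecs and os both qualify and are always loaded), so removing one "dangerous" class from the list does not help; the same trick also reaches os.system through os._wrap_close.__init__.__globals__. This is why the answer says not to roll your own: the restriction has to cover the whole object graph, not the namespace the code starts with.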
