Restricted Execution Mode
Python's Restricted Execution Mode is designed primarily to make
it impossible for applets to modify the file system (outside the small
area reserved for them, see below) or to run arbitrary other programs.
It currently cannot completely prevent applets from crashing the Grail
browser or from using inordinate amounts of resources such as memory,
CPU cycles or screen real estate. These problems will be addressed in
the near future. Until then, users can avoid malicious applets by not
visiting untrusted sites, and they can contain the damage by killing
the Grail application. See also this Security Warning.
The exact set of features available to code executed in restricted
mode is mostly controlled by the code running in unrestricted mode
(however, certain restrictions are enforced
directly by the Python interpreter). The Python library comes with a
default set-up, which is modified somewhat by Grail. The following
list summarizes the restrictions set by Grail:
- No sys.exc_type, sys.exc_value, sys.exc_traceback.
- No sys.setprofile() or sys.settrace().
- Manipulating sys.path may not have the desired effect.
- The following built-in functions are missing: input(),
raw_input().
- The open() function is restricted: it can (currently) read any file
that is readable by the user who is running Grail, but it can only
write files in an area reserved for the applet group of which the
applet is a member. Note that this still lets an applet read anything
the user can read, which is a disclosure risk in its own right.
- The os and posix modules are severely maimed; system(), popen(),
fork(), the exec() family, unlink(), rename(), chdir(), mkdir(),
rmdir(), open() and creat() are all missing, as well as some less
well-known functions.
- Several built-in modules are completely missing.
- The Tkinter module (for Tk version 4.0 or higher) is available, but some
functionality has been disabled: it is not possible to create new Tk
interpreters with the Tk() class, and the Tcl commands exec, open and
cd (and perhaps some others) have been deleted.
The following changes apply to the language itself (these are mostly
intended to close up loopholes that would allow restricted programs to
gain access to unrestricted modules):
- Class objects are read-only, and their __dict__ attribute is unavailable.
- Function objects don't have the func_globals attribute, and
instance method objects don't have the im_instance attribute.
- Modules don't have the __dict__ attribute.
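The following is an added example, not part of the Grail documentation or of Grail's code, showing in modern Python 3 naming why the attributes listed above (and sys.exc_traceback from the first list) are withheld. It executes "applet" code with a stripped-down __builtins__ dictionary, an assumption standing in for Grail's real set-up (Python 3 has no restricted mode and the old rexec module is gone), hands the applet an ordinary host function, a bound method, and the ability to catch an exception, and then checks whether __globals__ (the page's func_globals), __func__ on a bound method (the instance method loophole) and the traceback's frame chain (what sys.exc_traceback exposed) each lead back to the host's unrestricted open(). The helper(), HostAPI, run_restricted() and probe_escapes() names are constructed for this example.

```python
import sys

# Builtins handed to the "applet": no open(), no __import__, no exec/eval.
# A toy restricted namespace for this example, not Grail's or rexec's real set-up.
RESTRICTED_BUILTINS = {
    "len": len, "str": str, "isinstance": isinstance, "dict": dict,
    "ValueError": ValueError, "NameError": NameError,
}


def helper():
    """Unrestricted host function exposed to the applet as an 'API' (constructed)."""
    return "ok"


class HostAPI:
    """Unrestricted host class whose bound method is exposed to the applet (constructed)."""

    def ping(self):
        return "pong"


def run_restricted(code, extra=None):
    """Execute applet code with only RESTRICTED_BUILTINS and return its namespace."""
    env = {"__builtins__": RESTRICTED_BUILTINS}
    if extra:
        env.update(extra)
    exec(code, env)
    return env


# Each escape walks from an object the applet legitimately holds back to this
# module's globals, and from there to sys.modules['builtins'].open.
ESCAPES = {
    # func_globals in the page's terminology: a function carries its module's namespace.
    "func_globals":
        "leaked = helper.__globals__['sys'].modules['builtins'].open",
    # Bound method -> underlying function -> that function's globals.
    "method_func":
        "leaked = api.ping.__func__.__globals__['sys'].modules['builtins'].open",
    # What sys.exc_traceback gave: the frame chain, whose f_back is the host's frame.
    "traceback_frames": (
        "try:\n"
        "    raise ValueError('probe')\n"
        "except ValueError as e:\n"
        "    host = e.__traceback__.tb_frame.f_back.f_globals\n"
        "    leaked = host['sys'].modules['builtins'].open\n"
    ),
}


def probe_escapes():
    """Return {probe_name: True if the applet obtained the real open()}."""
    results = {}
    try:
        run_restricted("open('/etc/hostname')")
        results["direct_open"] = True
    except NameError:
        results["direct_open"] = False  # the builtin is simply absent
    for name, code in ESCAPES.items():
        env = run_restricted(code, {"helper": helper, "api": HostAPI()})
        results[name] = env.get("leaked") is open
    return results


if __name__ == "__main__":
    for name, escaped in probe_escapes().items():
        print(f"{name:18s} {'ESCAPED' if escaped else 'blocked'}")
```

Running it shows the direct call blocked and all three indirect routes succeeding, which is exactly why restricted mode must strip these attributes at the interpreter level rather than merely withhold the dangerous builtins: anything an applet can touch that was created in unrestricted mode is a handle back into the unrestricted namespace.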
Note that most standard library modules (those modules written in
Python) are available normally; they are only restricted insofar as
they rely on features or built-in modules or functions that are
restricted.