Restricted Execution Mode

Python's Restricted Execution Mode is designed primarily to make it impossible for applets to modify the file system or run arbitrary other programs. It currently cannot completely prevent applets from crashing the Grail browser or from using inordinate amounts of resources like memory, CPU cycles or screen real estate. These problems will be addressed in the near future. Currently, users can prevent malicious applets by avoiding untrusted sites, and they can contain the damage by killing the Grail application. See also this Security Warning.

The exact set of features available to code executed in restricted mode is mostly controlled by the code running in unrestricted mode (however, certain restrictions are enforced directly by the Python interpreter). The Python library comes with a default set-up, which is modified somewhat by Grail. The following list summarizes the restrictions set by Grail:

No sys.exc_type, sys.exc_value, sys.exc_traceback.
No sys.setprofile() or sys.settrace().
Manipulating sys.path may not have the desired effect.
The following built-in functions are missing: input(), raw_input().
The open() function is restricted: while it can (currently) read all files that are readable by the user who is running Grail, it can only write files in an area reserved for the applet group of which the applet is a member.
The os and posix modules are severely maimed; system(), popen(), fork(), the exec() family, unlink(), rename(), chdir(), mkdir(), rmdir(), open() and creat() are all missing, as well as some less well-known functions.
Several built-in modules are completely missing.
The Tkinter module (for Tk version 4.0 or higher) is available, but some functionality has been disabled: it is not possible to create new Tk interpreters with the Tk() class, and the Tcl commands exec, open and cd (and perhaps some others) have been deleted.

Language Changes

The following changes apply to the language itself (these are mostly intended to close up loopholes that would allow restricted programs to gain access to unrestricted modules):

Class objects are read-only, and their __dict__ attribute is unavailable.
Function objects don't have the func_globals attribute, and instance method objects don't have the im_instance attribute.
Modules don't have the __dict__ attribute.

Note that most standard library modules (those modules written in Python) are available normally; they are only restricted insofar as they rely on features or built-in modules or functions that are restricted.