How can you security-harden a Python program?


What is the best way to restrict/sandbox a Python program?

How can I restrict a Python program to only be able to access one website and print to stdout?

I am using pyseccomp to restrict the list of syscalls the program can make, but am finding very little documentation online and had to whitelist 32 syscalls to make the program work (including unrestricted write() and openat() restricted to read-only, but I'm not aware of a way to restrict it to specific paths).

Is seccomp the right tool for this purpose? I.e. is it the most secure with the limitation of small overhead (e.g. can't add several seconds, hundreds of MBs of RAM, or libraries that cannot be installed with pip3). Is there a better tool that allows Python to read libraries only, but not other files?


My program uses pandas.read_html to parse a table from a website. I then have a function that sanitizes the data (filters out any entries that don't match a RegEx using re.match(...)) before printing it to stdout. It will always run on Linux.

1

There are 1 answers

1
top talent On

Try installing this module:

pip install pyseccomp
import pyseccomp
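An added example, not part of the original question or answer: argument-level pyseccomp rules for the two syscalls the question mentions, with an offline model for checking the policy before it is loaded. seccomp filters see only argument values, so the path pointer passed to openat() cannot be compared, but file descriptors and flags can; `RULES`, `allowed` and `load_filter` are hypothetical names.

```python
import errno
import os

# Flags that let openat() create or modify a file; O_RDONLY is 0 on Linux.
WRITE_BITS = os.O_WRONLY | os.O_RDWR | os.O_CREAT | os.O_TRUNC | os.O_APPEND

# Hypothetical rule table: (syscall, [(arg_index, op, datum_a, datum_b), ...]).
# Only the argument-filtered entries are shown; append the rest of your
# allow-list as (name, []) entries.
RULES = [
    ("write", [(0, "EQ", 1, 0)]),                   # fd == stdout
    ("write", [(0, "EQ", 2, 0)]),                   # fd == stderr (tracebacks)
    ("openat", [(2, "MASKED_EQ", WRITE_BITS, 0)]),  # (flags & WRITE_BITS) == 0
]


def _match(value, op, a, b):
    if op == "EQ":
        return value == a
    if op == "MASKED_EQ":
        return (value & a) == b
    raise ValueError(f"unsupported op {op}")


def allowed(syscall, args, rules=RULES):
    """Offline model of the filter: does any rule for `syscall` match `args`?"""
    return any(
        name == syscall and all(_match(args[i], op, a, b) for i, op, a, b in conds)
        for name, conds in rules
    )


def load_filter(rules=RULES):
    """Install the rules in the current process; everything else gets EPERM."""
    import pyseccomp as seccomp  # imported lazily: needs libseccomp at runtime
    flt = seccomp.SyscallFilter(seccomp.ERRNO(errno.EPERM))
    for name, conds in rules:
        args = [seccomp.Arg(i, getattr(seccomp, op), a, b) for i, op, a, b in conds]
        flt.add_rule(seccomp.ALLOW, name, *args)
    flt.load()


if __name__ == "__main__":
    AT_FDCWD = -100  # constructed sample calls: (syscall, argument registers)
    for call in [("write", [1, 0, 5]), ("write", [7, 0, 5]),
                 ("openat", [AT_FDCWD, 0, os.O_RDONLY | os.O_CLOEXEC]),
                 ("openat", [AT_FDCWD, 0, os.O_WRONLY | os.O_CREAT])]:
        print(call, "ALLOW" if allowed(*call) else "EPERM")
```

Call `load_filter()` only once `RULES` holds the complete allow-list; with just these three entries the interpreter's own syscalls would fail with EPERM.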