Security Enhancements for Python scripts - seccomp.py

seccomp.py:

seccomp.py is a script that wraps python scripts into a seccomp sandbox when called as a function in your scripts. Its goal is to use Python’s C interface to call on seccomp to further confine scripts.

It is one small and simple script but it is not included in Debian.
If it works then “forking” and using it might be worth it.

References:
[1] http://pythonsweetness.tumblr.com/post/65442885019/secure-low-overhead-eval-sandbox-in-80-lines-of-python
[2] scratch/seccomp.py at master · dw/scratch · GitHub
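To make the mechanism the post describes concrete, here is an added example (written for this page, not dw's seccomp.py and not code from the forum thread) of the same idea: fork a worker, switch the worker into seccomp strict mode through Python's C interface, and let it hand its result back over a pipe. It uses the standard-library ctypes module instead of the python-cffi and python-prctl dependencies named in the thread, and the syscall numbers and the two helper actions are the editor's own. The point a practitioner needs to see is the exit path: strict mode only permits read, write, exit and sigreturn, and glibc's _exit() uses exit_group, so a confined worker has to leave through a raw exit(2) or it is SIGKILLed on its way out.

```python
import ctypes
import os
import platform
import signal

# prctl(2) constants from <linux/prctl.h>.
PR_GET_SECCOMP = 21
PR_SET_SECCOMP = 22
SECCOMP_MODE_STRICT = 1

# exit(2), not exit_group(2), per architecture (Linux syscall tables).
# Strict mode allows only read/write/exit/sigreturn; glibc's _exit() calls
# exit_group, which strict mode kills, so the worker needs a raw exit(2).
SYS_EXIT_BY_ARCH = {"x86_64": 60, "aarch64": 93, "i686": 1, "i386": 1, "armv7l": 1}
_SYS_EXIT = SYS_EXIT_BY_ARCH.get(platform.machine())

_libc = ctypes.CDLL(None, use_errno=True)
_libc.prctl.restype = ctypes.c_int
_libc.syscall.restype = ctypes.c_long


def _confined_child(action, wfd):
    """Body of the forked worker; never returns to the caller."""
    if _SYS_EXIT is None:
        os.write(wfd, b"E")          # unknown architecture, give up cleanly
        os._exit(2)
    # Exercise the ctypes call path once before confinement so its one-time
    # allocations do not happen while only read/write/exit are permitted.
    _libc.prctl(PR_GET_SECCOMP, ctypes.c_ulong(0), ctypes.c_ulong(0),
                ctypes.c_ulong(0), ctypes.c_ulong(0))
    ctypes.get_errno()
    rc = _libc.prctl(PR_SET_SECCOMP, ctypes.c_ulong(SECCOMP_MODE_STRICT),
                     ctypes.c_ulong(0), ctypes.c_ulong(0), ctypes.c_ulong(0))
    if rc != 0:
        # Typically EINVAL when a seccomp filter is already installed (many
        # container runtimes do this); no filter was added, so exit_group is fine.
        os.write(wfd, b"E")
        os._exit(1)
    # From here on, any syscall other than read/write/exit/sigreturn is fatal.
    os.write(wfd, b"S")
    action()
    os.write(wfd, b"D")
    _libc.syscall(_SYS_EXIT, 0)     # raw exit(2); os._exit() would be SIGKILLed


def run_confined(action):
    """Run action() in a strict-seccomp child; report how the child ended."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(rfd)
        _confined_child(action, wfd)
    os.close(wfd)
    chunks = []
    while True:
        data = os.read(rfd, 64)
        if not data:
            break
        chunks.append(data)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    out = b"".join(chunks)
    if out.startswith(b"E"):
        outcome = "seccomp_unavailable"
    elif os.WIFSIGNALED(status) and os.WTERMSIG(status) == signal.SIGKILL:
        outcome = "killed_by_seccomp"
    elif out == b"SD" and os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0:
        outcome = "completed"
    else:
        outcome = "unexpected"
    return {"status": outcome, "output": out, "wait_status": status}


def benign_action():
    """Does nothing that needs a syscall: allowed under strict mode."""
    return None


def forbidden_action():
    """getcwd(2) is outside the strict-mode allow list, so the worker dies."""
    return os.getcwd()


def demo():
    """Constructed comparison: a permitted worker beside one that oversteps."""
    return {"benign": run_confined(benign_action),
            "forbidden": run_confined(forbidden_action)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["status"], result["output"])
```

On a kernel where the process is not already under a seccomp filter, the benign worker reports `completed` and the overstepping one `killed_by_seccomp`; inside a container whose runtime has already installed a filter, `PR_SET_SECCOMP` with `SECCOMP_MODE_STRICT` is refused and both report `seccomp_unavailable`, which is the same limitation any strict-mode wrapper such as seccomp.py runs into.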

Troubadour, is the seccomp script useful in any way for your packages?

To install dependencies:

sudo apt-get install python-cffi python-prctl

Wondering about two things:

  • If such a module (seccomp.py) is already available in Debian.
  • If seccomp.py was still useful if we were using pypy. (Whonix Forum)

What I find strange is that apparently (almost) no one on the internet is discussing and/or using some form of python seccomp.

Ticket:
https://phabricator.whonix.org/T128

Usage example:

[hr]

Maybe a better search term:
“python” “import seccomp”

[hr]

There is another issue with seccomp.py. It’s not Free Software yet. There is no license file in the repository. Contacted the author. Used the e-mail address that was used for the git commits in that repository.

seccomp.py license
Hi!

I am wondering about the license of the repository that hosts scratch/seccomp.py at master · dw/scratch · GitHub - could you clarify the license please by adding a license file?

Cheers,
Patrick

License issue has been fixed:

Preparing a draft, asking David, author of seccomp.py.

seccomp.py questions
Hi David!

Would it be useful to combine pypy with seccomp.py?

Would it be useful to combine the pypy sandbox with seccomp.py?

Do you know any usage examples of seccomp.py?

Why is there no existing python library for this feature? One could
assume that this is quite popular and installable from mainstream
distributions such as Debian?

Anything else you would like to add?

By replying to this mail, your answer will be posted on the whonix-devel
public mailing list, so all of our python coders can benefit from your
answer.

Cheers,
Patrick