by mhitza
695 days ago
> But then still there is no oracle to predict whether user-supplied [RestrictedPython] code never halts; so, without resource quotas from VMs or Containers, there is unmitigated risk of resource exhaustion from user-supplied and developer-signed code

This is actually something I was interested in a while ago, but in Scheme. For example GNU Guile has such a facility built in [0], though with a caveat that if you're not careful what you expose you could still make yourself vulnerable to DoS attack (the memory exhaustion kind). But if you don't expose any facility that allows the untrusted user to make large allocations at a time (in a single call) you should be fine (fingers crossed). I don't see a reason why the same mechanics couldn't be implemented in Python.

[0] https://www.gnu.org/software/guile/manual/html_node/Sandboxe...

Edit: in some sense this restricted python stuff also reminds me of Safe Haskell (extension) [1], which came out a bit ahead of its time and by this point is almost forgotten about. Might become relevant again in the future.

[1] https://begriffs.com/posts/2015-05-24-safe-haskell.html - better overview than the wiki page
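The comment above asks whether Guile-style time and allocation limits could be applied to Python. The closest off-the-shelf equivalent is not in-interpreter accounting but OS rlimits on a child interpreter, so the following is an added example (written for this thread, not code from the comment or from RestrictedPython or Guile) showing that approach: run the untrusted source in a fresh `python -I` process with `RLIMIT_CPU` and `RLIMIT_AS` applied between fork and exec, plus a wall-clock timeout for code that blocks without burning CPU. The function name `run_limited`, the status strings, the 512 MiB / 1 s budgets and the payloads in `SAMPLES` are all assumptions made up for the example; it relies on the POSIX `resource` module and so runs on Linux (RLIMIT_AS is not enforced everywhere).

```python
import resource
import signal
import subprocess
import sys

MB = 1024 * 1024


def run_limited(code, *, cpu_seconds=1, address_space=512 * MB, wall_seconds=10):
    """Run untrusted Python source in a child interpreter under OS rlimits.

    RLIMIT_CPU caps CPU time: the kernel delivers SIGXCPU at the soft limit
    and SIGKILL at the hard limit, so a busy loop dies without cooperation.
    RLIMIT_AS caps virtual address space, so an oversized allocation fails
    inside the child with MemoryError instead of eating host RAM.
    The wall-clock timeout is the backstop for code that blocks or sleeps,
    which burns no CPU and so would never trip RLIMIT_CPU.
    Returns 'ok', 'memory_error', 'cpu_limit', 'wall_timeout' or 'error'.
    """

    def apply_limits():
        # Runs in the child between fork() and exec(), before any untrusted code.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_AS, (address_space, address_space))

    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],  # -I: isolated mode, no env/user site
            capture_output=True,
            text=True,
            timeout=wall_seconds,
            preexec_fn=apply_limits,
        )
    except subprocess.TimeoutExpired:
        return "wall_timeout"  # subprocess.run has already killed the child

    if proc.returncode == 0:
        return "ok"
    if proc.returncode < 0:  # negative returncode: terminated by a signal
        sig = -proc.returncode
        return "cpu_limit" if sig in (signal.SIGXCPU, signal.SIGKILL) else "error"
    if "MemoryError" in proc.stderr:
        return "memory_error"
    return "error"


# Constructed sample payloads standing in for user-supplied code (not real input).
SAMPLES = {
    "fine": "print(sum(range(10_000)))",
    "memory_hog": "buf = bytearray(4 * 1024 ** 3)",  # 4 GiB, far beyond the 512 MiB cap
    "cpu_hog": "while True: pass",
    "sleeper": "import time; time.sleep(30)",
}


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        wall = 2 if name == "sleeper" else 10
        print(f"{name:10s} -> {run_limited(src, wall_seconds=wall)}")
```

Two caveats a practitioner should keep in mind: rlimits are per process, so a child that forks gets a fresh budget (pair this with `RLIMIT_NPROC` or, better, a cgroup), and nothing here restricts sockets or files; the limits only make the exhaustion cases above fail closed.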
java -jar -Xms1024M -Xmx2048M -Xss1M example.jar
RAM and CPU and network IO cgroups are harder limits than a process's attempts to bound its own allocation with the VM.
TIL about hardened_malloc. Python doesn't have hardened_malloc, and IDK how configurable hardened_malloc is in terms of self-imposed process resource limits. FWIU hardened_malloc groups and thereby contains allocations by size. https://github.com/GrapheneOS/hardened_malloc
There is a reason that EVM and eWASM have costed opcodes and do not have socket libraries (blocking or async).
The default sys.setrecursionlimit() is 1000; so, 1000 times the unbounded stack size per frame: https://docs.python.org/3/library/sys.html#sys.setrecursionl...
Most (all?) algorithms can be rewritten with a stack instead of recursion, thereby avoiding per-frame stack overhead in languages without TCO (Tail-Call Optimization) like Python.
Kata containers or Gvisor or just RestrictedPython that doesn't run until it's checked into git [and optionally signed]?
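The two points in the comment above, that the default recursion limit is 1000 frames and that a recursive algorithm can be rewritten with an explicit stack, are easy to see side by side on a realistic input: measuring the nesting depth of a list-of-lists structure, the kind of thing a decoder of untrusted JSON has to do. The following is an added example written for this thread (not code from the comment, RestrictedPython or the Python docs). The function names, the `build_nested` helper that constructs the sample input, and the optional `limit` cap on the iterative version are assumptions made for the example; the cap is the check a practitioner would actually want, since moving the stack to the heap removes the RecursionError but not the attacker's ability to choose how deep the input goes.

```python
import sys


def max_depth_recursive(value):
    """Nesting depth of a list-of-lists value, one interpreter frame per level.

    The depth of the input decides how deep the Python call stack goes, so
    untrusted input deeper than sys.getrecursionlimit() raises RecursionError.
    """
    if not isinstance(value, list):
        return 0
    deepest = 0
    for child in value:
        deepest = max(deepest, max_depth_recursive(child))
    return 1 + deepest


def max_depth_iterative(value, limit=None):
    """Same computation with an explicit stack of (item, depth) pairs on the heap.

    Memory still grows with the input, but as ordinary heap objects rather than
    interpreter frames, and `limit` (an assumption for this example) lets the
    caller reject input that is deeper than the application has reason to accept.
    """
    deepest = 0
    stack = [(value, 0)]
    while stack:
        item, depth = stack.pop()
        if not isinstance(item, list):
            continue
        depth += 1
        if limit is not None and depth > limit:
            raise ValueError(f"nesting deeper than {limit} levels")
        deepest = max(deepest, depth)
        stack.extend((child, depth) for child in item)
    return deepest


def build_nested(depth):
    """Constructed sample input: a list nested `depth` levels deep, e.g. 3 -> [[[]]]."""
    value = []
    for _ in range(depth - 1):
        value = [value]
    return value


def compare(depth):
    """(recursive result, or None if it hit RecursionError; iterative result)."""
    value = build_nested(depth)
    try:
        recursive = max_depth_recursive(value)
    except RecursionError:
        recursive = None
    return recursive, max_depth_iterative(value)


def accepts(value, limit):
    """True if the iterative walk accepts `value` under an explicit depth cap."""
    try:
        max_depth_iterative(value, limit=limit)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("recursion limit:", sys.getrecursionlimit())
    for depth in (10, 500, 10_000):
        print(depth, compare(depth))
    print("depth 50 under cap 10 accepted:", accepts(build_nested(50), 10))
```

With the default limit of 1000, `compare(10_000)` returns `(None, 10000)`: the recursive walk dies with RecursionError while the iterative one finishes, which is exactly why the cap matters once the stack no longer fails for you.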