在沙盒 Pypy 中使用 socket 模块 [英] Using the socket module in sandboxed Pypy

问题描述

我试图允许使用 Pypy 沙盒的子进程使用有限的协议与父进程通信.

I'm attempting to allow a subprocess sandboxed with Pypy to communicate, using a limited protocol, with the parent process.

查看 Pypy 附带的 pypy/pypy/translator/sandbox/sandlib.py 的源代码后，似乎有一个 VirtualizedSocketProc 允许 os.open 调用打开套接字.我更改了代码的某些功能(例如，允许在有限端口上进行 TCP 连接)，但几乎没有更改.但是，我无法实际导入 Pypy 的 socket 模块，因为它需要一个不存在的 _socket 模块，该模块似乎位于代码的解释器级部分.

After reviewing the source code of the pypy/pypy/translator/sandbox/sandlib.py included with Pypy, it appears that there is a VirtualizedSocketProc that allows os.open calls to open sockets. I've changed some functionality of the code (for example, allowing TCP connections on limited ports), but very little has been changed. However, I'm unable to actually import Pypy's socket module because it requires a non-existent _socket module, which seems to be located in the interpreter-level parts of the code.

我正在尝试做的事情可行吗?如果是这样，我如何导入套接字模块?如果没有，我还能做什么?

Is what I'm trying to do feasible? If so, how do I import the socket module? If not, what else can I do?

推荐答案

我对此进行了进一步调查，似乎这是一个相当基本的问题.在库级别(在 lib 目录内)实现的 socket 模块本质上是 _socket 库的空壳，它是pypy/module 目录中定义的解释器级模块.对于不熟悉 PyPy 的人来说，可以导入的模块有两种，大致对应于 CPython 中的纯 Python 和 C 库.在库级别实现的模块可以很容易地包含在沙箱中，并且实际上包含在默认"pypy_interact 沙箱中.但是，在解释器级别编写的模块在沙箱中不可用.

I've investigated this further, and it appears that this is a fairly fundamental problem. The socket module, implemented at the library level (inside of the lib directories) is essentially an empty shell for the the _socket library, which is an interpreter-level module defined in the pypy/module directory. For those unfamiliar with PyPy, there are two types of modules that can be imported, roughly corresponding to the pure-Python and C libraries in CPython. Modules implemented at the library level can be included easily in the sandbox, and are in fact included in the "default" pypy_interact sandbox. However, modules written at the interpreter level are not available inside the sandbox.

由于这种关键的区别，我的方法似乎在根本上存在缺陷.相反，如果您遇到同样的问题，您可以考虑其他一些选项:

It seems that my approach was fundmanetaly flawed, because of this critical distinction. Instead, there are a few other options that you can consider, should you run into the same problem:

1. 直接使用 os.open 和以 tcp:// 开头的文件名.这实际上非常有效，也是我最喜欢的方法.
2. 实现您自己的socket 库.这当然不是可取的，但我相信创建一个相对空的套接字库是可能的，它简单地与沙箱控制器进行通信，如上所述包装套接字功能.甚至可以修改默认套接字库来实现这一点(例如，不包括_socket).

1. Use os.open directly with a filename beginning with tcp://. This actually works very well and is my favoured approach.
2. Implement your own socket library. This is certainly not preferable, but I believe that it would be possible to create a relatively empty socket library that simply communicates with the sandbox controller as above wrapping the socket functionality. It might even be possible to modify the default socket library to achieve this (without including _socket, for example).

这篇关于在沙盒 Pypy 中使用 socket 模块的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！