예제 #1
0
def enable_sandbox(config):
    """Enable the sandbox based on the configuration.

  This includes installing import hooks to restrict access to C modules and
  stub out functions that are not implemented in production, replacing the file
  builtins with read-only versions and add enabled libraries to the path.

  Args:
    config: The runtime_config_pb2.Config to use to configure the sandbox.
  """

    devnull = open(os.path.devnull)
    modules = [os, traceback, google]
    c_module = _find_shared_object_c_module()
    if c_module:
        modules.append(c_module)
    module_paths = [module.__file__ for module in modules]
    module_paths.extend(
        [os.path.realpath(module.__file__) for module in modules])
    python_lib_paths = [config.application_root]
    for path in sys.path:
        if any(module_path.startswith(path) for module_path in module_paths):
            python_lib_paths.append(path)
    python_lib_paths.extend(_enable_libraries(config.libraries))
    # Note that the above code (see _find_shared_object_c_module) imports modules
    # that must be pruned so please use care if you move the call to
    # _prune_sys_modules.
    _prune_sys_modules()
    path_override_hook = PathOverrideImportHook(
        set(
            _THIRD_PARTY_LIBRARY_NAME_OVERRIDES.get(lib.name, lib.name)
            for lib in config.libraries).intersection(_C_MODULES))
    python_lib_paths.extend(path_override_hook.extra_sys_paths)
    if not config.vm:
        _install_fake_file(config, python_lib_paths, path_override_hook)
        _install_open_hooks()
    sys.platform = 'linux3'
    _install_import_hooks(config, path_override_hook)
    sys.path_importer_cache = {}
    sys.path = python_lib_paths[:]

    thread = __import__('thread')
    __import__('%s.threading' % dist27.__name__)
    threading = sys.modules['%s.threading' % dist27.__name__]
    thread.start_new_thread = _make_request_id_aware_start_new_thread(
        thread.start_new_thread)
    # This import needs to be after enabling the sandbox so it imports the
    # sandboxed version of the logging module.
    from google.appengine.runtime import runtime
    runtime.PatchStartNewThread(thread)
    threading._start_new_thread = thread.start_new_thread

    os.chdir(config.application_root)
    sandboxed_os = __import__('os')
    request_environment.PatchOsEnviron(sandboxed_os)
    os.__dict__.update(sandboxed_os.__dict__)
    _init_logging(config.stderr_log_level)
    pdb_sandbox.install(config)
    sys.stdin = devnull
    sys.stdout = sys.stderr
예제 #2
0
def enable_sandbox(config):
  """Enable the sandbox based on the configuration.

  This includes installing import hooks to restrict access to C modules and
  stub out functions that are not implemented in production, replacing the file
  builtins with read-only versions and add enabled libraries to the path.

  Args:
    config: The runtime_config_pb2.Config to use to configure the sandbox.
  """
  devnull = open(os.path.devnull)
  sys.platform = 'linux3'
  sys.meta_path = [
      PyCryptoRandomImportHook,
      ] + sys.meta_path
  app_root = config.application_root.decode()
  sys.path = [app_root] + sys.path

  thread = __import__('_thread')
  __import__('%s.threading' % dist27.__name__)
  threading = sys.modules['%s.threading' % dist27.__name__]
  thread.start_new_thread = _make_request_id_aware_start_new_thread(
      thread.start_new_thread)
  # This import needs to be after enabling the sandbox so it imports the
  # sandboxed version of the logging module.
  from google.appengine.runtime import runtime
  runtime.PatchStartNewThread(thread)
  threading._start_new_thread = thread.start_new_thread

  os.chdir(app_root)
  sandboxed_os = __import__('os')
  request_environment.PatchOsEnviron(sandboxed_os)
  os.__dict__.update(sandboxed_os.__dict__)
  _init_logging(config.stderr_log_level)
  pdb_sandbox.install(config)
  sys.stdin = devnull
  sys.stdout = sys.stderr
예제 #3
0
def enable_sandbox(config):
    """Enable the sandbox based on the configuration.

  This includes installing import hooks to restrict access to C modules and
  stub out functions that are not implemented in production, replacing the file
  builtins with read-only versions and add enabled libraries to the path.

  Args:
    config: The runtime_config_pb2.Config to use to configure the sandbox.
  """
    devnull = open(os.path.devnull)
    sys.platform = 'linux3'
    sys.meta_path = [
        PyCryptoRandomImportHook,
    ] + sys.meta_path
    app_root = config.application_root.decode()
    sys.path = [app_root] + sys.path

    thread = __import__('_thread')
    __import__('%s.threading' % dist27.__name__)
    threading = sys.modules['%s.threading' % dist27.__name__]
    thread.start_new_thread = _make_request_id_aware_start_new_thread(
        thread.start_new_thread)
    # This import needs to be after enabling the sandbox so it imports the
    # sandboxed version of the logging module.
    from google.appengine.runtime import runtime
    runtime.PatchStartNewThread(thread)
    threading._start_new_thread = thread.start_new_thread

    os.chdir(app_root)
    sandboxed_os = __import__('os')
    request_environment.PatchOsEnviron(sandboxed_os)
    os.__dict__.update(sandboxed_os.__dict__)
    _init_logging(config.stderr_log_level)
    pdb_sandbox.install(config)
    sys.stdin = devnull
    sys.stdout = sys.stderr
예제 #4
0
def enable_sandbox(config):
  """Enable the sandbox based on the configuration.

  This includes installing import hooks to restrict access to C modules and
  stub out functions that are not implemented in production, replacing the file
  builtins with read-only versions and add enabled libraries to the path.

  Args:
    config: The runtime_config_pb2.Config to use to configure the sandbox.
  """

  devnull = open(os.path.devnull)
  modules = [os, traceback, google, protorpc]
  c_module = _find_shared_object_c_module()
  if c_module:
    modules.append(c_module)
  module_paths = [module.__file__ for module in modules]
  module_paths.extend([os.path.realpath(module.__file__) for module in modules])
  python_lib_paths = [config.application_root]
  for path in sys.path:
    if any(module_path.startswith(path) for module_path in module_paths):
      python_lib_paths.append(path)
  python_lib_paths.extend(_enable_libraries(config.libraries))
  for name in list(sys.modules):
    if not _should_keep_module(name):
      _removed_modules.append(sys.modules[name])
      del sys.modules[name]
  path_override_hook = PathOverrideImportHook(
      set(_THIRD_PARTY_LIBRARY_NAME_OVERRIDES.get(lib.name, lib.name)
          for lib in config.libraries).intersection(_C_MODULES))
  python_lib_paths.extend(path_override_hook.extra_sys_paths)
  stubs.FakeFile.set_allowed_paths(config.application_root,
                                   python_lib_paths[1:] +
                                   path_override_hook.extra_accessible_paths)
  stubs.FakeFile.set_skip_files(config.skip_files)
  stubs.FakeFile.set_static_files(config.static_files)
  __builtin__.file = stubs.FakeFile
  __builtin__.open = stubs.FakeFile
  types.FileType = stubs.FakeFile
  sys.platform = 'linux3'
  enabled_library_regexes = [
      NAME_TO_CMODULE_WHITELIST_REGEX[lib.name] for lib in config.libraries
      if lib.name in NAME_TO_CMODULE_WHITELIST_REGEX]
  sys.meta_path = [
      StubModuleImportHook(),
      ModuleOverrideImportHook(_MODULE_OVERRIDE_POLICIES),
      BuiltinImportHook(),
      CModuleImportHook(enabled_library_regexes),
      path_override_hook,
      PyCryptoRandomImportHook,
      PathRestrictingImportHook(enabled_library_regexes)
      ]
  sys.path_importer_cache = {}
  sys.path = python_lib_paths[:]

  thread = __import__('thread')
  __import__('%s.threading' % dist27.__name__)
  threading = sys.modules['%s.threading' % dist27.__name__]
  thread.start_new_thread = _make_request_id_aware_start_new_thread(
      thread.start_new_thread)
  # This import needs to be after enabling the sandbox so it imports the
  # sandboxed version of the logging module.
  from google.appengine.runtime import runtime
  runtime.PatchStartNewThread(thread)
  threading._start_new_thread = thread.start_new_thread

  os.chdir(config.application_root)
  sandboxed_os = __import__('os')
  request_environment.PatchOsEnviron(sandboxed_os)
  os.__dict__.update(sandboxed_os.__dict__)
  _init_logging(config.stderr_log_level)
  pdb_sandbox.install()
  sys.stdin = devnull
  sys.stdout = sys.stderr
예제 #5
0
def enable_sandbox(config):
    """Enable the sandbox based on the configuration.

  This includes installing import hooks to restrict access to C modules and
  stub out functions that are not implemented in production, replacing the file
  builtins with read-only versions and add enabled libraries to the path.

  Args:
    config: The runtime_config_pb2.Config to use to configure the sandbox.
  """

    devnull = open(os.path.devnull)
    modules = [os, traceback, google]
    c_module = _find_shared_object_c_module()
    if c_module:
        modules.append(c_module)
    module_paths = [module.__file__ for module in modules]
    module_paths.extend([os.path.realpath(module.__file__) for module in modules])
    python_lib_paths = [config.application_root]
    for path in sys.path:
        if any(module_path.startswith(path) for module_path in module_paths):
            python_lib_paths.append(path)
    python_lib_paths.extend(_enable_libraries(config.libraries))
    # Note that the above code (see _find_shared_object_c_module) imports modules
    # that must be pruned so please use care if you move the call to
    # _prune_sys_modules.
    _prune_sys_modules()
    path_override_hook = PathOverrideImportHook(
        set(_THIRD_PARTY_LIBRARY_NAME_OVERRIDES.get(lib.name, lib.name) for lib in config.libraries).intersection(
            _C_MODULES
        )
    )
    python_lib_paths.extend(path_override_hook.extra_sys_paths)
    if not config.vm:
        _install_fake_file(config, python_lib_paths, path_override_hook)
        _install_open_hooks()
    sys.platform = "linux3"
    _install_import_hooks(config, path_override_hook)
    sys.path_importer_cache = {}
    if not config.vm:
        sys.path = python_lib_paths[:]
    else:
        # Use anything present on the sys.path if the runtime is on a vm.
        # This lets users use deps installed with pip.
        sys.path.extend(python_lib_paths)

    thread = __import__("thread")
    __import__("%s.threading" % dist27.__name__)
    threading = sys.modules["%s.threading" % dist27.__name__]
    thread.start_new_thread = _make_request_id_aware_start_new_thread(thread.start_new_thread)
    # This import needs to be after enabling the sandbox so it imports the
    # sandboxed version of the logging module.
    from google.appengine.runtime import runtime

    runtime.PatchStartNewThread(thread)
    threading._start_new_thread = thread.start_new_thread

    os.chdir(config.application_root)
    sandboxed_os = __import__("os")
    request_environment.PatchOsEnviron(sandboxed_os)
    os.__dict__.update(sandboxed_os.__dict__)
    _init_logging(config.stderr_log_level)
    pdb_sandbox.install(config)
    sys.stdin = devnull
    sys.stdout = sys.stderr
예제 #6
0
def enable_sandbox(config):
  """Enable the sandbox based on the configuration.

  This includes installing import hooks to restrict access to C modules and
  stub out functions that are not implemented in production, replacing the file
  builtins with read-only versions and add enabled libraries to the path.

  Args:
    config: The runtime_config_pb2.Config to use to configure the sandbox.
  """

  devnull = open(os.path.devnull)
  modules = [os, traceback, google]
  c_module = _find_shared_object_c_module()
  if c_module:
    modules.append(c_module)
  module_paths = [module.__file__ for module in modules]
  module_paths.extend([os.path.realpath(module.__file__) for module in modules])
  python_lib_paths = [config.application_root]
  for path in sys.path:
    if any(module_path.startswith(path) for module_path in module_paths):
      python_lib_paths.append(path)
  python_lib_paths.extend(_enable_libraries(config.libraries))
  for name in list(sys.modules):
    if not _should_keep_module(name):
      _removed_modules.append(sys.modules[name])
      del sys.modules[name]
  path_override_hook = PathOverrideImportHook(
      set(_THIRD_PARTY_LIBRARY_NAME_OVERRIDES.get(lib.name, lib.name)
          for lib in config.libraries).intersection(_C_MODULES))
  python_lib_paths.extend(path_override_hook.extra_sys_paths)
  stubs.FakeFile.set_allowed_paths(config.application_root,
                                   python_lib_paths[1:] +
                                   path_override_hook.extra_accessible_paths)
  stubs.FakeFile.set_skip_files(config.skip_files)
  stubs.FakeFile.set_static_files(config.static_files)
  __builtin__.file = stubs.FakeFile
  __builtin__.open = stubs.FakeFile
  types.FileType = stubs.FakeFile
  sys.platform = 'linux3'
  enabled_library_regexes = [
      NAME_TO_CMODULE_WHITELIST_REGEX[lib.name] for lib in config.libraries
      if lib.name in NAME_TO_CMODULE_WHITELIST_REGEX]
  sys.meta_path = [
      StubModuleImportHook(),
      ModuleOverrideImportHook(_MODULE_OVERRIDE_POLICIES),
      CModuleImportHook(enabled_library_regexes),
      path_override_hook,
      PyCryptoRandomImportHook,
      PathRestrictingImportHook(enabled_library_regexes)
      ]
  sys.path_importer_cache = {}
  sys.path = python_lib_paths[:]

  thread = __import__('thread')
  __import__('%s.threading' % dist27.__name__)
  threading = sys.modules['%s.threading' % dist27.__name__]
  thread.start_new_thread = _make_request_id_aware_start_new_thread(
      thread.start_new_thread)
  # This import needs to be after enabling the sandbox so it imports the
  # sandboxed version of the logging module.
  from google.appengine.runtime import runtime
  runtime.PatchStartNewThread(thread)
  threading._start_new_thread = thread.start_new_thread

  os.chdir(config.application_root)
  sandboxed_os = __import__('os')
  request_environment.PatchOsEnviron(sandboxed_os)
  os.__dict__.update(sandboxed_os.__dict__)
  _init_logging(config.stderr_log_level)
  pdb_sandbox.install(config)
  sys.stdin = devnull
  sys.stdout = sys.stderr
예제 #7
0
def enable_sandbox(config):
    """Enable the sandbox based on the configuration.

  This includes installing import hooks to restrict access to C modules and
  stub out functions that are not implemented in production, replacing the file
  builtins with read-only versions and add enabled libraries to the path.

  Args:
    config: The runtime_config_pb2.Config to use to configure the sandbox.
  """

    devnull = open(os.path.devnull)
    modules = [os, traceback, google]
    c_module = _find_shared_object_c_module()
    if c_module:
        modules.append(c_module)
    module_paths = [module.__file__ for module in modules]
    module_paths.extend(
        [os.path.realpath(module.__file__) for module in modules])
    python_lib_paths = [config.application_root]
    for path in sys.path:
        if any(module_path.startswith(path) for module_path in module_paths):
            python_lib_paths.append(path)
    python_lib_paths.extend(_enable_libraries(config.libraries))
    # Note that the above code (see _find_shared_object_c_module) imports modules
    # that must be pruned so please use care if you move the call to
    # _prune_sys_modules.
    _prune_sys_modules()
    path_override_hook = PathOverrideImportHook(
        THIRD_PARTY_C_MODULES.get_importable_module_names(config))
    python_lib_paths.extend(path_override_hook.extra_sys_paths)
    if not config.vm:
        _install_fake_file(config, python_lib_paths, path_override_hook)
        _install_open_hooks()

    # NOTE(bryanmau): The sys.platform was a hack needed to solve
    # b/7482060.  After python version 2.7.4 this is no longer needed.
    def was_created_before(ver1, ver2):
        """Returns true if the integer tuple ver1 is less than the tuple ver2."""
        if ver1[0] != ver2[0]:
            return ver1[0] < ver2[0]
        elif ver1[1] != ver2[1]:
            return ver1[1] < ver2[1]
        else:
            return ver1[2] < ver2[2]

    if was_created_before(sys.version_info, (2, 7, 4)):
        sys.platform = 'linux3'

    _install_import_hooks(config, path_override_hook)
    sys.path_importer_cache = {}
    if not config.vm:
        sys.path = python_lib_paths[:]
    else:
        # Use anything present on the sys.path if the runtime is on a vm.
        # This lets users use deps installed with pip.
        sys.path.extend(python_lib_paths)

    thread = __import__('thread')
    __import__('%s.threading' % dist27.__name__)
    threading = sys.modules['%s.threading' % dist27.__name__]
    thread.start_new_thread = _make_request_id_aware_start_new_thread(
        thread.start_new_thread)
    # This import needs to be after enabling the sandbox so it imports the
    # sandboxed version of the logging module.
    from google.appengine.runtime import runtime
    runtime.PatchStartNewThread(thread)
    threading._start_new_thread = thread.start_new_thread

    os.chdir(config.application_root)
    sandboxed_os = __import__('os')
    request_environment.PatchOsEnviron(sandboxed_os)
    os.__dict__.update(sandboxed_os.__dict__)
    _init_logging(config.stderr_log_level)
    pdb_sandbox.install(config)
    sys.stdin = devnull
    sys.stdout = sys.stderr
예제 #8
0
def enable_sandbox(config):
  """Enable the sandbox based on the configuration.

  This includes installing import hooks to restrict access to C modules and
  stub out functions that are not implemented in production, replacing the file
  builtins with read-only versions and add enabled libraries to the path.

  Args:
    config: The runtime_config_pb2.Config to use to configure the sandbox.
  """









  devnull = open(os.path.devnull)
  modules = [os, traceback, google]
  c_module = _find_shared_object_c_module()
  if c_module:
    modules.append(c_module)
  module_paths = [module.__file__ for module in modules]
  module_paths.extend([os.path.realpath(module.__file__) for module in modules])
  python_lib_paths = [config.application_root]
  for path in sys.path:
    if any(module_path.startswith(path) for module_path in module_paths):
      python_lib_paths.append(path)
  python_lib_paths.extend(_enable_libraries(config.libraries))
  # Note that the above code (see _find_shared_object_c_module) imports modules
  # that must be pruned so please use care if you move the call to
  # _prune_sys_modules.
  #
  # Also note that _prune_sys_modules may not make sense for non-CPython
  # environments, so in that situation, don't.
  if platform.python_implementation() == 'CPython':
    _prune_sys_modules()
  path_override_hook = PathOverrideImportHook(
      set(_THIRD_PARTY_LIBRARY_NAME_OVERRIDES.get(lib.name, lib.name)
          for lib in config.libraries).intersection(_C_MODULES))
  python_lib_paths.extend(path_override_hook.extra_sys_paths)
  if not config.vm:
    _install_fake_file(config, python_lib_paths, path_override_hook)
    _install_open_hooks()

  # NOTE(bryanmau): The sys.platform was a hack needed to solve
  # b/7482060.  After python version 2.7.4 this is no longer needed.
  def was_created_before(ver1, ver2):
    """Returns true if the integer tuple ver1 is less than the tuple ver2."""
    if ver1[0] != ver2[0]:
      return ver1[0] < ver2[0]
    elif ver1[1] != ver2[1]:
      return ver1[1] < ver2[1]
    else:
      return ver1[2] < ver2[2]

  if was_created_before(sys.version_info, (2, 7, 4)):
    sys.platform = 'linux3'

  _install_import_hooks(config, path_override_hook)
  sys.path_importer_cache = {}
  if not config.vm:
    sys.path = python_lib_paths[:]
  else:
    # Use anything present on the sys.path if the runtime is on a vm.
    # This lets users use deps installed with pip.
    sys.path.extend(python_lib_paths)

  thread = __import__('thread')
  __import__('%s.threading' % dist27.__name__)
  threading = sys.modules['%s.threading' % dist27.__name__]
  thread.start_new_thread = _make_request_id_aware_start_new_thread(
      thread.start_new_thread)
  # This import needs to be after enabling the sandbox so it imports the
  # sandboxed version of the logging module.
  from google.appengine.runtime import runtime
  runtime.PatchStartNewThread(thread)
  threading._start_new_thread = thread.start_new_thread

  os.chdir(config.application_root)
  sandboxed_os = __import__('os')
  request_environment.PatchOsEnviron(sandboxed_os)
  os.__dict__.update(sandboxed_os.__dict__)
  _init_logging(config.stderr_log_level)
  pdb_sandbox.install(config)
  sys.stdin = devnull
  sys.stdout = sys.stderr