Creating Import Hooks

[Sreejith K]

Hi everyone,

I need to implement custom import hooks for an application (http://
www.python.org/dev/peps/pep-0302/). I want to restrict an application
to import certain modules (say socket module). Google app engine is
using a module hook to do this (HardenedModulesHook in google/
appengine/tools/dev_appserver.py). But I want to allow that
application to use an sdk module (custom) which imports and uses
socket module. But the module hook restricts the access by sdk.
Finding out, which file is importing a module give a solution?? ie. If
the application is importing socket module, I want to restrict it. But
if the sdk module is importing socket I want to allow it. Is there any
way I can do this ?

Application
========
import sdk
import socket # I dont want to allow this (need to raise
ImportError)

SDK
====
import socket # need to allow this

 

[Jonathan Gardner]

Hi everyone,

I need to implement custom import hooks for an application (http://www.python.org/dev/peps/pep-0302/). I want to restrict an application
to import certain modules (say socket module). Google app engine is
using a module hook to do this (HardenedModulesHook in google/
appengine/tools/dev_appserver.py). But I want to allow that
application to use an sdk module (custom) which imports and uses
socket module. But the module hook restricts the access by sdk.
Finding out, which file is importing a module give a solution?? ie. If
the application is importing socket module, I want to restrict it. But
if the sdk module is importing socket I want to allow it. Is there any
way I can do this ?

Application
========
import sdk
import socket               # I dont want to allow this (need to raise
ImportError)

SDK
====
import socket               # need to allow this

SDK
===
import socket

App
===
import SDK
import sys
socket = sys.modules['socket']

 

[Steven D'Aprano]

Hi everyone,

I need to implement custom import hooks for an application
(http://www.python.org/dev/peps/pep-0302/). I want to restrict an
application to import certain modules (say socket module). Google app
engine is using a module hook to do this (HardenedModulesHook in
google/ appengine/tools/dev_appserver.py). But I want to allow that
application to use an sdk module (custom) which imports and uses socket
module. But the module hook restricts the access by sdk. Finding out,
which file is importing a module give a solution?? ie. If the
application is importing socket module, I want to restrict it. But if
the sdk module is importing socket I want to allow it. Is there any way
I can do this ?

Application
========
import sdk
import socket               # I dont want to allow this (need to raise
ImportError)

SDK
====
import socket               # need to allow this

SDK
===
import socket

App
===
import SDK
import sys
socket = sys.modules['socket']

I'm not sure, but I think Sreejith wants to prohibit imports from the App
layer while allowing them from the SDK layer, not work around a
prohibition in the SDK layer.

In other words, he wants the import hook to do something like this:

if module is socket and the caller is not SKD:
prohibit
else
allow



I could be wrong of course.

 

[Sreejith K]

SDK
===
import socket

App
===
import SDK
import sys
socket = sys.modules['socket']

I'm not sure, but I think Sreejith wants to prohibit imports from the App
layer while allowing them from the SDK layer, not work around a
prohibition in the SDK layer.

In other words, he wants the import hook to do something like this:

if module is socket and the caller is not SKD:
    prohibit
else
    allow

I could be wrong of course.

@Steven, Thats exactly what I want.. Anyway to do that ??

 

[Jean-Michel Pichavant]

Hi everyone,

I need to implement custom import hooks for an application
(http://www.python.org/dev/peps/pep-0302/). I want to restrict an
application to import certain modules (say socket module). Google app
engine is using a module hook to do this (HardenedModulesHook in
google/ appengine/tools/dev_appserver.py). But I want to allow that
application to use an sdk module (custom) which imports and uses socket
module. But the module hook restricts the access by sdk. Finding out,
which file is importing a module give a solution?? ie. If the
application is importing socket module, I want to restrict it. But if
the sdk module is importing socket I want to allow it. Is there any way
I can do this ?

Application
========
import sdk
import socket # I dont want to allow this (need to raise
ImportError)

SDK
====
import socket # need to allow this

SDK
===
import socket

App
===
import SDK
import sys
socket = sys.modules['socket']

I'm not sure, but I think Sreejith wants to prohibit imports from the App
layer while allowing them from the SDK layer, not work around a
prohibition in the SDK layer.

In other words, he wants the import hook to do something like this:

if module is socket and the caller is not SKD:
prohibit
else
allow

I could be wrong of course.

@steven, Thats exactly what I want.. Anyway to do that ??

import sys
sys.modules['socket'] = None


import socket
---------------------------------------------------------------------------
ImportError Traceback (most recent call last)

ImportError: No module named socket


JM

 

[Sreejith K]

On Feb 18, 1:57 pm, Steven D'Aprano

On Thu, 18 Feb 2010 00:03:51 -0800, Jonathan Gardner wrote:
Hi everyone,
I need to implement custom import hooks for an application
(http://www.python.org/dev/peps/pep-0302/). I want to restrict an
application to import certain modules (say socket module). Google app
engine is using a module hook to do this (HardenedModulesHook in
google/ appengine/tools/dev_appserver.py). But I want to allow that
application to use an sdk module (custom) which imports and uses socket
module. But the module hook restricts the access by sdk. Finding out,
which file is importing a module give a solution?? ie. If the
application is importing socket module, I want to restrict it. But if
the sdk module is importing socket I want to allow it. Is there any way
I can do this ?
Application
========
import sdk
import socket               # I dont want to allow this (need to raise
ImportError)
SDK
====
import socket               # need to allow this
SDK
===
import socket
App
===
import SDK
import sys
socket = sys.modules['socket']
I'm not sure, but I think Sreejith wants to prohibit imports from the App
layer while allowing them from the SDK layer, not work around a
prohibition in the SDK layer.
In other words, he wants the import hook to do something like this:
if module is socket and the caller is not SKD:
    prohibit
else
    allow
I could be wrong of course.

@Steven, Thats exactly what I want.. Anyway to do that ??

import sys
sys.modules['socket'] = None

import socket
---------------------------------------------------------------------------
ImportError                               Traceback (most recent call last)

ImportError: No module named socket

JM

@Jean. Thanks for the reply. But this is not what I wanted. The import
hook already restricts socket imports in applications. But I want them
in sdk package (alone) which is being imported in the application. I
don't want applications to directly use the socket module. That means
I want to make some exceptions for sdk in import hooks.

 

[Jean-Michel Pichavant]

On Feb 18, 1:57 pm, Steven D'Aprano

On Thu, 18 Feb 2010 00:03:51 -0800, Jonathan Gardner wrote:


Hi everyone,

I need to implement custom import hooks for an application
(http://www.python.org/dev/peps/pep-0302/). I want to restrict an
application to import certain modules (say socket module). Google app
engine is using a module hook to do this (HardenedModulesHook in
google/ appengine/tools/dev_appserver.py). But I want to allow that
application to use an sdk module (custom) which imports and uses socket
module. But the module hook restricts the access by sdk. Finding out,
which file is importing a module give a solution?? ie. If the
application is importing socket module, I want to restrict it. But if
the sdk module is importing socket I want to allow it. Is there any way
I can do this ?

Application
========
import sdk
import socket # I dont want to allow this (need to raise
ImportError)

SDK
====
import socket # need to allow this

SDK
===
import socket

App
===
import SDK
import sys
socket = sys.modules['socket']

I'm not sure, but I think Sreejith wants to prohibit imports from the App
layer while allowing them from the SDK layer, not work around a
prohibition in the SDK layer.

In other words, he wants the import hook to do something like this:

if module is socket and the caller is not SKD:
prohibit
else
allow

I could be wrong of course.

import sys
sys.modules['socket'] = None

import socket
---------------------------------------------------------------------------
ImportError Traceback (most recent call last)

ImportError: No module named socket

JM

@Jean. Thanks for the reply. But this is not what I wanted. The import
hook already restricts socket imports in applications. But I want them
in sdk package (alone) which is being imported in the application. I
don't want applications to directly use the socket module. That means
I want to make some exceptions for sdk in import hooks.

give us your code (the hook import)

in your entry file:

import socket
import sys
sys.modules['sdkSocket'] = sys.modules['socket'] # allow to import
socket ad sdkSocket
sys.modules['socket'] = None # forbid to import socket
del socket

within your SDK:
import sdkSocket # actually the socket module

print sdkSocket.__file__
'/usr/lib/python2.5/socket.pyc'

JM

 

[Jonathan Gardner]

Hi everyone,
I need to implement custom import hooks for an application
(http://www.python.org/dev/peps/pep-0302/). I want to restrict an
application to import certain modules (say socket module). Google app
engine is using a module hook to do this (HardenedModulesHook in
google/ appengine/tools/dev_appserver.py). But I want to allow that
application to use an sdk module (custom) which imports and uses socket
module. But the module hook restricts the access by sdk. Finding out,
which file is importing a module give a solution?? ie. If the
application is importing socket module, I want to restrict it. But if
the sdk module is importing socket I want to allow it. Is there any way
I can do this ?
Application
========
import sdk
import socket               # I dont want to allow this (need to raise
ImportError)
SDK
====
import socket               # need to allow this
SDK
===
import socket
App
===
import SDK
import sys
socket = sys.modules['socket']

I'm not sure, but I think Sreejith wants to prohibit imports from the App
layer while allowing them from the SDK layer, not work around a
prohibition in the SDK layer.

In other words, he wants the import hook to do something like this:

if module is socket and the caller is not SKD:
    prohibit
else
    allow

I could be wrong of course.

@steven, Thats exactly what I want.. Anyway to do that ??

My point was that it's really pointless to try to enforce any such
thing on the program or programmer. There are ways around it. If you
don't want them to play with socket, write in the documentation:
"Don't play with the 'socket' module."

If you want to prevent them from touching sockets at all, it's time to
rethink your design. You may want to have a talk with Bruce Schneier,
or at least read what he's written if you still think you need to
somehow shut down a part of the system to its users.

Oftentimes, programmers think they need to have control over what
other people write, forgetting that they are able to do what they do
due to the freedoms afforded them. They also forget that they are not
in control of what other programmers do, anymore than a grocery store
who refuses to stock a certain product can prevent people from getting
that product.

Write your code to expand freedoms, not limit them. If your design
depends on limiting the choices of your users, you have done something
wrong.