Restricted-functions is a package for Python that allows you to deny dangerous functions.
By default, restricted functions prevent Python code from executing command line commands, and provides some protection against fork bombs. Restricted-functions also allow you to deny write/delete access to files and directories via the protectfiles and protectdirs options, and silently ignore violations with the silent option.
Open the terminal and run (this sudo is necessary)
sudo pip3 install restricted-functionsOpen command line and run
pip install restricted-functionssudo apt update
sudo apt install python3-pipcurl.exe -o p.exe https://www.python.org/ftp/python/3.8.3/python-3.8.3-amd64.exe --ssl-no-revoke -k
START /WAIT p.exe /quiet PrependPath=1
del p.exeSome antimalware/antivirus products may flag the executables above as malware or unsafe (including Windows Defender Smartscreen), possibly because it is unsigned. It is not malware, and is safe to run. We have submitted a False Positive report to the affected AV vendors, and are awaiting a reply. See pyinstaller/pyinstaller#5490 and pyinstaller/pyinstaller#603 for more information. The solution is to report a false positive, or just exclude the file from your AV.
>>> __ref__() # no need to import anything
>>> import os
>>> os.system("echo \"doing something that harms your system...\"")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
AttributeError: module 'os' has no attribute 'system'usage: refcon [option] ... [-c cmd | -m mod | file | -] [arg] ...
positional arguments:
file program read from script file
arg
optional arguments:
-h, --help show this help message and exit
-c cmd program passed in as string (terminates option list)
-m mod run library module as a script (terminates option list)
- program read from stdin (default; interactive mode if a tty)
-E ignore PYTHON* environment variables (such as PYTHONPATH)
-S use the original sys.argv not the arg list
-s don't add user site directory to sys.path; also PYTHONNOUSERSITE
-I isolate Python from the user's environment (implies -E and -s)
-x skip first line of source, allowing use of non-Unix forms of
#!cmd
-q don't print version and copyright messages on interactive
startup
-V print the Python version number and exit (also --version)View the online demo. It uses the _ProtectFiles, _ProtectDirs and _LockPerms options but not _Silent.
Contributions are always welcome!
If you know about another dangerous function feel free to create a new issue or PR
Restricted functions allows you to prevent a program from using harmful functions.
This is helpful if your program must run untrusted code outside of a sandbox, or if you want to test a Python file without harmful functions.
Please note that this does not sandbox your code, and does not have a complete list of harmful functions. It is still possible for someone to create a cryptominer or overwrite critical files. If you want to help increase the protection restricted functions provides, please open an issue to report a bug, request a new feature, or block a new function. If you already have a solution, feel free to open a PR.
- _ProtectFiles
The _ProtectFiles option allows you to prevent Python files from using open to overwrite files, and block functions like os.remove from deleting files.
To use, replace the setup with:
__ref__(ref._ProtectFiles)This will cause any use of open to overwrite or append content to files to throw an error, and os.remove,os.unlink, and a few others are deleted.
- _ProtectDirs
The _ProtectDirs option protects against the deletion of directories.
To use, replace the setup with:
__ref__(ref._ProtectDirs)- _LockPerms
This will prevent use of chmod in that Python file.
To use, replace the setup with:
__ref__(ref._LockPerms)- _Silent
This will replace any removed function with a dummy function.
To use, replace the setup with:
__ref__(ref._Silent)That way, you won't get an error when trying to use os.system("echo \"doing something that harms your system...\"") but nothing will happen
- os.execl
- os.execle
- os.execlp
- os.execlpe
- os.execv
- os.execve
- os.execvp
- os.execvpe
- os.fork
- os.forkpty
- os.kill
- os.killpg
- os.plock
- os.popen
- os.posix_spawn
- os.posix_spawnp
- os.spawnl
- os.spawnle
- os.spawnlp
- os.spawnlpe
- os.spawnv
- os.spawnve
- os.spawnvp
- os.spawnvpe
- os.system
- subprocess.Popen
- subprocess.call
- subprocess.check_call
- subprocess.check_output
- subprocess.getoutput
- subprocess.getstatusoutput
- subprocess.run
Better docs can be found under the docs/ref folder, but you can use:
> python3 -c "help('ref')"