I wish python had proper sandbox configuration. This would be great for user defined scripts but only if I could disable filesystem and network syscalls for the user defined code.
I wish python had proper sandbox configuration. This would be great for user defined scripts but only if I could disable filesystem and network syscalls for the user defined code.
You could use starlark but I don't have context for what you're using Python for specifically. Starlark has stronger hermetic guarantee.
This uses UDS (Unix Domain Sockets) to communicate, which are file-like and can be mounted from the host filesystem inside a container.
As long as the socket is writable, the rest of the filesystem(s) don't have to be. Same goes for the networking, which can be very isolated and restricted.
It should be possible to do what you want.
chroot ? :)
Pretty sure chroot is not an isolation method, it's way too easy to bypass when used as such