Securing arbitrary code execution in Rust
I have a Rust application receiving a lot of data. The programmer can make different Python files to test different algorithms on that same data. He uploads the Python file and in Rust the Python-file is executed using PyO3.
So the purpose of the Rust application is to execute arbitrary Python code, it is an internal application so normally all the users are trusted. But still, this needs to be secured somehow.
Is there a way of securing this? I thought about sandboxing or virtualizing the Python files using venv or something, but the problem is that the files are not executed with a Python interpreter but rather by Rust. Is there maybe something on the OS-level (Linux) I could do?
The executed Python file should not be able to read or write anything on the system or make a connection of any kind to an external source. It is purely to analyze data. So maybe I could import popular mathematical libraries when interpreting the Python files in Rust and disallow any other import? And blacklist words like "import", "os", "exec",...
