Canonical boundary definition: see docs/threat-model.md (frozen baseline).

We assume the kernel and hardware are trusted and un‑compromised. Kernel exploits or speculative‑execution side channels are out of scope (see §6).

PyIsolate uses sub‑interpreters as execution cells for scheduling and lifecycle, while the actual security boundary is kernel/process level enforcement (cgroups, eBPF/LSM, and broker mediation). Sub‑interpreters alone are not treated as a hard isolation boundary in production.

1. Process containment — Guest code cannot execute syscalls outside the eBPF allow‑list.
2. Memory safety — Each interpreter is hard‑capped to its RAM quota at the allocator level; no guest can corrupt another’s heap.
3. Broker integrity & replay protection — All control‑plane frames are AEAD‑sealed (X25519 → ChaCha20‑Poly1305) with strictly increasing counters; forged or replayed frames are dropped.
4. Policy hot‑reload atomicity — Policy updates are applied with a RCU‑style swap; a sandbox sees either the old or the new rule‑set, never a mix.
5. Crash isolation — Double‑faulting or segfault‑inducing code inside a sandboxed thread cannot bring down the supervisor (guarded by pthread_sigmask & alt‑stack guards).

Anything not listed above is not guaranteed.

• LSM hooks (file_open, inode_unlink, socket_connect) — path‑aware FS & net gating.
• cgroup programs — per‑sandbox memory (cgroup/mem), CPU (perf‑event) & bandwidth limits.
• Tracepoint programs — instant kill on execve, ptrace, bpf(), or other high‑risk syscalls.

• No‑GIL build — removes the global interpreter lock; each sandbox runs on its own OS thread.
• Per‑interpreter arenas — allocator instances are never shared; freelists are local.
• Stack canaries — CPython compiled with -fstack-protector-strong.
• Control‑flow integrity — built with -fsanitize=cfi to detect code‑reuse attacks.
• Builtin shrink‑wrap — __import__, open, ctypes, cffi, dlopen, mmap, and pickle removed unless explicitly re‑enabled via policy.

• Noise‑like 1‑RTT handshake: X25519 + optional Kyber‑768 hybrid → HKDF‑SHA‑256.
• Per‑frame AEAD: ChaCha20‑Poly1305 (96‑bit nonce, 16‑byte tag).
• 64‑bit monotone counter, stored in a lock‑free slab per channel; any rollback closes the channel.
• Keys can be rotated by repeating the handshake; counters reset on success.

• Reads a perf‑ring buffer from resource_guard.bpf; sends SIGXCPU or SIGTERM on quota breach.
• Fail‑closed: if the ringbuffer stalls → sandbox thread is cancelled.

1. Sub‑interpreter: execution cell only.
2. Thread: scheduling/accounting unit.
3. Process + kernel policy: primary production security boundary.
4. Container/microVM: stronger boundary and recommended fallback for hostile multi‑tenant environments.

• Linux ≥ 6.6 (BPF‑LSM + BPF tokens). CO‑RE objects ensure portability.
• x86‑64 & aarch64 tested in CI.
• cBPF‑only kernels → fallback to Landlock + rlimit mode (reduced guarantees).

1. Reproducible builds — nix flake and Dockerfile produce identical SHA‑256 artefacts.
2. Statically‑linked libsodium — version pinned; signatures verified.
3. eBPF bytecode — compiled with clang‑17, stripped, SHA‑256 recorded in bpf/manifest.lock.
4. GitHub Actions — signed artefacts (cosign), provenance uploaded to Supply‑Chain Levels for Software Artifacts (SLSA) workflow.

Email: security@pyisolate.dev (GPG key 0xBEEFDEADCAFEBABE).

We follow RFC 9116: ├── /.well‑known/security.txt with contact & encryption info.

Q: Why not seccomp only? A: eBPF‑LSM lets us filter on path & arguments, not just syscall numbers. See Design.

Q: Does crypto add noticeable latency? A: Handshake ≈ 18 µs; per‑frame overhead < 400 ns on AVX2.

Q: Can I disable the broker and talk directly to the FS? A: No. That defeats the trust boundary. Write a plugin that proxies the operation through approved opcodes.