A system is provided to prevent unauthorized access to computer system resources. The system operates by receiving a section of programming language code to execute on a computer system. This programming language code includes a pragma that defines a set of resources that the programming language code has permission to access. The system analyzes the pragma to determine the set of resources. After analyzing the pragma, the system processes the programming language code in accordance with the pragma. The system can further process the program in accordance with the pragma involves creating a sandbox that includes the set of resources defined by the pragma. The system then executes the programming language code within the boundaries of the sandbox.