
GH-115322: Add missing audit hooks

Open RobinJadoul opened this issue 1 year ago • 2 comments


I've left out the potential ctypes.cdata/function event for now, as constructing a function without notice is not as bad when you cannot call it without an audit hook anymore. Calling some functions in ctypes (as far as I can see: (w)string_at) now has two associated hooks, going first through the generic ctypes.call_function and then their preexisting specific hook (ctypes.(w)string_at). It would be nice to associate a ctypes.call_function with its function name, but this isn't possible in general (as you could technically call into arbitrary addresses), and I couldn't find a nice way to do it even in the "nice" case.

For _posixsubprocess.fork_exec, I instead opted to introduce a new event of its own, as wrangling the slightly weird setup with executable_list and passing env as a list rather than the usual dict makes it more annoying to (cheaply) map onto the semantics of the existing events. If constructing an explicit dict or passing an env list to those would be preferred, it should be possible to assume the worst case for the executable_list and do a hook for each element. In the "normal" case, going through multiprocessing.util.spawnv_passfds, only a single element would be passed either way.

readline has a few of its own problems, mostly when dealing with filename arguments being set to None. For the *_history_file functions, I opted to hardcode the ~/.history path that can also be found in the documentation, even though the logic inside readline is slightly more elaborate, e.g. finding a different path when on Windows, and expanding out the home directory. For read_init_file(None), the logic is even more convoluted, and pointing out the exact path would require replicating it and keeping up with any possible future updates. Instead, I chose to represent this by <readline_init_file>.


📚 Documentation preview 📚: https://cpython-previews--115624.org.readthedocs.build/

RobinJadoul, Feb 18 '24 02:02
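The PR description above says that a call to ctypes.string_at raises the generic ctypes.call_function event first and the pre-existing ctypes.string_at event second. The script below is an added example, not code from the PR or from CPython, that lets you check that claim against the interpreter you are running: it installs an audit hook, performs one string_at call on a buffer it owns, and returns the watched events in the order they fired. The names TRACE, WATCHED, _audit, events_for_string_at and has_generic_call_event, and the sample buffer, are this example's own; whether ctypes.call_function shows up depends on whether your build includes this PR's change, while ctypes.string_at (documented since 3.8) always does.

```python
"""Observe which audit events a ctypes.string_at() call raises.

Added example (not CPython's or the PR's code). TRACE, WATCHED, _audit,
events_for_string_at and has_generic_call_event are this example's own names.
"""
from __future__ import annotations

import ctypes
import sys
from typing import Any

# Ordered log of (event, args) for the ctypes events this example watches.
# Everything else the interpreter emits (open, import, compile, ...) is
# dropped inside the hook so it stays cheap and never interferes.
TRACE: list[tuple[str, tuple[Any, ...]]] = []

WATCHED = frozenset({
    "ctypes.call_function",  # generic event for a foreign call (what the PR adds to string_at)
    "ctypes.string_at",      # specific event raised inside string_at() itself
    "ctypes.wstring_at",
})


def _audit(event: str, args: tuple[Any, ...]) -> None:
    # Audit hooks must never raise: an exception here would surface at the
    # call site that triggered the event. Record and return, nothing else.
    if event in WATCHED:
        TRACE.append((event, args))


# Hooks cannot be removed once installed and fire for the whole process.
sys.addaudithook(_audit)


def events_for_string_at(data: bytes = b"hello, audit") -> tuple[int, list[tuple[str, tuple[Any, ...]]]]:
    """Call ctypes.string_at on a constructed buffer and return
    (buffer address, watched events raised by that call, in order)."""
    start = len(TRACE)
    buf = ctypes.create_string_buffer(data)  # raises ctypes.create_string_buffer, not watched
    addr = ctypes.addressof(buf)             # raises ctypes.addressof, not watched
    out = ctypes.string_at(addr, len(data))
    if out != data:
        raise RuntimeError("string_at returned unexpected bytes")
    return addr, TRACE[start:]


def has_generic_call_event(data: bytes = b"probe") -> bool:
    """True if this interpreter raises ctypes.call_function for the foreign
    call behind string_at (the behaviour the PR describes), False if only
    the pre-existing ctypes.string_at event is observed."""
    _, trace = events_for_string_at(data)
    return any(name == "ctypes.call_function" for name, _ in trace)


if __name__ == "__main__":
    addr, trace = events_for_string_at()
    print(f"buffer at {addr:#x}")
    for name, args in trace:
        print(f"{name}: {args}")
    print("generic ctypes.call_function seen:", has_generic_call_event())
```

The ctypes.string_at event carries (ptr, size), so the pointer it reports should equal the address of the buffer passed in; a hook that wants to log what native memory was read can use that directly. If ctypes.call_function is present in the trace it should precede ctypes.string_at, matching the ordering described in the PR.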

All commit authors signed the Contributor License Agreement.

cpython-cla-bot[bot], Feb 18 '24 02:02

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

bedevere-app[bot], Feb 18 '24 02:02