bpo-41162: Clear audit hooks after destructors #21222
Conversation
|
Although calling I think it's better to remove the global hook after the interpreter hook? |
| /* Both _PySys_ClearAuditHooks function and users still need PyObject, | ||
| such as tuple. */ | ||
| if (is_main_interp) { | ||
| _PySys_ClearAuditHooks(tstate); |
There was a problem hiding this comment.
It would be safer to call it after PyInterpreterState_Delete(). It requires to simplify _PySys_ClearAuditHooks() to only access _PyRuntime: don't call _PySys_Audit() anymore, and avoid PyThreadState * since it doesn't exist anymore after PyInterpreterState_Delete().
After PyInterpreterState_Delete() is called, it's no longer possible to execute Python code.
I suggest to move the call in Py_Finalize() after finalize_interp_delete() call.
There was a problem hiding this comment.
That means we also need to change pep-0578. C-level hook removal won't cause sys._clearaudithooks event.
I think there is no chance for pure python code to execute code in this patch.
...Or maybe they change object in finalize_interp_types with ctypes.
If it's possible to execute Python code in this place, should we also redesign interpreter hook removal opportunity?
There was a problem hiding this comment.
The hook can (and will) do anything, but the more important issue is that PySys_Audit will create a tuple object, which can't be allowed after finalization. And we can't change the API to allow passing NULL for args at this stage.
After doing my own experimentation, this is the best place to put it.
It seems safer to me to remove the https://bugs.python.org/issue41162 is in contradiction with the |
|
I found |
|
The PEP only listed suggested events, not the official list. https://docs.python.org/3/library/audit_events.html is the reference. Also, I made these updates to --- a/Programs/_testembed.c
+++ b/Programs/_testembed.c
@@ -1112,8 +1112,11 @@ static int test_open_code_hook(void)
return result;
}
+static int _audit_hook_clear_count = 0;
+
static int _audit_hook(const char *event, PyObject *args, void *userdata)
{
+ assert(args && PyTuple_CheckExact(args));
if (strcmp(event, "_testembed.raise") == 0) {
PyErr_SetString(PyExc_RuntimeError, "Intentional error");
return -1;
@@ -1122,6 +1125,8 @@ static int _audit_hook(const char *event, PyObject *args, void *userdata)
return -1;
}
return 0;
+ } else if (strcmp(event, "cpython._PySys_ClearAuditHooks") == 0) {
+ _audit_hook_clear_count += 1;
}
return 0;
}
@@ -1167,6 +1172,9 @@ static int test_audit(void)
{
int result = _test_audit(42);
Py_Finalize();
+ if (_audit_hook_clear_count != 1) {
+ return 0x1000 | _audit_hook_clear_count;
+ }
return result;
} |
Test for ClearAudithooks has been moved to Programs/_testembed.c
|
Do we need more discussion about the security? |
|
@zkonge Probably, but let's do it on the issue tracker. PR discussions basically disappear after merging. |
|
@zkonge We will want a NEWS entry for this - click on Details for the failing check for instructions. I suggest: "Audit hooks are now cleared later during finalization to avoid missing events" |
|
Thanks for your guidance! |
|
Sorry, @zkonge and @zooba, I could not cleanly backport this to |
|
Sorry @zkonge and @zooba, I had trouble checking out the |
|
Thanks for the contribution! If you've got other ideas about how to make stuff happen after hooks are cleaned up, please post them on the bug so we can figure out how to detect them. |
|
GH-21302 is a backport of this pull request to the 3.9 branch. |
Co-authored-by: Konge <[email protected]>
Co-authored-by: Konge <[email protected]>
Co-authored-by: Konge <[email protected]>
https://bugs.python.org/issue41162