STINNER Victor added the comment:
I modified Python 3.5, 3.6 and 3.7 to fall back on reading /dev/urandom when
getrandom() syscall fails with EPERM.
Thanks for the bug report iwings!
Note: Python 2.7 does not use getrandom() and so is not impacted.
> Did you open a bug with your vendor, too? QNAP is clearly violating Kernel
> APIs. getrandom() is not supposed to fail with EPERM.
I don't know if it can be seen as a violation of the Kernel API, but at least,
it doesn't seem to be something smart to block getrandom() syscall. getrandom()
was designed to enhance the security of applications ;-)
> With #27778 implemented, there's also the question of how os.getrandom() will
> react to security policies that restrict access to the getrandom syscalls (vs
> just not having it available in the kernel).
This is no question: os.getrandom() of Python 3.6 is a thin wrapper on the
syscall. If the syscall fails, the Python function raises an exception ;-)
OSError(EPERM) in this case.
resolution: -> fixed
status: open -> closed
versions: +Python 3.7 -Python 2.7
Python tracker <rep...@bugs.python.org>
Python-bugs-list mailing list
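
The fallback described in the comment above, sketched at the application level as an added example (not CPython's own code, which implements this in C): try os.getrandom(), and if the syscall is refused with EPERM, read /dev/urandom instead. The names random_bytes, read_urandom_device and blocked_getrandom are hypothetical, and treating ENOSYS the same way as EPERM is an assumption of this sketch.

```python
import errno
import os

# Errors that mean "the syscall is unavailable here", not "no entropy":
# ENOSYS = kernel lacks getrandom(); EPERM = a security policy blocks it.
# (Handling ENOSYS alongside EPERM is an assumption of this example.)
_FALLBACK_ERRNOS = (errno.ENOSYS, errno.EPERM)


def read_urandom_device(n, path="/dev/urandom"):
    """Read exactly n bytes from the device, looping over short reads."""
    chunks = []
    remaining = n
    with open(path, "rb", buffering=0) as dev:
        while remaining > 0:
            chunk = dev.read(remaining)
            if not chunk:
                raise OSError(errno.EIO, "unexpected EOF on " + path)
            chunks.append(chunk)
            remaining -= len(chunk)
    return b"".join(chunks)


def random_bytes(n, getrandom=getattr(os, "getrandom", None)):
    """Return (data, source). `getrandom` is injectable for testing."""
    if getrandom is not None:
        try:
            data = b""
            while len(data) < n:  # getrandom() may return fewer bytes
                data += getrandom(n - len(data))
            return data, "getrandom"
        except OSError as exc:
            if exc.errno not in _FALLBACK_ERRNOS:
                raise  # any other errno is a real error: propagate it
    return read_urandom_device(n), "/dev/urandom"


def blocked_getrandom(size, flags=0):
    """Constructed stand-in for a platform whose policy denies the syscall."""
    raise OSError(errno.EPERM, os.strerror(errno.EPERM))
```

Returning the source alongside the bytes lets a caller log when the fallback path was taken, which is how a blocked syscall on a given platform would show up in practice.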