STINNER Victor added the comment:

I modified Python 3.5, 3.6 and 3.7 to fall back on reading /dev/urandom when 
the getrandom() syscall fails with EPERM.

Thanks for the bug report iwings!

Note: Python 2.7 does not use getrandom() and so is not impacted.

> Did you open a bug with your vendor, too? QNAP is clearly violating Kernel 
> APIs. getrandom() is not supposed to fail with EPERM.

I don't know if it can be seen as a violation of the Kernel API, but at least, 
it doesn't seem to be something smart to block the getrandom() syscall. getrandom() 
was designed to enhance the security of applications ;-)

> With #27778 implemented, there's also the question of how os.getrandom() will 
> react to security policies that restrict access to the getrandom syscalls (vs 
> just not having it available in the kernel).

This is no question: os.getrandom() of Python 3.6 is a thin wrapper on the 
syscall. If the syscall fails, the Python function raises an exception ;-) 
OSError(EPERM) in this case.

resolution:  -> fixed
status: open -> closed
versions: +Python 3.7 -Python 2.7
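
An added example, not part of the original message and not CPython's own code: application code that calls os.getrandom() directly can apply the same fallback the comment describes for the interpreter. The names random_bytes, blocked_getrandom and FALLBACK_ERRNOS are hypothetical, and treating ENOSYS like EPERM is an assumption of this sketch.

```python
import errno
import os

# Errors treated as "syscall missing or denied by policy". The message above
# only names EPERM; including ENOSYS is an assumption of this example.
FALLBACK_ERRNOS = {errno.EPERM, errno.ENOSYS}


def _read_urandom_device(n, path="/dev/urandom"):
    """Read exactly n bytes from the device, looping over short reads."""
    chunks, remaining = [], n
    with open(path, "rb", buffering=0) as dev:
        while remaining > 0:
            chunk = dev.read(remaining)
            if not chunk:
                raise OSError(errno.EIO, "short read from " + path)
            chunks.append(chunk)
            remaining -= len(chunk)
    return b"".join(chunks)


def random_bytes(n, getrandom=None, device_reader=_read_urandom_device):
    """Return (data, source). Prefer getrandom(); fall back to the device
    only when the syscall is blocked or absent, never on other errors."""
    if getrandom is None:
        getrandom = getattr(os, "getrandom", None)  # Linux, Python 3.6+
    if getrandom is not None:
        try:
            buf = b""
            while len(buf) < n:  # getrandom() may return fewer bytes than asked
                buf += getrandom(n - len(buf))
            return buf, "getrandom"
        except OSError as exc:
            if exc.errno not in FALLBACK_ERRNOS:
                raise  # e.g. EINVAL: a real bug, do not mask it
    return device_reader(n), "/dev/urandom"


def blocked_getrandom(size, flags=0):
    """Constructed stand-in for a sandbox policy that denies the syscall."""
    raise PermissionError(errno.EPERM, "Operation not permitted")


if __name__ == "__main__":
    data, source = random_bytes(16, getrandom=blocked_getrandom)
    print(len(data), "bytes from", source)
```

Returning the source alongside the bytes lets a service log when it is running on the fallback path, which is a useful signal that a sandbox policy is blocking getrandom().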
