[issue37505] Early auditing broken

2021-10-20 Thread Christian Heimes 


Change by Christian Heimes :


--
versions: +Python 3.10, Python 3.11 -Python 3.8

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37505] Early auditing broken

2019-07-09 Thread Steve Dower 


Steve Dower  added the comment:

Passing a NULL format string there means the same as passing NULL to 
PyObject_CallFunction(func, NULL) - no arguments, which results in an empty 
tuple being passed to the hooks.

Perhaps in the early cases we can pass NULL instead of a tuple? Maybe even 
assert when that case occurs and the event has parameters?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37505] Early auditing broken

2019-07-09 Thread Christian Heimes 


Christian Heimes  added the comment:

Some audit events are designed to work before the interpreter is fully 
initialized or already shut down. These events pass in NULL instead of a 
PyObject*.

Python/pystate.c:if (PySys_Audit("cpython.PyInterpreterState_New", NULL) < 
0) {
Python/pystate.c:if (PySys_Audit("cpython.PyInterpreterState_Clear", NULL) 
< 0) {
Python/sysmodule.c:PySys_Audit("cpython._PySys_ClearAuditHooks", NULL);

(They are also currently not documented)

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37505] Early auditing broken

2019-07-05 Thread Christian Heimes 


Christian Heimes  added the comment:

The hooks are about auditing the behavior of an interpreter. It's not strictly 
tight to some attack scenario. I would find it useful to either get back the 
old behavior or to have some sort of event, which indicates the start of the 
auditing log.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37505] Early auditing broken

2019-07-05 Thread STINNER Victor 


STINNER Victor  added the comment:

PySys_Audit() exit immediately if ts=NULL:

/* Early exit when no hooks are registered */
if (!should_audit(ts)) {
return 0;
}

It exits before calling:

/* Dtrace USDT point */
if (dtrace) {
PyDTrace_AUDIT(event, (void *)eventArgs);
}

where eventArgs is the tuple.

Do you really care of getting an audit event when the *main* interpreter is 
created? It doesn't sound like an attack vector to start Python, no? If you 
need an event "Python started", we can add one later, when the PySys_Audit() is 
usable.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37505] Early auditing broken

2019-07-05 Thread Steve Dower 


Steve Dower  added the comment:

Yeah, at some point we had to add an initialization check to the audit calls 
because of the tuple, so it essentially became a subinterpreter event but not 
the main one.

But I thought the dtrace call happened before that check? Looking through the 
linked commit, apparently not, but I don't actually recall right now why and I 
can't quite see enough context. Did we need the tuple there too?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37505] Early auditing broken

2019-07-05 Thread STINNER Victor 


STINNER Victor  added the comment:

I don't see how the first call to PyInterpreterState_New() can be audited: 
PySys_Audit() builds a tuple to call hooks, but there is no interpreter yet, so 
we cannot even build tuples.

Are you talking about the "main" interpreter, or sub-interpreters?

I'm surprised that it worked previously for the main interpreter.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37505] Early auditing broken

2019-07-05 Thread Christian Heimes 


Christian Heimes  added the comment:

3.8.0b1 is also broken, so it may have been a different commit. I'm sure that I 
was able to see interpreter initialization with dtrace hooks.

# audit.stp
probe process("/usr/lib64/libpython3.8.*").provider("python").mark("audit") {
printf("%s\n", user_string($arg1))
}

$ sudo stap audit.stp -c python3.8

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37505] Early auditing broken

2019-07-05 Thread STINNER Victor 


STINNER Victor  added the comment:

Oh. How can I reproduce this issue?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue37505] Early auditing broken

2019-07-05 Thread Christian Heimes 


New submission from Christian Heimes :

I think that commit 838f26402de82640698c38ea9d2be65c6cf780d6 / bpo-36710 broke 
auditing for early events. I'm no longer seeing early events like 
cpython.PyInterpreterState_New. The first event is an import event without 
interpreter state.

--
components: Interpreter Core
messages: 347334
nosy: christian.heimes, steve.dower, vstinner
priority: normal
severity: normal
status: open
title: Early auditing broken
type: security
versions: Python 3.8, Python 3.9

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com