[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-05-03 Thread Steve Dower
Change by Steve Dower: resolution: -> fixed; stage: patch review -> resolved; status: open -> closed

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-05-03 Thread miss-islington
miss-islington added the comment: New changeset 8ab272f0f3dd7da44f8e21d2a5a39c2ab39490d6 by Miss Islington (bot) in branch '3.8': bpo-42800: Add audit events for f_code and tb_frame (GH-24182) https://github.com/python/cpython/commit/8ab272f0f3dd7da44f8e21d2a5a39c2ab39490d6

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-05-03 Thread miss-islington
Change by miss-islington: nosy: +miss-islington; nosy_count: 6.0 -> 7.0; pull_requests: +24532; pull_request: https://github.com/python/cpython/pull/25849

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-05-03 Thread Steve Dower
Steve Dower added the comment: New changeset bb2f3ff7a8f0c3565ccc1946dba7e09a3f7dc209 by Steve Dower in branch '3.9': bpo-42800: Add audit events for f_code and tb_frame (GH-24182) https://github.com/python/cpython/commit/bb2f3ff7a8f0c3565ccc1946dba7e09a3f7dc209

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-04-29 Thread Steve Dower
Steve Dower added the comment: The 3.9 backport is a bit different from what's in master, so would appreciate someone double-check it. It should go back to 3.8 just fine.

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-04-29 Thread Steve Dower
Change by Steve Dower: pull_requests: +24428; pull_request: https://github.com/python/cpython/pull/25737

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-04-29 Thread Steve Dower
Steve Dower added the comment: New changeset 87655e2cf58c543914ea05ebe5a0377441da1ef2 by Steve Dower in branch 'master': bpo-42800: Rename AUDIT_READ to PY_AUDIT_READ (GH-25736) https://github.com/python/cpython/commit/87655e2cf58c543914ea05ebe5a0377441da1ef2

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-04-29 Thread Steve Dower
Change by Steve Dower: pull_requests: +24427; pull_request: https://github.com/python/cpython/pull/25736

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-04-29 Thread Steve Dower
Steve Dower added the comment: Sure, I can do that.

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-04-29 Thread STINNER Victor
STINNER Victor added the comment: Can you please rename AUDIT_READ to PY_AUDIT_READ? We should avoid adding symbols without Py/PY prefix to the Python C API.

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-04-29 Thread Steve Dower
Steve Dower added the comment: New changeset 9a2c2a9ec3140b6c54c9ef9d994311f114128ee3 by Ryan Hileman in branch 'master': bpo-42800: add audit hooks for f_code and tb_frame (GH-24182) https://github.com/python/cpython/commit/9a2c2a9ec3140b6c54c9ef9d994311f114128ee3

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-02-23 Thread Steve Dower
Steve Dower added the comment: Thanks for the ping. I'll try and check in later this week to finish it up.

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-02-22 Thread Ryan Hileman
Ryan Hileman added the comment:
> Sounds good to me. We can deprecate RESTRICTED with no intention to remove it, since it's documented.
> Do you want to prepare a PR for this?
In case you missed it, the attached PR 24182 as of commit d3e998b is based on the steps I listed - I moved all of

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-22 Thread Ryan Hileman
Ryan Hileman added the comment: Just updated the PR with another much simpler attempt, using a new READ_AUDIT flag (aliased to READ_RESTRICTED, and newtypes documentation updated). I re-ran timings for the new build, and in all cases they match or slightly beat my previous reported timings.

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-22 Thread Steve Dower
Steve Dower added the comment:
> I think it could make sense to:
> 1. Alias READ_RESTRICTED to a new READ_AUDIT flag and use the latter instead, as it is more clear.
> 2. Update the newtype docs to mention READ_AUDIT and remove documentation for the unused RESTRICTED flags.
> 3.

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-22 Thread Ryan Hileman
Ryan Hileman added the comment: I agree that READ_RESTRICTED would work, and I'm strongly in support of refactoring my patch around that kind of flag, as it simplifies it quite a bit and the if statement is already there. However, using the seemingly legacy RESTRICTED flag names for audit

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-22 Thread Steve Dower
Steve Dower added the comment: I'm fine with either approach, though adding the READ_RESTRICTED flag would also be fine. The audit trailing leading to a bypass is very important, and traversing frames to find functions in their locals or closures is very useful. This is nothing like a

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-21 Thread Ryan Hileman
Ryan Hileman added the comment: How's this for maintainable? https://github.com/lunixbochs/cpython/commit/2bf1cc93d19a49cbed09b45f7dbb00212229f0a1

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-21 Thread Ryan Hileman
Ryan Hileman added the comment: My understanding as per the outline in PEP 551 as well as PEP 578, is that the audit system is meant primarily to observe the behavior of code rather than to have good sandbox coverage / directly prevent behavior. I am using audit hooks to observe the

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-21 Thread Mark Shannon
Mark Shannon added the comment: If the point of the proposed change is not to deny access to globals, then what is the point of it? You say that this change is to "close a simpler gap in the audit system". What is it that the audit system is supposed to prevent, that is currently possible,

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-21 Thread Ryan Hileman
Ryan Hileman added the comment: My personal motivation is not to unilaterally prevent access to globals, but to close a simpler gap in the audit system that affects a currently deployed high performance production system (which is not trying to be a sandbox). I am also already using a C

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-21 Thread Mark Shannon
Mark Shannon added the comment: I agree with Victor, we should not be attempting to build a sandbox. https://www.python.org/dev/peps/pep-0578/#why-not-a-sandbox Preventing access to global variables is next to impossible. Adding more and more hooks to prevent access to globals, merely adds

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-21 Thread Ryan Hileman
Ryan Hileman added the comment: I just found out that generator object variants have their own code attributes. I investigated the stdlib usage and it seems to be for debug / dis only, so adding these attributes shouldn't impact performance. I updated the PR to now cover the following

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-12 Thread STINNER Victor
STINNER Victor added the comment: Aaaah, PR 24182 doesn't add a hook to object.__getattr__, but to the C getter functions on traceback and frame. That sounds more acceptable to me :-) These operations are uncommon and should not be part of "hot code" (critical for performance) unless you're

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-09 Thread Ryan Hileman
Ryan Hileman added the comment: PR submitted, waiting on CLA process. I added documentation at the field sites, but the audit event table generation does not handle attributes or object.__getattr__ very well at all, so I'm not updating the audit table for now. The `.. audit-event::

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-09 Thread Ryan Hileman
Change by Ryan Hileman: keywords: +patch; pull_requests: +23010; stage: -> patch review; pull_request: https://github.com/python/cpython/pull/24182

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-09 Thread Ammar Askar
Ammar Askar added the comment: `tb_frame` is documented under https://docs.python.org/3/reference/datamodel.html
> Special read-only attributes: tb_frame points to the execution frame of the current level
`tb_code` can similarly be documented here and the note about the audit event can

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-09 Thread Steve Dower
Steve Dower added the comment: That's the same patch that I'd write, and I agree, we should hook this. If the fields are documented anywhere, we should add the audit event data to get them into the table in the docs. Otherwise, that patch looks good to me.

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-08 Thread Ryan Hileman
Ryan Hileman added the comment: Oops, by tb_code I meant traceback.tb_frame.f_code. So you can get to a frame from traceback.tb_frame (without triggering audit) or sys._getframe (which has an audit hook already), and you can get to __code__ from a frame via frame.f_code (without triggering

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-08 Thread Ryan Hileman
Ryan Hileman added the comment: I'm definitely not proposing to hook all of object.__getattr__, as my intuition says that would be very slow. I simply refer to "object.__getattr__" as the event name used by a couple of rare event audit hooks. This is how getting __code__ is emitted:

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-08 Thread STINNER Victor
STINNER Victor added the comment: Even if no audit hook is registered, adding an audit event on a function has a cost on runtime performance. object.__getattr__() is a core Python function, if an event is added, we should properly measure the performance overhead to decide if it's

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-08 Thread STINNER Victor
STINNER Victor added the comment: I don't think that audit hooks should be seen as a way to build a robust sandbox. https://www.python.org/dev/peps/pep-0578/#why-not-a-sandbox

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-08 Thread STINNER Victor
Change by STINNER Victor: nosy: +vstinner

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2021-01-08 Thread Ryan Hileman
Ryan Hileman added the comment: traceback's `tb_code` attribute also allows you to bypass the `object.__getattr__` audit event for `__code__`. Perhaps accessing a traceback object's `tb_code` and `tb_frame` should both raise an `object.__getattr__` event? -- nosy: +lunixbochs2

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

2020-12-31 Thread Ammar Askar
New submission from Ammar Askar: It is possible to access all the frame objects in the interpreter without triggering any audit hooks through the use of exceptions. Namely, through the traceback's tb_frame property. Ordinarily one would trigger the "sys._current_frames" or "sys._getframe"