[issue37505] Early auditing broken

2021-10-20 Thread Christian Heimes
Change by Christian Heimes: versions: +Python 3.10, Python 3.11 -Python 3.8

[issue37505] Early auditing broken

2019-07-09 Thread Steve Dower
Steve Dower added the comment: Passing a NULL format string there means the same as passing NULL to PyObject_CallFunction(func, NULL) - no arguments, which results in an empty tuple being passed to the hooks. Perhaps in the early cases we can pass NULL instead of a tuple? Maybe even assert

[issue37505] Early auditing broken

2019-07-09 Thread Christian Heimes
Christian Heimes added the comment: Some audit events are designed to work before the interpreter is fully initialized or already shut down. These events pass in NULL instead of a PyObject*. Python/pystate.c:if (PySys_Audit("cpython.PyInterpreterState_New", NULL) < 0) {

[issue37505] Early auditing broken

2019-07-05 Thread Christian Heimes
Christian Heimes added the comment: The hooks are about auditing the behavior of an interpreter. It's not strictly tied to some attack scenario. I would find it useful to either get back the old behavior or to have some sort of event, which indicates the start of the auditing log.

[issue37505] Early auditing broken

2019-07-05 Thread STINNER Victor
STINNER Victor added the comment: PySys_Audit() exits immediately if ts=NULL: /* Early exit when no hooks are registered */ if (!should_audit(ts)) { return 0; } It exits before calling: /* Dtrace USDT point */ if (dtrace) { PyDTrace_AUDIT(event, (void

[issue37505] Early auditing broken

2019-07-05 Thread Steve Dower
Steve Dower added the comment: Yeah, at some point we had to add an initialization check to the audit calls because of the tuple, so it essentially became a subinterpreter event but not the main one. But I thought the dtrace call happened before that check? Looking through the linked

[issue37505] Early auditing broken

2019-07-05 Thread STINNER Victor
STINNER Victor added the comment: I don't see how the first call to PyInterpreterState_New() can be audited: PySys_Audit() builds a tuple to call hooks, but there is no interpreter yet, so we cannot even build tuples. Are you talking about the "main" interpreter, or sub-interpreters? I'm

[issue37505] Early auditing broken

2019-07-05 Thread Christian Heimes
Christian Heimes added the comment: 3.8.0b1 is also broken, so it may have been a different commit. I'm sure that I was able to see interpreter initialization with dtrace hooks. # audit.stp probe process("/usr/lib64/libpython3.8.*").provider("python").mark("audit") { printf("%s\n",

[issue37505] Early auditing broken

2019-07-05 Thread STINNER Victor
STINNER Victor added the comment: Oh. How can I reproduce this issue?

[issue37505] Early auditing broken

2019-07-05 Thread Christian Heimes
New submission from Christian Heimes: I think that commit 838f26402de82640698c38ea9d2be65c6cf780d6 / bpo-36710 broke auditing for early events. I'm no longer seeing early events like cpython.PyInterpreterState_New. The first event is an import event without interpreter state.