git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] PEP 578: Python Runtime Audit Hooks


On 28/03/2019 23.35, Steve Dower wrote:
> Hi all
> 
> Time is short, but I'm hoping to get PEP 578 (formerly PEP 551) into
> Python 3.8. Here's the current text for review and comment before I
> submit to the Steering Council.
> 
> The formatted text is at https://www.python.org/dev/peps/pep-0578/
> (update just pushed, so give it an hour or so, but it's fundamentally
> the same as what's there)
> 
> No Discourse post, because we don't have a python-dev equivalent there
> yet, so please reply here for this one.
> 
> Implementation is at https://github.com/zooba/cpython/tree/pep-578/ and
> my backport to 3.7 (https://github.com/zooba/cpython/tree/pep-578-3.7/)
> is already getting some real use (though this will not be added to 3.7,
> unless people *really* want it, so the backport is just for reference).

Hi Steve,

(memory dump before I go to bed)

Steve Grubb from Red Hat security pointed me to some interesting things
[1]. For instance there is some work on a new O_MAYEXEC flag for open().
Steve came to similar conclusions like we, e.g. streaming code from
stdin is insecure.

I think it would be also beneficial to have auditing events for the
import system to track when sys.path or import loaders are changed.

Christian

[1] https://marc.info/?l=linux-fsdevel&m=155535414414626&w=2