
Missing audit events for python -i and python -m asyncio #121957

Open
ambv opened this issue Jul 18, 2024 · 1 comment
Assignees
Labels
3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes topic-repl Related to the interactive shell type-security A security issue

Comments

@ambv
Contributor

ambv commented Jul 18, 2024

Modules/main.c:pymain_repl should fire cpython.run_stdin like Modules/main.c:pymain_run_stdin to allow administrators to log/block interactive use. Maybe that event firing should be moved all the way to _PyRun_InteractiveLoopObject, but its only other use is with PyRun_InteractiveLoopFlags, which is embedded, so not clear we want that. Therefore, pymain_repl is now the clear choice. Affected versions: Python 3.8+.

Similarly, the asyncio REPL didn't emit any audit events related to interactive use. Affected versions: Python 3.8+.

Note that code.InteractiveConsole also doesn't fire interactive use audit events, but my thinking here is that this is an end-user API, so the user can choose to fire that event if they want to. Similar case to PyRun_InteractiveLoopFlags.

This will require a separate fix for 3.8 - 3.12.
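As an added illustration (not code from the issue or from CPython), the administrator side of the events discussed above: an audit hook that logs or refuses `cpython.run_stdin` and `cpython.run_startup`, plus a hypothetical `code.InteractiveConsole` subclass that fires `cpython.run_stdin` itself, since the issue leaves that to end users of that API. The scripted input lines are constructed stand-ins for a real terminal.

```python
import code
import sys

# The two events the issue discusses: the one the REPL is expected to fire for
# interactive use, and the one fired by PYTHONSTARTUP handling.
INTERACTIVE_EVENTS = ("cpython.run_stdin", "cpython.run_startup")


class InteractiveUsePolicy:
    """Audit hook that records interactive-use events and can refuse them.

    Audit hooks cannot be uninstalled, so a process installs one policy object
    and adjusts it in place (here via the `block` attribute).
    """

    def __init__(self, block=False):
        self.block = block
        self.log = []  # (event, args) pairs seen so far

    def __call__(self, event, args):
        if event not in INTERACTIVE_EVENTS:
            return  # ignore unrelated events (compile, import, ...)
        self.log.append((event, args))
        if self.block:
            # Raising inside a hook aborts the operation that fired the event.
            raise RuntimeError(f"interactive use blocked by policy: {event}")


class AuditedConsole(code.InteractiveConsole):
    """Hypothetical wrapper: fires cpython.run_stdin before interacting,
    because code.InteractiveConsole does not fire it on its own."""

    def __init__(self, lines):
        super().__init__()
        self._lines = iter(lines)  # constructed input replacing a tty

    def raw_input(self, prompt=""):
        try:
            return next(self._lines)
        except StopIteration:
            raise EOFError  # end of the scripted session

    def interact(self, banner=None, exitmsg=""):
        sys.audit("cpython.run_stdin")  # same event the fixed REPL emits
        super().interact(banner=banner, exitmsg=exitmsg)


def run_session(policy, lines):
    """Run one scripted console session; return (allowed, events fired)."""
    start = len(policy.log)
    try:
        AuditedConsole(lines).interact(banner="", exitmsg="")
        allowed = True
    except RuntimeError:
        allowed = False  # the policy refused interactive use
    return allowed, [event for event, _ in policy.log[start:]]


POLICY = InteractiveUsePolicy(block=False)
sys.addaudithook(POLICY)
```

Flipping `POLICY.block` to `True` turns the same hook from a logger into a gate that stops the session before any line is read.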

Linked PRs

@ambv ambv added type-security A security issue deferred-blocker needs backport to 3.13 bugs and security fixes topic-repl Related to the interactive shell labels Jul 18, 2024
@ambv ambv self-assigned this Jul 18, 2024
ambv added a commit to ambv/cpython that referenced this issue Jul 18, 2024
… with PyREPL

Relatedly, emit the `cpython.run_startup` event from the Python version of
`PYTHONSTARTUP` handling.
@ambv ambv changed the title Missing audit event for Modules/main.c:pymain_start_pyrepl_no_main Missing audit events for python -i and python -m asyncio Jul 18, 2024
@ambv ambv added 3.11 only security fixes 3.10 only security fixes 3.9 only security fixes 3.8 (EOL) end of life 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes and removed needs backport to 3.13 bugs and security fixes labels Jul 18, 2024
ambv added a commit to ambv/cpython that referenced this issue Jul 18, 2024
ambv added a commit to ambv/cpython that referenced this issue Jul 22, 2024
ambv added a commit that referenced this issue Jul 22, 2024
…H-121958)

Relatedly, emit the `cpython.run_startup` event from the Python version of
`PYTHONSTARTUP` handling.
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jul 22, 2024
…ncio` (pythonGH-121958)

Relatedly, emit the `cpython.run_startup` event from the Python version of
`PYTHONSTARTUP` handling.
(cherry picked from commit dc93d11)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
ambv added a commit that referenced this issue Jul 22, 2024
…yncio` (GH-121958) (GH-122115)

Relatedly, emit the `cpython.run_startup` event from the Python version of
`PYTHONSTARTUP` handling.
(cherry picked from commit dc93d11)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
@ambv
Contributor Author

ambv commented Jul 22, 2024

The fix and backports landed, but I'm keeping this open, because I'd like to have a test of those audit events at least on main. It's going to be somewhat tricky since we'll have to build an audit binary for that.

arnout pushed a commit to buildroot/buildroot that referenced this issue Aug 27, 2024
Fixes the following security issues:

- gh-121957: Fixed missing audit events around interactive use of Python,
  now also properly firing for python -i, as well as for python -m asyncio.
  The event in question is cpython.run_stdin.

  python/cpython#121957

For more details, see the changelog:

https://docs.python.org/release/3.12.5/whatsnew/changelog.html#python-3-12-5

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>