classification
Title: [security][subinterpreters] Add auditing hooks to subinterpreter module
Type: security Stage: resolved
Components: Interpreter Core, Subinterpreters Versions: Python 3.10, Python 3.9, Python 3.8
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: steve.dower Nosy List: christian.heimes, eric.snow, gousaiyang, miss-islington, steve.dower, vstinner
Priority: normal Keywords: patch

Created on 2021-03-11 09:31 by christian.heimes, last changed 2021-04-28 16:20 by vstinner. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 25506 merged steve.dower, 2021-04-21 21:58
PR 25508 merged miss-islington, 2021-04-21 22:34
PR 25509 merged miss-islington, 2021-04-21 22:35
Messages (6)
msg388489 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-03-11 09:31
The subinterpreters module does not emit any audit events yet. It's possible to create a subinterpreter and run arbitrary code through run_string().

We should also improve documentation of sys.addaudithook() and explain what 'current interpreter' actually means. I guess most users don't realize the consequences for subinterpreters.

$ ./python auditsub.py
('os.system', (b'echo main interpreter',))
main interpreter
you got pwned
[heimes@seneca cpython]$ cat au
auditsub.py     autom4te.cache/ 
[heimes@seneca cpython]$ cat auditsub.py 
import sys
import _xxsubinterpreters

def hook(*args):
    print(args)

sys.addaudithook(hook)

import os
os.system('echo main interpreter')

sub = _xxsubinterpreters.create()
_xxsubinterpreters.run_string(sub, "import os; os.system('echo you got pwned')", None)

$ ./python auditsub.py 
('os.system', (b'echo main interpreter',))
main interpreter
you got pwned
msg390387 - (view) Author: Saiyang Gou (gousaiyang) * Date: 2021-04-06 23:18
One problem is the naming of audit events. Actually I didn't even notice that `_xxsubinterpreters` was already there since Python 3.8, because PEP 554 is still in draft status as for now. Looks like `_xxsubinterpreters` is an internal low-level interface to subinterpreters (and probably only meant for testing purposes for now), while PEP 554 will bring a high-level interface `interpreters` for users. Naming the audit events as `interpreters.*` will be more readable, although the `interpreters` module doesn't actually exist today.
msg391548 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-04-21 21:50
I'll need Eric to confirm, but I think the best thing to do here is to not release the thread state in _xxsubinterpreters.interp_create, but let _Py_NewInterpreter() do it. That way the existing event will be raised in interpreter-level hooks, rather than only the process-wide hook.

PR incoming.
msg391551 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-04-21 22:34
New changeset 7b86e47617d81a4b14d929743425f448971e8c86 by Steve Dower in branch 'master':
bpo-43472: Ensure PyInterpreterState_New audit events are raised when called through _xxsubinterpreters module (GH-25506)
https://github.com/python/cpython/commit/7b86e47617d81a4b14d929743425f448971e8c86
msg391554 - (view) Author: miss-islington (miss-islington) Date: 2021-04-21 22:53
New changeset 602eefef0bd0187049c2ab9071390f8573fc299a by Miss Islington (bot) in branch '3.8':
bpo-43472: Ensure PyInterpreterState_New audit events are raised when called through _xxsubinterpreters module (GH-25506)
https://github.com/python/cpython/commit/602eefef0bd0187049c2ab9071390f8573fc299a
msg392232 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2021-04-28 16:20
New changeset 0252ce35712f4a12e824fb8b40a867ec3460443e by Miss Islington (bot) in branch '3.9':
bpo-43472: Ensure PyInterpreterState_New audit events are raised when called through _xxsubinterpreters module (GH-25506) (GH-25508)
https://github.com/python/cpython/commit/0252ce35712f4a12e824fb8b40a867ec3460443e
History
Date User Action Args
2021-04-28 16:20:49vstinnersetnosy: + vstinner
messages: + msg392232
2021-04-21 22:53:34miss-islingtonsetmessages: + msg391554
2021-04-21 22:40:55steve.dowersetstatus: open -> closed
assignee: steve.dower
stage: patch review -> resolved
resolution: fixed
versions: + Python 3.8, Python 3.9
2021-04-21 22:35:05miss-islingtonsetpull_requests: + pull_request24227
2021-04-21 22:34:55miss-islingtonsetnosy: + miss-islington
pull_requests: + pull_request24226
2021-04-21 22:34:37steve.dowersetmessages: + msg391551
2021-04-21 21:58:53steve.dowersetkeywords: + patch
stage: patch review
pull_requests: + pull_request24224
2021-04-21 21:50:39steve.dowersetmessages: + msg391548
2021-04-06 23:18:34gousaiyangsetnosy: + gousaiyang
messages: + msg390387
2021-03-11 09:31:02christian.heimescreate