summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSteve Dower <steve.dower@python.org>2022-11-11 13:35:02 (GMT)
committerGitHub <noreply@github.com>2022-11-11 13:35:02 (GMT)
commitc3c3871415c86088d45abcf73ccd2c2b09dc5772 (patch)
tree7d78e77bdf26e23c699381eadecd82c2d4ae1104
parent3dd6ee2c0022cb49e5cb8862a569bdd35b6a72bc (diff)
downloadcpython-c3c3871415c86088d45abcf73ccd2c2b09dc5772.zip
cpython-c3c3871415c86088d45abcf73ccd2c2b09dc5772.tar.gz
cpython-c3c3871415c86088d45abcf73ccd2c2b09dc5772.tar.bz2
gh-87604: Clarify in docs that sys.addaudithook is not for sandboxes (GH-99372)
-rw-r--r--Doc/library/sys.rst9
1 files changed, 9 insertions, 0 deletions
diff --git a/Doc/library/sys.rst b/Doc/library/sys.rst
index f3fd16c..d54ecd7 100644
--- a/Doc/library/sys.rst
+++ b/Doc/library/sys.rst
@@ -35,6 +35,15 @@ always available.
can then log the event, raise an exception to abort the operation,
or terminate the process entirely.
+ Note that audit hooks are primarily for collecting information about internal
+ or otherwise unobservable actions, whether by Python or libraries written in
+ Python. They are not suitable for implementing a "sandbox". In particular,
+ malicious code can trivially disable or bypass hooks added using this
+ function. At a minimum, any security-sensitive hooks must be added using the
+ C API :c:func:`PySys_AddAuditHook` before initialising the runtime, and any
+ modules allowing arbitrary memory modification (such as :mod:`ctypes`) should
+ be completely removed or closely monitored.
+
.. audit-event:: sys.addaudithook "" sys.addaudithook
Calling :func:`sys.addaudithook` will itself raise an auditing event