author | Steve Dower <steve.dower@python.org> | 2022-11-11 13:35:02 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-11 13:35:02 (GMT) |
commit | c3c3871415c86088d45abcf73ccd2c2b09dc5772 (patch) | |
tree | 7d78e77bdf26e23c699381eadecd82c2d4ae1104 | |
parent | 3dd6ee2c0022cb49e5cb8862a569bdd35b6a72bc (diff) | |
gh-87604: Clarify in docs that sys.addaudithook is not for sandboxes (GH-99372)
-rw-r--r-- | Doc/library/sys.rst | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/Doc/library/sys.rst b/Doc/library/sys.rst index f3fd16c..d54ecd7 100644 --- a/Doc/library/sys.rst +++ b/Doc/library/sys.rst @@ -35,6 +35,15 @@ always available. can then log the event, raise an exception to abort the operation, or terminate the process entirely. + Note that audit hooks are primarily for collecting information about internal + or otherwise unobservable actions, whether by Python or libraries written in + Python. They are not suitable for implementing a "sandbox". In particular, + malicious code can trivially disable or bypass hooks added using this + function. At a minimum, any security-sensitive hooks must be added using the + C API :c:func:`PySys_AddAuditHook` before initialising the runtime, and any + modules allowing arbitrary memory modification (such as :mod:`ctypes`) should + be completely removed or closely monitored. + .. audit-event:: sys.addaudithook "" sys.addaudithook Calling :func:`sys.addaudithook` will itself raise an auditing event |
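Review bot: The sentence beginning "At a minimum, any security-sensitive hooks must be added using the C API" comes directly after the statement that hooks are "not suitable for implementing a 'sandbox'", so a reader can take the two listed measures (adding the hook through :c:func:`PySys_AddAuditHook` before initialising the runtime, and removing or monitoring :mod:`ctypes`) as a recipe that makes hooks safe for containment. I would say explicitly that these are necessary conditions only and that, even with both in place, hooks remain an observation mechanism rather than an enforcement boundary. In the same sentence, "closely monitored" gives no indication of how such modules should be monitored; either name the mechanism or drop the alternative and keep only "completely removed". As a smaller style point, the paragraph opens with "Note that" in running text; a ``.. note::`` or ``.. warning::`` directive would make the caveat harder to miss for readers who skim the entry for :func:`sys.addaudithook`.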