gh-121957: Emit audit events for `python -i` and `python -m asyncio` (GH-121958)

Relatedly, emit the `cpython.run_startup` event from the Python version of `PYTHONSTARTUP` handling.
author: Łukasz Langa <lukasz@langa.pl> 2024-07-22 11:04:08 (GMT)
committer: GitHub <noreply@github.com> 2024-07-22 11:04:08 (GMT)
commit: dc93d1125f594ac7aece98558eaf33d09c348519 (patch)
tree: db2bc23e9e74df4a9ce22a872c2825418597f57b
parent: cad11a2bdceb6d4683ae5654ce555cdf5f191217 (diff)
download: cpython-dc93d1125f594ac7aece98558eaf33d09c348519.zip
cpython-dc93d1125f594ac7aece98558eaf33d09c348519.tar.gz
cpython-dc93d1125f594ac7aece98558eaf33d09c348519.tar.bz2
6 files changed, 36 insertions, 2 deletions
diff --git a/Doc/library/asyncio.rst b/Doc/library/asyncio.rst
index 184f981..5f83b3a 100644
--- a/Doc/library/asyncio.rst
+++ b/Doc/library/asyncio.rst
@@ -56,9 +56,13 @@ Additionally, there are **low-level** APIs for
 * :ref:`bridge <asyncio-futures>` callback-based libraries and code
   with async/await syntax.
 
+.. include:: ../includes/wasm-notavail.rst
+
 .. _asyncio-cli:
 
-You can experiment with an ``asyncio`` concurrent context in the REPL:
+.. rubric:: asyncio REPL
+
+You can experiment with an ``asyncio`` concurrent context in the :term:`REPL`:
 
 .. code-block:: pycon
 
@@ -70,7 +74,14 @@ You can experiment with an ``asyncio`` concurrent context in the REPL:
    >>> await asyncio.sleep(10, result='hello')
    'hello'
 
-.. include:: ../includes/wasm-notavail.rst
+.. audit-event:: cpython.run_stdin "" ""
+
+.. versionchanged:: 3.12.5 (also 3.11.10, 3.10.15, 3.9.20, and 3.8.20)
+   Emits audit events.
+
+.. versionchanged:: 3.13
+   Uses PyREPL if possible, in which case :envvar:`PYTHONSTARTUP` is
+   also executed. Emits audit events.
 
 .. We use the "rubric" directive here to avoid creating
    the "Reference" subsection in the TOC.
diff --git a/Doc/using/cmdline.rst b/Doc/using/cmdline.rst
index a575760..c175c4f 100644
--- a/Doc/using/cmdline.rst
+++ b/Doc/using/cmdline.rst
@@ -793,6 +793,15 @@ conflict.
    This variable can also be modified by Python code using :data:`os.environ`
    to force inspect mode on program termination.
 
+   .. audit-event:: cpython.run_stdin "" ""
+
+   .. versionchanged:: 3.12.5 (also 3.11.10, 3.10.15, 3.9.20, and 3.8.20)
+      Emits audit events.
+
+   .. versionchanged:: 3.13
+      Uses PyREPL if possible, in which case :envvar:`PYTHONSTARTUP` is
+      also executed. Emits audit events.
+
 
 .. envvar:: PYTHONUNBUFFERED
 
diff --git a/Lib/_pyrepl/main.py b/Lib/_pyrepl/main.py
index 8d6e07d..a6f824d 100644
--- a/Lib/_pyrepl/main.py
+++ b/Lib/_pyrepl/main.py
@@ -39,6 +39,8 @@ def interactive_console(mainmodule=None, quiet=False, pythonstartup=False):
     # sys._baserepl() above does this internally, we do it here
     startup_path = os.getenv("PYTHONSTARTUP")
     if pythonstartup and startup_path:
+        sys.audit("cpython.run_startup", startup_path)
+
         import tokenize
         with tokenize.open(startup_path) as f:
             startup_code = compile(f.read(), startup_path, "exec")
diff --git a/Lib/asyncio/__main__.py b/Lib/asyncio/__main__.py
index 8b5a4b8..111b7d9 100644
--- a/Lib/asyncio/__main__.py
+++ b/Lib/asyncio/__main__.py
@@ -91,6 +91,8 @@ class REPLThread(threading.Thread):
             console.write(banner)
 
             if startup_path := os.getenv("PYTHONSTARTUP"):
+                sys.audit("cpython.run_startup", startup_path)
+
                 import tokenize
                 with tokenize.open(startup_path) as f:
                     startup_code = compile(f.read(), startup_path, "exec")
@@ -127,6 +129,8 @@ class REPLThread(threading.Thread):
 
 
 if __name__ == '__main__':
+    sys.audit("cpython.run_stdin")
+
     if os.getenv('PYTHON_BASIC_REPL'):
         CAN_USE_PYREPL = False
     else:
@@ -155,6 +159,7 @@ if __name__ == '__main__':
     interactive_hook = getattr(sys, "__interactivehook__", None)
 
     if interactive_hook is not None:
+        sys.audit("cpython.run_interactivehook", interactive_hook)
         interactive_hook()
 
     if interactive_hook is site.register_readline:
diff --git a/Misc/NEWS.d/next/Security/2024-07-18-13-17-47.gh-issue-121957.QemKLU.rst b/Misc/NEWS.d/next/Security/2024-07-18-13-17-47.gh-issue-121957.QemKLU.rst
new file mode 100644
index 0000000..49ccc5e
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2024-07-18-13-17-47.gh-issue-121957.QemKLU.rst
@@ -0,0 +1,3 @@
+Fixed missing audit events around interactive use of Python, now also
+properly firing for ``python -i``, as well as for ``python -m asyncio``. The
+events in question are ``cpython.run_stdin`` and ``cpython.run_startup``.
diff --git a/Modules/main.c b/Modules/main.c
index 3c202c8..15ea49a 100644
--- a/Modules/main.c
+++ b/Modules/main.c
@@ -594,6 +594,10 @@ pymain_repl(PyConfig *config, int *exitcode)
         return;
     }
 
+    if (PySys_Audit("cpython.run_stdin", NULL) < 0) {
+        return;
+    }
+
     if (!isatty(fileno(stdin))
         || _Py_GetEnv(config->use_environment, "PYTHON_BASIC_REPL")) {
         PyCompilerFlags cf = _PyCompilerFlags_INIT;
author	Łukasz Langa <lukasz@langa.pl>	2024-07-22 11:04:08 (GMT)
committer	GitHub <noreply@github.com>	2024-07-22 11:04:08 (GMT)
commit	dc93d1125f594ac7aece98558eaf33d09c348519 (patch)
tree	db2bc23e9e74df4a9ce22a872c2825418597f57b
parent	cad11a2bdceb6d4683ae5654ce555cdf5f191217 (diff)
download	cpython-dc93d1125f594ac7aece98558eaf33d09c348519.zip cpython-dc93d1125f594ac7aece98558eaf33d09c348519.tar.gz cpython-dc93d1125f594ac7aece98558eaf33d09c348519.tar.bz2