Home Original page

[Python-Dev] PEP 578: Python Runtime Audit Hooks

Christian Heimes christian at python.org
Fri Mar 29 06:34:20 EDT 2019 
On 28/03/2019 23.35, Steve Dower wrote:
> Audit Hook
> ----------
> 
> In order to observe actions taken by the runtime (on behalf of the
> caller), an API is required to raise messages from within certain
> operations. These operations are typically deep within the Python
> runtime or standard library, such as dynamic code compilation, module
> imports, DNS resolution, or use of certain modules such as ``ctypes``.
> 
> The following new C APIs allow embedders and CPython implementors to
> send and receive audit hook messages::
> 
>    # Add an auditing hook
>    typedef int (*hook_func)(const char *event, PyObject *args,
>                             void *userData);
>    int PySys_AddAuditHook(hook_func hook, void *userData);
> 
>    # Raise an event with all auditing hooks
>    int PySys_Audit(const char *event, PyObject *args);
> 
>    # Internal API used during Py_Finalize() - not publicly accessible
>    void _Py_ClearAuditHooks(void);
> 
> The new Python APIs for receiving and raising audit hooks are::
> 
>    # Add an auditing hook
>    sys.addaudithook(hook: Callable[[str, tuple]])
> 
>    # Raise an event with all auditing hooks
>    sys.audit(str, *args)
> 
> 
> Hooks are added by calling ``PySys_AddAuditHook()`` from C at any time,
> including before ``Py_Initialize()``, or by calling
> ``sys.addaudithook()`` from Python code. Hooks cannot be removed or
> replaced.

Hi Steve,

I wonder if the hooks could be replaced by a more efficient mechanism.
These days, Linux, macOS, and most recently Windows [1] support dtrace
probes. DTrace is a very powerful and efficient mechanism to trace
user-space processes from Kernel space. At least we should consider to
add DTrace probes to the auditing framework.

Regards,
Christian

[1]
https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/DTrace-on-Windows/ba-p/362902
More information about the Python-Dev mailing list