gh-96005: Handle WASI ENOTCAPABLE in getpath (GH-96006)

- On WASI `ENOTCAPABLE` is now mapped to `PermissionError`.
- The `errno` modules exposes the new error number.
- `getpath.py` now ignores `PermissionError` when it cannot open landmark
  files `pybuilddir.txt` and `pyenv.cfg`.

diff --git a/Doc/library/errno.rst b/Doc/library/errno.rst
index 035340e256874f05102de251b22cbf512be0ef98..da4e964ac3f0c91535dfbcb1e3590626c47a41b8 100644 (file)
--- a/Doc/library/errno.rst
+++ b/Doc/library/errno.rst
@@ -657,3 +657,12 @@ defined by the module.  The specific list of defined symbols is available as
    Interface output queue is full
 
    .. versionadded:: 3.11
+
+.. data:: ENOTCAPABLE
+
+   Capabilities insufficient. This error is mapped to the exception
+   :exc:`PermissionError`.
+
+   .. availability:: WASI
+
+   .. versionadded:: 3.11.1

diff --git a/Doc/library/exceptions.rst b/Doc/library/exceptions.rst
index 2eccbd17c482c04ccde83e29d0df6ff4186d5e72..fc856277d67b2ec7af6175bf751df66b0db36e31 100644 (file)
--- a/Doc/library/exceptions.rst
+++ b/Doc/library/exceptions.rst
@@ -746,7 +746,12 @@ depending on the system error code.
 
    Raised when trying to run an operation without the adequate access
    rights - for example filesystem permissions.
-   Corresponds to :c:data:`errno` :py:data:`~errno.EACCES` and :py:data:`~errno.EPERM`.
+   Corresponds to :c:data:`errno` :py:data:`~errno.EACCES`,
+   :py:data:`~errno.EPERM`, and :py:data:`~errno.ENOTCAPABLE`.
+
+   .. versionchanged:: 3.11.1
+      WASI's :py:data:`~errno.ENOTCAPABLE` is now mapped to
+      :exc:`PermissionError`.
 
 .. exception:: ProcessLookupError
 

diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-08-15-21-08-11.gh-issue-96005.6eoc8k.rst b/Misc/NEWS.d/next/Core and Builtins/2022-08-15-21-08-11.gh-issue-96005.6eoc8k.rst
new file mode 100644 (file)
index 0000000..06e414b
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2022-08-15-21-08-11.gh-issue-96005.6eoc8k.rst
@@ -0,0 +1,4 @@
+On WASI :data:`~errno.ENOTCAPABLE` is now mapped to :exc:`PermissionError`.
+The :mod:`errno` modules exposes the new error number. ``getpath.py`` now
+ignores :exc:`PermissionError` when it cannot open landmark files
+``pybuilddir.txt`` and ``pyenv.cfg``.

diff --git a/Modules/errnomodule.c b/Modules/errnomodule.c
index 0516e7367050c2f187ccf928a74233c61c7ccefd..4de4144520aa48efda5ee71659ccda783d93b03e 100644 (file)
--- a/Modules/errnomodule.c
+++ b/Modules/errnomodule.c
@@ -927,6 +927,10 @@ errno_exec(PyObject *module)
 #ifdef EQFULL
     add_errcode("EQFULL", EQFULL, "Interface output queue is full");
 #endif
+#ifdef ENOTCAPABLE
+    // WASI extension
+    add_errcode("ENOTCAPABLE", ENOTCAPABLE, "Capabilities insufficient");
+#endif
 
     Py_DECREF(error_dict);
     return 0;

diff --git a/Modules/getpath.py b/Modules/getpath.py
index a50313aea78b4f06ecee65725bb144232b8cf5dd..e3558bc49e389f68a970507c4e8a59d207bc4eee 100644 (file)
--- a/Modules/getpath.py
+++ b/Modules/getpath.py
@@ -351,11 +351,11 @@ if not home and not py_setpath:
         try:
             # Read pyvenv.cfg from one level above executable
             pyvenvcfg = readlines(joinpath(venv_prefix, VENV_LANDMARK))
-        except FileNotFoundError:
+        except (FileNotFoundError, PermissionError):
             # Try the same directory as executable
             pyvenvcfg = readlines(joinpath(venv_prefix2, VENV_LANDMARK))
             venv_prefix = venv_prefix2
-    except FileNotFoundError:
+    except (FileNotFoundError, PermissionError):
         venv_prefix = None
         pyvenvcfg = []
 
@@ -475,7 +475,7 @@ if ((not home_was_set and real_executable_dir and not py_setpath)
         # File exists but is empty
         platstdlib_dir = real_executable_dir
         build_prefix = joinpath(real_executable_dir, VPATH)
-    except FileNotFoundError:
+    except (FileNotFoundError, PermissionError):
         if isfile(joinpath(real_executable_dir, BUILD_LANDMARK)):
             build_prefix = joinpath(real_executable_dir, VPATH)
             if os_name == 'nt':

diff --git a/Objects/exceptions.c b/Objects/exceptions.c
index c56886870d3c8d948328da67e17a2c4bfd3b5e3d..3703fdcda4dbe9b71f974550417d60c48c02bc75 100644 (file)
--- a/Objects/exceptions.c
+++ b/Objects/exceptions.c
@@ -3635,6 +3635,11 @@ _PyExc_InitState(PyInterpreterState *interp)
     ADD_ERRNO(InterruptedError, EINTR);
     ADD_ERRNO(PermissionError, EACCES);
     ADD_ERRNO(PermissionError, EPERM);
+#ifdef ENOTCAPABLE
+    // Extension for WASI capability-based security. Process lacks
+    // capability to access a resource.
+    ADD_ERRNO(PermissionError, ENOTCAPABLE);
+#endif
     ADD_ERRNO(ProcessLookupError, ESRCH);
     ADD_ERRNO(TimeoutError, ETIMEDOUT);