gh-121957: Emit audit events for `python -i` and `python -m asyncio` (GH-121958)
authorŁukasz Langa <lukasz@langa.pl>
Mon, 22 Jul 2024 11:04:08 +0000 (13:04 +0200)
committerGitHub <noreply@github.com>
Mon, 22 Jul 2024 11:04:08 +0000 (13:04 +0200)
Relatedly, emit the `cpython.run_startup` event from the Python version of
`PYTHONSTARTUP` handling.

Doc/library/asyncio.rst
Doc/using/cmdline.rst
Lib/_pyrepl/main.py
Lib/asyncio/__main__.py
Misc/NEWS.d/next/Security/2024-07-18-13-17-47.gh-issue-121957.QemKLU.rst [new file with mode: 0644]
Modules/main.c

index 184f981c1021aa3f27c6e2fbcffcb5dcb54f4174..5f83b3a2658da44e871a51736acf71de99fc29b4 100644 (file)
@@ -56,9 +56,13 @@ Additionally, there are **low-level** APIs for
 * :ref:`bridge <asyncio-futures>` callback-based libraries and code
   with async/await syntax.
 
+.. include:: ../includes/wasm-notavail.rst
+
 .. _asyncio-cli:
 
-You can experiment with an ``asyncio`` concurrent context in the REPL:
+.. rubric:: asyncio REPL
+
+You can experiment with an ``asyncio`` concurrent context in the :term:`REPL`:
 
 .. code-block:: pycon
 
@@ -70,7 +74,14 @@ You can experiment with an ``asyncio`` concurrent context in the REPL:
    >>> await asyncio.sleep(10, result='hello')
    'hello'
 
-.. include:: ../includes/wasm-notavail.rst
+.. audit-event:: cpython.run_stdin "" ""
+
+.. versionchanged:: 3.12.5 (also 3.11.10, 3.10.15, 3.9.20, and 3.8.20)
+   Emits audit events.
+
+.. versionchanged:: 3.13
+   Uses PyREPL if possible, in which case :envvar:`PYTHONSTARTUP` is
+   also executed. Emits audit events.
 
 .. We use the "rubric" directive here to avoid creating
    the "Reference" subsection in the TOC.
index a575760c9633271a55d8e1a9832d0fd5697508fb..c175c4f8b5b1eba6e242ad58663425091161bb74 100644 (file)
@@ -793,6 +793,15 @@ conflict.
    This variable can also be modified by Python code using :data:`os.environ`
    to force inspect mode on program termination.
 
+   .. audit-event:: cpython.run_stdin "" ""
+
+   .. versionchanged:: 3.12.5 (also 3.11.10, 3.10.15, 3.9.20, and 3.8.20)
+      Emits audit events.
+
+   .. versionchanged:: 3.13
+      Uses PyREPL if possible, in which case :envvar:`PYTHONSTARTUP` is
+      also executed. Emits audit events.
+
 
 .. envvar:: PYTHONUNBUFFERED
 
index 8d6e07d36b52cab9ce80fce0c67f3df65436cf53..a6f824dcc4ad14043a0fb4b10cd57e6c83c01cdc 100644 (file)
@@ -39,6 +39,8 @@ def interactive_console(mainmodule=None, quiet=False, pythonstartup=False):
     # sys._baserepl() above does this internally, we do it here
     startup_path = os.getenv("PYTHONSTARTUP")
     if pythonstartup and startup_path:
+        sys.audit("cpython.run_startup", startup_path)
+
         import tokenize
         with tokenize.open(startup_path) as f:
             startup_code = compile(f.read(), startup_path, "exec")
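Review bot: The PYTHONSTARTUP handling in this hunk, including the new `sys.audit("cpython.run_startup", startup_path)` call, is repeated line for line in the first hunk of Lib/asyncio/__main__.py, and nothing marks the two copies as needing to stay in step. This commit exists because some code paths lacked the event, so a short comment above the call would help, for example `# Audit before the file is opened so a hook can veto it; keep in sync with Lib/asyncio/__main__.py.` The enclosing function interactive_console starts before the hunk and continues after it.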
index 8b5a4b8f282a927eb54e4cfaed1a4ac4b5717234..111b7d92367210410b8df5bda6d4890a12508546 100644 (file)
@@ -91,6 +91,8 @@ class REPLThread(threading.Thread):
             console.write(banner)
 
             if startup_path := os.getenv("PYTHONSTARTUP"):
+                sys.audit("cpython.run_startup", startup_path)
+
                 import tokenize
                 with tokenize.open(startup_path) as f:
                     startup_code = compile(f.read(), startup_path, "exec")
@@ -127,6 +129,8 @@ class REPLThread(threading.Thread):
 
 
 if __name__ == '__main__':
+    sys.audit("cpython.run_stdin")
+
     if os.getenv('PYTHON_BASIC_REPL'):
         CAN_USE_PYREPL = False
     else:
@@ -155,6 +159,7 @@ if __name__ == '__main__':
     interactive_hook = getattr(sys, "__interactivehook__", None)
 
     if interactive_hook is not None:
+        sys.audit("cpython.run_interactivehook", interactive_hook)
         interactive_hook()
 
     if interactive_hook is site.register_readline:
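Review bot: The `cpython.run_interactivehook` event added before `interactive_hook()` is not reflected in the documentation this commit touches. The Doc/library/asyncio.rst hunk adds only an `.. audit-event::` entry for `cpython.run_stdin`, and the NEWS entry names only `cpython.run_stdin` and `cpython.run_startup`. Anyone writing audit hooks or detections from the docs would not learn that `python -m asyncio` raises this event too. I would add a matching `.. audit-event::` entry for `cpython.run_interactivehook` next to the existing one and mention it in the NEWS text. The `if __name__ == '__main__':` block starts before this hunk and continues after it.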
diff --git a/Misc/NEWS.d/next/Security/2024-07-18-13-17-47.gh-issue-121957.QemKLU.rst b/Misc/NEWS.d/next/Security/2024-07-18-13-17-47.gh-issue-121957.QemKLU.rst
new file mode 100644 (file)
index 0000000..49ccc5e
--- /dev/null
@@ -0,0 +1,3 @@
+Fixed missing audit events around interactive use of Python, now also
+properly firing for ``python -i``, as well as for ``python -m asyncio``. The
+events in question are ``cpython.run_stdin`` and ``cpython.run_startup``.
index 3c202c85c76dcc4d4af2092790b58c504a735080..15ea49a1bad19e9b93d7273de86f1854aee9d75e 100644 (file)
@@ -594,6 +594,10 @@ pymain_repl(PyConfig *config, int *exitcode)
         return;
     }
 
+    if (PySys_Audit("cpython.run_stdin", NULL) < 0) {
+        return;
+    }
+
     if (!isatty(fileno(stdin))
         || _Py_GetEnv(config->use_environment, "PYTHON_BASIC_REPL")) {
         PyCompilerFlags cf = _PyCompilerFlags_INIT;
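Review bot: When an audit hook rejects `cpython.run_stdin`, the added branch returns without writing `*exitcode` and without reporting the pending exception. As far as this hunk shows, `python -i script.py` could then end with the script's own exit status and no message even though the REPL was blocked. Consider `*exitcode = pymain_exit_err_print();` before the `return;`, if that matches how other audit failures in this file are handled (not visible here). pymain_repl starts before the hunk and continues after it.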