[Python-Dev] PEP 578: Python Runtime Audit Hooks
Christian Heimes
christian at python.org
Fri Mar 29 06:34:20 EDT 2019
On 28/03/2019 23.35, Steve Dower wrote:
> Audit Hook
> ----------
>
> In order to observe actions taken by the runtime (on behalf of the
> caller), an API is required to raise messages from within certain
> operations. These operations are typically deep within the Python
> runtime or standard library, such as dynamic code compilation, module
> imports, DNS resolution, or use of certain modules such as ``ctypes``.
>
> The following new C APIs allow embedders and CPython implementors to
> send and receive audit hook messages::
>
> # Add an auditing hook
> typedef int (*hook_func)(const char *event, PyObject *args,
> void *userData);
> int PySys_AddAuditHook(hook_func hook, void *userData);
>
> # Raise an event with all auditing hooks
> int PySys_Audit(const char *event, PyObject *args);
>
> # Internal API used during Py_Finalize() - not publicly accessible
> void _Py_ClearAuditHooks(void);
>
> The new Python APIs for receiving and raising audit hooks are::
>
> # Add an auditing hook
> sys.addaudithook(hook: Callable[[str, tuple]])
>
> # Raise an event with all auditing hooks
> sys.audit(str, *args)
>
>
> Hooks are added by calling ``PySys_AddAuditHook()`` from C at any time,
> including before ``Py_Initialize()``, or by calling
> ``sys.addaudithook()`` from Python code. Hooks cannot be removed or
> replaced.
Hi Steve,
I wonder if the hooks could be replaced by a more efficient mechanism.
These days, Linux, macOS, and most recently Windows [1] support dtrace
probes. DTrace is a very powerful and efficient mechanism to trace
user-space processes from Kernel space. At least we should consider to
add DTrace probes to the auditing framework.
Regards,
Christian
[1]
https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/DTrace-on-Windows/ba-p/362902
More information about the Python-Dev
mailing list