peps/pep-0768.rst
Lines changed: 18 additions & 16 deletions
Original file line number
Diff line number
Diff line change
@@ -287,7 +287,6 @@ This change has no impact on existing Python code or interpreter performance.
287
287
The added fields are only accessed during debugger attachment, and the checking
288
288
mechanism piggybacks on existing interpreter safe points.
289
289
290
-
291
290
Security Implications
292
291
=====================
293
292
@@ -297,23 +296,26 @@ the PEP doesn't specify how memory should be written to the target process, in p
297
296
this will be done using standard system calls that are already being used by other
298
297
debuggers and tools. Some examples are:
299
298
300
-
* On Linux, the ``process_vm_readv()`` and ``process_vm_writev()`` system calls
299
+
* On Linux, the `process_vm_readv() <https://man7.org/linux/man-pages/man2/process_vm_readv.2.html>`__
300
+
and `process_vm_writev() <https://man7.org/linux/man-pages/man2/process_vm_writev.2.html>`__ system calls
301
301
are used to read and write memory from another process. These operations are
302
-
controlled by ptrace access mode checks - the same ones that govern debugger
303
-
attachment. A process can only read from or write to another process's memory
304
-
if it has the appropriate permissions (typically requiring either root or the
305
-
``CAP_SYS_PTRACE`` capability, though less security minded distributions may
306
-
allow any process running as the same uid to attach).
307
-
308
-
* On macOS, the interface would leverage ``mach_vm_read_overwrite()`` and
309
-
``mach_vm_write()`` through the Mach task system. These operations require
302
+
controlled by `ptrace <https://man7.org/linux/man-pages/man2/ptrace.2.html>`__ access mode
303
+
checks - the same ones that govern debugger attachment. A process can only read from
304
+
or write to another process's memory if it has the appropriate permissions (typically
305
+
requiring either root or the `CAP_SYS_PTRACE <https://man7.org/linux/man-pages/man7/capabilities.7.html>`__
306
+
capability, though less security minded distributions may allow any process running as the same uid to attach).
307
+
308
+
* On macOS, the interface would leverage `mach_vm_read_overwrite()<https://developer.apple.com/documentation/kernel/1402127-mach_vm_read_overwrite>`__ and
309
+
`mach_vm_write()<https://developer.apple.com/documentation/kernel/1402070-mach_vm_write>`__ through the Mach task system. These operations require
310
310
``task_for_pid()`` access, which is strictly controlled by the operating
311
311
system. By default, access is limited to processes running as root or those
312
312
with specific entitlements granted by Apple's security framework.
313
313
314
-
* On Windows, the ``ReadProcessMemory()`` and ``WriteProcessMemory()`` functions
314
+
* On Windows, the `ReadProcessMemory() <https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory>`__
315
+
and `WriteProcessMemory() <https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory>`__ functions
315
316
provide similar functionality. Access is controlled through the Windows
316
-
security model - a process needs ``PROCESS_VM_READ`` and ``PROCESS_VM_WRITE``
317
+
security model - a process needs `PROCESS_VM_READ <https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights>`__
318
+
and `PROCESS_VM_WRITE <https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights>`__
317
319
permissions, which typically require the same user context or appropriate
318
320
privileges. These are the same permissions required by debuggers, ensuring
319
321
consistent security semantics across platforms.
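Review bot: the two new macOS link lines are missing the whitespace that reStructuredText requires between the link text and the angle-bracketed URI: `mach_vm_read_overwrite()<https://developer.apple.com/...>`__ and `mach_vm_write()<https://developer.apple.com/...>`__ should be written `mach_vm_read_overwrite() <https://...>`__ and `mach_vm_write() <https://...>`__, the way the Linux and Windows entries in this same hunk are; without the space docutils takes the whole string as the reference text and the anonymous `__` reference ends up with no target. Two smaller points: new line 306 ("capability, though less security minded distributions may allow any process running as the same uid to attach).") runs well past the roughly 79-column wrapping used everywhere else in the file and should be rewrapped, and turning the function names into links drops the ``double-backtick`` monospace formatting they had before, which is a known reStructuredText limitation but worth a deliberate decision so that ``task_for_pid()`` on the unchanged line 310 does not end up as the only monospaced API name in the list.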
@@ -327,7 +329,7 @@ All mechanisms ensure that:
327
329
The memory operations themselves are well-established and have been used safely
328
330
for decades in tools like GDB, LLDB, and various system profilers.
329
331
330
-
It’s important to note that any attempt to attach to a Python process via this
332
+
It's important to note that any attempt to attach to a Python process via this
331
333
mechanism would be detectable by system-level monitoring tools. This
332
334
transparency provides an additional layer of accountability, allowing
333
335
administrators to audit debugging operations in sensitive environments.
@@ -336,12 +338,12 @@ Further, the strict reliance on OS-level security controls ensures that existing
336
338
system policies remain effective. For enterprise environments, this means
337
339
administrators can continue to enforce debugging restrictions using standard
338
340
tools and policies without requiring additional configuration. For instance,
339
-
leveraging Linux’s ``ptrace_scope`` or macOS’s ``taskgated`` to restrict
340
-
debugger access will equally govern the proposed interface.
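Review bot: only the two removed lines (old 339-340, "leveraging Linux’s ``ptrace_scope`` or macOS’s ``taskgated`` to restrict" / "debugger access will equally govern the proposed interface.") are visible here and none of the replacement lines, even though the header @@ -336,12 +338,12 @@ says the hunk is 12 lines on both sides; please confirm that the + lines replace the curly apostrophes in "Linux’s" and "macOS’s" with ASCII ones, consistent with the "It’s" to "It's" change in the previous hunk, and that the ``ptrace_scope`` and ``taskgated`` literals are kept as-is.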