Support disallowing os.exec*() in an interpreter.

Author: ericsnowcurrently

Include/cpython/initconfig.h

@@ -245,13 +245,15 @@ PyAPI_FUNC(PyStatus) PyConfig_SetWideStringList(PyConfig *config,
 
 typedef struct {
     int allow_fork;
+    int allow_exec;
     int allow_threads;
     int allow_daemon_threads;
 } _PyInterpreterConfig;
 
 #define _PyInterpreterConfig_LEGACY_INIT \
     { \
         .allow_fork = 1, \
+        .allow_exec = 1, \
         .allow_threads = 1, \
         .allow_daemon_threads = 1, \
     }

Include/cpython/pystate.h

@@ -20,6 +20,9 @@ might not be allowed in the current interpreter (i.e. os.fork() would fail).
 /* Set if os.fork() is allowed. */
 #define Py_RTFLAGS_FORK (1UL << 15)
 
+/* Set if os.exec*() is allowed. */
+#define Py_RTFLAGS_EXEC (1UL << 16)
+
 
 PyAPI_FUNC(int) _PyInterpreterState_HasFeature(PyInterpreterState *interp,
                                                unsigned long feature);

Lib/test/test__xxsubinterpreters.py

@@ -856,6 +856,22 @@ def f():
 
             self.assertEqual(out, 'it worked!')
 
+    def test_os_exec(self):
+        expected = 'spam spam spam spam spam'
+        subinterp = interpreters.create()
+        script, file = _captured_script(f"""
+            import os, sys
+            try:
+                os.execl(sys.executable)
+            except RuntimeError:
+                print('{expected}', end='')
+            """)
+        with file:
+            interpreters.run_string(subinterp, script)
+            out = file.read()
+
+        self.assertEqual(out, expected)
+
     @support.requires_fork()
     def test_fork(self):
         import tempfile

Lib/test/test_capi.py

@@ -1096,13 +1096,14 @@ def test_configured_settings(self):
         THREADS = 1<<10
         DAEMON_THREADS = 1<<11
         FORK = 1<<15
+        EXEC = 1<<16
 
-        features = ['fork', 'threads', 'daemon_threads']
+        features = ['fork', 'exec', 'threads', 'daemon_threads']
         kwlist = [f'allow_{n}' for n in features]
         for config, expected in {
-            (True, True, True): FORK | THREADS | DAEMON_THREADS,
-            (False, False, False): 0,
-            (False, True, False): THREADS,
+            (True, True, True, True): FORK | EXEC | THREADS | DAEMON_THREADS,
+            (False, False, False, False): 0,
+            (False, False, True, False): THREADS,
         }.items():
             kwargs = dict(zip(kwlist, config))
             expected = {

Lib/test/test_embed.py

@@ -1651,9 +1651,10 @@ def test_init_main_interpreter_settings(self):
         THREADS = 1<<10
         DAEMON_THREADS = 1<<11
         FORK = 1<<15
+        EXEC = 1<<16
         expected = {
             # All optional features should be enabled.
-            'feature_flags': FORK | THREADS | DAEMON_THREADS,
+            'feature_flags': FORK | EXEC | THREADS | DAEMON_THREADS,
         }
         out, err = self.run_embedded_interpreter(
             'test_init_main_interpreter_settings',

Lib/test/test_threading.py

@@ -1324,6 +1324,7 @@ def func():
             test.support.run_in_subinterp_with_config(
                 {subinterp_code!r},
                 allow_fork=True,
+                allow_exec=True,
                 allow_threads={allowed},
                 allow_daemon_threads={daemon_allowed},
             )

Modules/_testcapimodule.c

@@ -3231,6 +3231,7 @@ run_in_subinterp_with_config(PyObject *self, PyObject *args, PyObject *kwargs)
 {
     const char *code;
     int allow_fork = -1;
+    int allow_exec = -1;
     int allow_threads = -1;
     int allow_daemon_threads = -1;
     int r;
@@ -3240,19 +3241,24 @@ run_in_subinterp_with_config(PyObject *self, PyObject *args, PyObject *kwargs)
 
     static char *kwlist[] = {"code",
                              "allow_fork",
+                             "allow_exec",
                              "allow_threads",
                              "allow_daemon_threads",
                              NULL};
     if (!PyArg_ParseTupleAndKeywords(args, kwargs,
-                    "s$ppp:run_in_subinterp_with_config", kwlist,
-                    &code, &allow_fork,
+                    "s$pppp:run_in_subinterp_with_config", kwlist,
+                    &code, &allow_fork, &allow_exec,
                     &allow_threads, &allow_daemon_threads)) {
         return NULL;
     }
     if (allow_fork < 0) {
         PyErr_SetString(PyExc_ValueError, "missing allow_fork");
         return NULL;
     }
+    if (allow_exec < 0) {
+        PyErr_SetString(PyExc_ValueError, "missing allow_exec");
+        return NULL;
+    }
     if (allow_threads < 0) {
         PyErr_SetString(PyExc_ValueError, "missing allow_threads");
         return NULL;
@@ -3268,6 +3274,7 @@ run_in_subinterp_with_config(PyObject *self, PyObject *args, PyObject *kwargs)
 
     const _PyInterpreterConfig config = {
         .allow_fork = allow_fork,
+        .allow_exec = allow_exec,
         .allow_threads = allow_threads,
         .allow_daemon_threads = allow_daemon_threads,
     };

Modules/_xxsubinterpretersmodule.c

@@ -2005,6 +2005,7 @@ interp_create(PyObject *self, PyObject *args, PyObject *kwds)
     PyThreadState *save_tstate = _PyThreadState_GET();
     const _PyInterpreterConfig config = {
         .allow_fork = !isolated,
+        .allow_exec = !isolated,
         .allow_threads = !isolated,
         .allow_daemon_threads = !isolated,
     };

Modules/posixmodule.c

@@ -5773,6 +5773,13 @@ os_execv_impl(PyObject *module, path_t *path, PyObject *argv)
     EXECV_CHAR **argvlist;
     Py_ssize_t argc;
 
+    PyInterpreterState *interp = _PyInterpreterState_GET();
+    if (!_PyInterpreterState_HasFeature(interp, Py_RTFLAGS_EXEC)) {
+        PyErr_SetString(PyExc_RuntimeError,
+                        "exec not supported for isolated subinterpreters");
+        return NULL;
+    }
+
     /* execv has two arguments: (path, argv), where
        argv is a list or tuple of strings. */
 
@@ -5839,6 +5846,13 @@ os_execve_impl(PyObject *module, path_t *path, PyObject *argv, PyObject *env)
     EXECV_CHAR **envlist;
     Py_ssize_t argc, envc;
 
+    PyInterpreterState *interp = _PyInterpreterState_GET();
+    if (!_PyInterpreterState_HasFeature(interp, Py_RTFLAGS_EXEC)) {
+        PyErr_SetString(PyExc_RuntimeError,
+                        "exec not supported for isolated subinterpreters");
+        return NULL;
+    }
+
     /* execve has three arguments: (path, argv, env), where
        argv is a list or tuple of strings and env is a dictionary
        like posix.environ. */

Python/pylifecycle.c

@@ -615,9 +615,15 @@ static void
 init_interp_settings(PyInterpreterState *interp, const _PyInterpreterConfig *config)
 {
     assert(interp->feature_flags == 0);
+
     if (config->allow_fork) {
         interp->feature_flags |= Py_RTFLAGS_FORK;
     }
+    if (config->allow_exec) {
+        interp->feature_flags |= Py_RTFLAGS_EXEC;
+    }
+    // Note that fork+exec is always allowed.
+
     if (config->allow_threads) {
         interp->feature_flags |= Py_RTFLAGS_THREADS;
     }