gh-135543: emit sys.remote_exec audit event when sys.remote_exec has been called

Zheaoli · Zheaoli · commit b125c7860a5b · 2025-06-16T02:31:08.000+08:00
Signed-off-by: Manjusaka &lt;me@manjusaka.me&gt;
diff --git a/Doc/library/sys.rst b/Doc/library/sys.rst
@@ -1933,6 +1933,11 @@ always available. Unless explicitly noted otherwise, all variables are read-only
    interpreter is pre-release (alpha, beta, or release candidate) then the
    local and remote interpreters must be the same exact version.
 
+   .. audit-event:: remove_exec pid script_path
+
+      When the code is executed in the remote process, an :ref:`auditing event <auditing>`
+      ``remove_exec`` is raised with the *pid* and the path to the script file.
+
    .. availability:: Unix, Windows.
    .. versionadded:: 3.14
 
diff --git a/Lib/test/test_sys.py b/Lib/test/test_sys.py
@@ -2118,6 +2118,7 @@ def audit_hook(event, arg):
         self.assertEqual(returncode, 0)
         self.assertIn(b"Remote script executed successfully!", stdout)
         self.assertIn(b"Audit event: remote_debugger_script, arg: ", stdout)
+        self.assertIn(b"Audit event: remote_exec, arg: ", stdout)
         self.assertEqual(stderr, b"")
 
     def test_remote_exec_with_exception(self):
diff --git a/Python/sysmodule.c b/Python/sysmodule.c
@@ -2485,6 +2485,10 @@ sys_remote_exec_impl(PyObject *module, int pid, PyObject *script)
     PyObject *path;
     const char *debugger_script_path;
 
+    if (PySys_Audit("remote_exec", "iO", pid, script) < 0) {
+        return NULL;
+    }
+
     if (PyUnicode_FSConverter(script, &path) == 0) {
         return NULL;
     }
