diff --git a/Doc/library/sys.rst b/Doc/library/sys.rst
index 88a2e68c63d73a..8785278fa39aa4 100644
--- a/Doc/library/sys.rst
+++ b/Doc/library/sys.rst
@@ -35,6 +35,15 @@ always available.
can then log the event, raise an exception to abort the operation,
or terminate the process entirely.
+ Note that audit hooks are primarily for collecting information about internal
+ or otherwise unobservable actions, whether by Python or libraries written in
+ Python. They are not suitable for implementing a "sandbox". In particular,
+ malicious code can trivially disable or bypass hooks added using this
+ function. At a minimum, any security-sensitive hooks must be added using the
+ C API :c:func:`PySys_AddAuditHook` before initialising the runtime, and any
+ modules allowing arbitrary memory modification (such as :mod:`ctypes`) should
+ be completely removed or closely monitored.
+
.. audit-event:: sys.addaudithook "" sys.addaudithook
Calling :func:`sys.addaudithook` will itself raise an auditing event
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy