author | 2024-07-30 19:18:07 +0200 | |
---|---|---|
committer | 2024-07-30 19:18:07 +0200 | |
commit | ad754a185c26ae09d308d738330e904a6516ee21 (patch) | |
tree | 1c772af075fad3eaf5c089fb6180d9c71e3b4576 | |
parent | Begin 0.1.0a4 development (diff) |
Allow access to /usr/include for compiled dependencies
-rw-r--r-- | poetry_restrict_plugin/plugin.py | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/poetry_restrict_plugin/plugin.py b/poetry_restrict_plugin/plugin.py
index 652f7a2..4077a46 100644
--- a/poetry_restrict_plugin/plugin.py
+++ b/poetry_restrict_plugin/plugin.py
@@ -57,6 +57,8 @@ class RestrictPlugin(Plugin):
 # and in poetry shell, we might want to run some system executables, too
 ruleset.allow("/usr/bin", rules=FSAccess.READ_FILE | FSAccess.READ_DIR | FSAccess.EXECUTE)
+ # For compilation of C dependencies, we need to be able to find headers
+ ruleset.allow(*existing_paths(("/usr/include",)), rules=FSAccess.READ_FILE | FSAccess.READ_DIR)
 # We allow read access here, later we might want to restrict the pid namespace though
 ruleset.allow("/proc", rules=FSAccess.READ_FILE | FSAccess.READ_DIR) |
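Review bot: The comment on the new `/usr/include` rule explains why headers are needed but not that the grant is deliberately limited to `READ_FILE | READ_DIR`; I would extend it with something like `# Read-only on purpose: the compiler only reads headers, so no EXECUTE or write access is granted`, so a later edit does not widen it by copying the `/usr/bin` line above. The path goes through `existing_paths(...)` while `/usr/bin` and `/proc` are passed directly, presumably because `/usr/include` can be absent on hosts without development headers; since `existing_paths` is defined outside this hunk, it is worth confirming that `ruleset.allow()` called with no paths is a no-op rather than an error. The hunk counts suggest the added lines sit directly above the `/proc` comment with no blank line between them, so "We allow read access here" now reads as if it also covered `/usr/include`; a blank line after the new rule would keep the two grants separate. The enclosing method of `RestrictPlugin` starts and ends outside the hunk.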