author | 2024-08-01 20:17:39 +0200 | |
---|---|---|
committer | 2024-08-01 20:17:39 +0200 | |
commit | 8369148e0dd53755d2f82f3e659075890009e72b (patch) | |
tree | 05bca3bdaac7799dda97b8674727c782b5b9e60b | |
parent | Allow ~/.config/pypoetry for nested poetry invocations (diff) |
Allow reading pyvenv.cfg for nested poetry-in-poetry use cases v0.1.0a5
-rw-r--r-- | poetry_restrict_plugin/plugin.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/poetry_restrict_plugin/plugin.py b/poetry_restrict_plugin/plugin.py
index d7f02d7..1fc749d 100644
--- a/poetry_restrict_plugin/plugin.py
+++ b/poetry_restrict_plugin/plugin.py
@@ -27,7 +27,12 @@ def ensure_paths(paths):
 class RestrictPlugin(Plugin):
 def landlock(self, poetry: Poetry):
+ # /home/user/.local/pipx/venvs/poetry/lib/python3.11/site-packages
 poetry_libs_path = pathlib.Path(poetry_package.__path__._path[0]).parent
+ # Needed, otherwise raises:
+ # Fatal Python error: init_import_site: Failed to import the site module
+ # /home/user/.local/pipx/venvs/poetry/pyvenv.cfg
+ poetry_pyvenv_cfg = poetry_libs_path.parent.parent.parent / "pyvenv.cfg"
 ruleset = Ruleset()
@@ -105,6 +110,8 @@ class RestrictPlugin(Plugin):
 # filter programs in gitattributes might allow a sandbox escape.
 ruleset.allow(os.path.dirname(poetry.pyproject_path))
+ # => Rules for poetry-in-poetry
+ #
 # This is suboptimal. It is needed for nested invocations of poetry, which
 # sometimes happen through a combination of tooling (e.g. script calling
 # command through poetry being run in poetry shell). However, the
@@ -115,6 +122,8 @@ class RestrictPlugin(Plugin):
 *existing_paths((os.path.expanduser("~/.config/pypoetry"),)),
 rules=FSAccess.READ_FILE | FSAccess.READ_DIR,
 )
+ # Python may need to read pyvenv.cfg
+ ruleset.allow(poetry_pyvenv_cfg, rules=FSAccess.READ_FILE)
 ruleset.apply()
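Review bot: The new `poetry_pyvenv_cfg = poetry_libs_path.parent.parent.parent / "pyvenv.cfg"` in the first hunk hard-codes the venv layout as three directories above site-packages, which matches the commented POSIX `lib/python3.11/site-packages` example but not a Windows `Lib/site-packages` venv or a non-venv install where no pyvenv.cfg exists; the `ruleset.allow(poetry_pyvenv_cfg, rules=FSAccess.READ_FILE)` added in the third hunk then names a path that may be absent, whereas the adjacent `~/.config/pypoetry` rule is filtered through `existing_paths`. Since the interpreter already knows its own venv root, `pathlib.Path(sys.prefix) / "pyvenv.cfg"` is the direct derivation (assuming `sys` is imported at file level, which is outside the hunk), and the grant could be made consistent with its neighbour as `ruleset.allow(*existing_paths((str(poetry_pyvenv_cfg),)), rules=FSAccess.READ_FILE)` — whether `existing_paths` accepts `Path` objects as well as `str` is not visible here, hence the `str(...)`. Restricting the grant to READ_FILE on the single file is the right scope and should be kept either way. The `landlock` method starts in the first hunk and its body continues outside the hunks shown.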