| author | 2024-08-01 20:14:40 +0200 | |
|---|---|---|
| committer | 2024-08-01 20:14:40 +0200 | |
| commit | 87907c1c0f2c22e359bf572cf1840673b69b3d00 (patch) | |
| tree | 9b2990cb72340e0953e831e5dc80b1f6188f45bd /poetry_restrict_plugin/plugin.py | |
| parent | Add comment for why pre-commit needs gitconfig (diff) | |
Allow ~/.config/pypoetry for nested poetry invocations
Diffstat (limited to 'poetry_restrict_plugin/plugin.py')
| -rw-r--r-- | poetry_restrict_plugin/plugin.py | 11 | 
1 files changed, 11 insertions, 0 deletions
diff --git a/poetry_restrict_plugin/plugin.py b/poetry_restrict_plugin/plugin.py
index c885795..d7f02d7 100644
--- a/poetry_restrict_plugin/plugin.py
+++ b/poetry_restrict_plugin/plugin.py
@@ -105,6 +105,17 @@ class RestrictPlugin(Plugin):
         # filter programs in gitattributes might allow a sandbox escape.
         ruleset.allow(os.path.dirname(poetry.pyproject_path))
+        # This is suboptimal. It is needed for nested invocations of poetry, which
+        # sometimes happen through a combination of tooling (e.g. script calling
+        # command through poetry being run in poetry shell). However, the
+        # poetry configuration directory contains a file named `auth.toml`, which
+        # sounds it makes sense to restrict. The cleaner solution here would be
+        # to mount a tmpfs over here so it appears empty.
+        ruleset.allow(
+            *existing_paths((os.path.expanduser("~/.config/pypoetry"),)),
+            rules=FSAccess.READ_FILE | FSAccess.READ_DIR,
+        )
+
         ruleset.apply()
     def activate(self, poetry: Poetry, io: IO):
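Review bot: The new `ruleset.allow` grants `READ_FILE` on the whole `~/.config/pypoetry` tree, which, as the added comment itself notes, includes `auth.toml` — the file where Poetry stores repository credentials when no keyring is available — so everything running inside the sandbox can now read those secrets. Rules in this ruleset (Landlock, judging by `FSAccess`) are purely additive, so a directory-wide allow cannot be carved back down afterwards; if the nested invocation only needs the settings file, grant listing on the directory and reading on `config.toml` alone: `cfg_dir = os.path.expanduser("~/.config/pypoetry")`, `ruleset.allow(*existing_paths((cfg_dir,)), rules=FSAccess.READ_DIR)`, `ruleset.allow(*existing_paths((os.path.join(cfg_dir, "config.toml"),)), rules=FSAccess.READ_FILE)`. Whether a nested poetry ever needs more than `config.toml` (for example `auth.toml` to reach a private index) is not established by this patch and should be confirmed before narrowing. The comment's "which sounds it makes sense to restrict" reads like a typo for "which it makes sense to restrict", and the tmpfs remark would be more accurate as "mount a tmpfs over it (which needs a mount namespace) or point nested runs at a sanitized copy via `POETRY_CONFIG_DIR`". The enclosing method begins before this hunk.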