1 files changed, 39 insertions, 13 deletions

diff --git a/poetry_restrict_plugin/plugin.py b/poetry_restrict_plugin/plugin.py
index 00af92b..2e9c829 100644
--- a/poetry_restrict_plugin/plugin.py
+++ b/poetry_restrict_plugin/plugin.py
@@ -33,8 +33,13 @@ def find_libc(**kwargs):
     libc = ctypes.CDLL("libc.so.6", **kwargs)
     # const char *source, const char *target, const char *filesystemtype,
     # unsigned long mountflags, const void *_Nullable data
-    libc.mount.argtypes = (ctypes.c_char_p, ctypes.c_char_p,
-                           ctypes.c_char_p, ctypes.c_ulong, ctypes.c_char_p)
+    libc.mount.argtypes = (
+        ctypes.c_char_p,
+        ctypes.c_char_p,
+        ctypes.c_char_p,
+        ctypes.c_ulong,
+        ctypes.c_char_p,
+    )
     return libc
 
 
@@ -124,7 +129,9 @@ class RestrictPlugin(Plugin):
         for mountargs in mounts:
             rc = libc.mount(*mountargs)
             if rc != 0:
-                raise exc_from_errno(syscall="mount", detail=f"Mount options are {mountargs!r}")
+                raise exc_from_errno(
+                    syscall="mount", detail=f"Mount options are {mountargs!r}"
+                )
 
     def landlock(self, poetry: Poetry):
         # /home/user/.local/pipx/venvs/poetry/lib/python3.11/site-packages
@@ -144,7 +151,7 @@ class RestrictPlugin(Plugin):
                     poetry.config.virtualenvs_path,
                     # Cached dependencies
                     poetry.config.artifacts_cache_directory,
-                    poetry.config.repository_cache_directory
+                    poetry.config.repository_cache_directory,
                 ),
             ),
             rules=FSAccess.all(),
@@ -152,7 +159,9 @@ class RestrictPlugin(Plugin):
         #   Temporary storage
         ruleset.allow("/tmp", rules=FSAccess.all() & ~FSAccess.EXECUTE)
         # Poetry may also want to late-import some of its dependencies, or built-in modules
-        ruleset.allow(*existing_paths(sys.path), rules=FSAccess.READ_FILE | FSAccess.READ_DIR)
+        ruleset.allow(
+            *existing_paths(sys.path), rules=FSAccess.READ_FILE | FSAccess.READ_DIR
+        )
 
         # Finally, the Python executable may need to import some of its shared libraries
         ruleset.allow(
@@ -160,18 +169,27 @@ class RestrictPlugin(Plugin):
             rules=FSAccess.READ_FILE | FSAccess.READ_DIR | FSAccess.EXECUTE,
         )
         # and in poetry shell, we might want to run some system executables, too
-        ruleset.allow("/usr/bin", rules=FSAccess.READ_FILE | FSAccess.READ_DIR | FSAccess.EXECUTE)
+        ruleset.allow(
+            "/usr/bin", rules=FSAccess.READ_FILE | FSAccess.READ_DIR | FSAccess.EXECUTE
+        )
 
         # For compilation of C dependencies, we need to be able to find headers
-        ruleset.allow(*existing_paths(("/usr/include",)), rules=FSAccess.READ_FILE | FSAccess.READ_DIR)
+        ruleset.allow(
+            *existing_paths(("/usr/include",)),
+            rules=FSAccess.READ_FILE | FSAccess.READ_DIR,
+        )
 
         # We allow read access here, note the pid namespace is restricted
         ruleset.allow("/proc", rules=FSAccess.READ_FILE | FSAccess.READ_DIR)
         # needed for /dev/tty and /dev/pty devices, see /usr/lib/python3.11/pty.py
-        ruleset.allow("/dev", rules=FSAccess.READ_FILE | FSAccess.READ_DIR | FSAccess.WRITE_FILE)
+        ruleset.allow(
+            "/dev", rules=FSAccess.READ_FILE | FSAccess.READ_DIR | FSAccess.WRITE_FILE
+        )
 
         # Python's `zoneinfo` module
-        ruleset.allow("/usr/share/zoneinfo/", rules=FSAccess.READ_FILE | FSAccess.READ_DIR)
+        ruleset.allow(
+            "/usr/share/zoneinfo/", rules=FSAccess.READ_FILE | FSAccess.READ_DIR
+        )
 
         ruleset.allow(
             # We need to know which DNS resolver to use, and any custom hosts
@@ -185,7 +203,11 @@ class RestrictPlugin(Plugin):
             *existing_paths(("/etc/bash.bashrc", os.path.expanduser("~/.bashrc"))),
             rules=FSAccess.READ_FILE,
         )
-        ruleset.allow("/etc/ssl/certs", "/usr/local/share/ca-certificates", rules=FSAccess.READ_FILE | FSAccess.READ_DIR)
+        ruleset.allow(
+            "/etc/ssl/certs",
+            "/usr/local/share/ca-certificates",
+            rules=FSAccess.READ_FILE | FSAccess.READ_DIR,
+        )
 
         # Allow determining mime types. Used for ruamel.yaml installation.
         ruleset.allow("/etc/mime.types", rules=FSAccess.READ_FILE)
@@ -208,7 +230,7 @@ class RestrictPlugin(Plugin):
                 *existing_paths(
                     (
                         os.path.expanduser("~/.gitconfig"),
-                        os.path.expanduser("~/.config/git/config")
+                        os.path.expanduser("~/.config/git/config"),
                     )
                 ),
                 rules=FSAccess.READ_FILE,
@@ -260,7 +282,11 @@ class RestrictPlugin(Plugin):
             self.landlock(poetry)
             io.write_line("<info>poetry-restrict-plugin</info>: Landlocked & unshared.")
         except Exception as err:
-            io.write_line("<error>Fatal error trying to enforce Landlock rules or unshare:</error>")
+            io.write_line(
+                "<error>Fatal error trying to enforce Landlock rules or unshare:</error>"
+            )
             traceback.print_exception(err)
-            io.write_line("<error>This is an issue of the Poetry restrict plugin, not of Poetry itself.</error>")
+            io.write_line(
+                "<error>This is an issue of the Poetry restrict plugin, not of Poetry itself.</error>"
+            )
             raise