Diffstat (limited to 'poetry_restrict_plugin/plugin.py')
-rw-r--r-- | poetry_restrict_plugin/plugin.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/poetry_restrict_plugin/plugin.py b/poetry_restrict_plugin/plugin.py
index c885795..d7f02d7 100644
--- a/poetry_restrict_plugin/plugin.py
+++ b/poetry_restrict_plugin/plugin.py
@@ -105,6 +105,17 @@ class RestrictPlugin(Plugin):
         # filter programs in gitattributes might allow a sandbox escape.
         ruleset.allow(os.path.dirname(poetry.pyproject_path))
 
+        # This is suboptimal. It is needed for nested invocations of poetry, which
+        # sometimes happen through a combination of tooling (e.g. script calling
+        # command through poetry being run in poetry shell). However, the
+        # poetry configuration directory contains a file named `auth.toml`, which
+        # sounds it makes sense to restrict. The cleaner solution here would be
+        # to mount a tmpfs over here so it appears empty.
+        ruleset.allow(
+            *existing_paths((os.path.expanduser("~/.config/pypoetry"),)),
+            rules=FSAccess.READ_FILE | FSAccess.READ_DIR,
+        )
+
         ruleset.apply()
 
     def activate(self, poetry: Poetry, io: IO): |
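Review bot: The new `ruleset.allow(...)` call grants READ_FILE | READ_DIR on the whole `~/.config/pypoetry` directory, which, as the added comment itself notes, makes the credential file `auth.toml` readable inside the sandbox even though nothing visible in this hunk needs it. If the nested invocation only has to find the plugin's own settings, the allow can be scoped to the config file alone: `*existing_paths((os.path.join(os.path.expanduser("~/.config/pypoetry"), "config.toml"),)),` with `rules=FSAccess.READ_FILE,` and no READ_DIR, leaving `auth.toml` unreadable; whether a nested `poetry install` against a private index still needs `auth.toml` is something to confirm before narrowing. Separately, hard-coding `~/.config/pypoetry` presumably misses setups where poetry's config directory is relocated (e.g. via `POETRY_CONFIG_DIR` or `XDG_CONFIG_HOME`), in which case the nested invocation would fail under the sandbox rather than leak anything; resolving the directory the same way poetry does would be worth a follow-up or at least a comment. The enclosing method starts outside this hunk.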