# poetry-restrict-plugin

This Poetry plugin aims to restrict Poetry's allowed accesses to what it needs
to fulfill its function. The goal is to apply the [principle of least
privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) to our
development tooling.


## Motivation

What's the worst thing that could happen if you install a malicious Python
dependency on your computer? Which information could it gather from your files,
and how could it make itself a permanent home on your computer?

With `poetry-restrict-plugin`, attempts to read such files through Poetry look
as follows:

```sh
$ poetry run cat ~/.ssh/config
poetry-restrict-plugin: Landlock engaged.
cat: /home/jc/.ssh/config: Permission denied
$ poetry run ls ~/.ssh
poetry-restrict-plugin: Landlock engaged.
ls: cannot open directory '/home/jc/.ssh': Permission denied
```


## Installation

`poetry-restrict-plugin` is currently only supported on Linux with [the Landlock
LSM](https://docs.kernel.org/userspace-api/landlock.html) enabled.
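
To check this requirement before installing, the following added example (not part of the plugin's code) reads the kernel's active LSM list and asks the kernel for its Landlock ABI version. It assumes syscall number 444 for `landlock_create_ruleset`, which holds on x86_64 and arm64; the function names are illustrative.

```python
import ctypes
import errno
import os
import sys

# Assumption: 444 is the landlock_create_ruleset syscall number on common
# Linux architectures (x86_64, arm64); other architectures may differ.
SYS_LANDLOCK_CREATE_RULESET = 444
LANDLOCK_CREATE_RULESET_VERSION = 1  # flag: return the ABI version, create nothing
LSM_LIST_PATH = "/sys/kernel/security/lsm"


def lsm_list_has_landlock(text):
    """True if a comma-separated LSM list (as in the file above) names landlock."""
    return "landlock" in [name.strip() for name in text.split(",")]


def landlock_abi_version():
    """Return (abi_version, None) if Landlock is usable, else (None, errno)."""
    if not sys.platform.startswith("linux"):
        return None, errno.ENOSYS
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    ret = libc.syscall(ctypes.c_long(SYS_LANDLOCK_CREATE_RULESET),
                       ctypes.c_void_p(None), ctypes.c_size_t(0),
                       ctypes.c_uint32(LANDLOCK_CREATE_RULESET_VERSION))
    if ret < 0:
        return None, ctypes.get_errno()
    return ret, None


def explain(abi, err):
    """Turn the result of landlock_abi_version() into a human-readable verdict."""
    if abi is not None:
        return f"Landlock available (ABI version {abi})"
    if err == errno.ENOSYS:
        return "Landlock not supported: kernel built without it, or too old"
    if err == errno.EOPNOTSUPP:
        return "Landlock compiled in but disabled at boot (check the lsm= parameter)"
    return f"Landlock check failed: {os.strerror(err)}"


if __name__ == "__main__":
    try:
        with open(LSM_LIST_PATH) as fh:
            print("listed in active LSMs:", lsm_list_has_landlock(fh.read()))
    except OSError as exc:
        print(f"could not read {LSM_LIST_PATH}: {exc}")
    print(explain(*landlock_abi_version()))
```
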

Installation depends on how you installed Poetry. With
[`pipx`](https://pipx.pypa.io/stable/docs/):

```sh
pipx inject poetry poetry-restrict-plugin
```

Alternatively, you can install it with `poetry self add`:

```sh
poetry self add poetry-restrict-plugin
```

See `poetry self add --help` for more options for installation, including
installing development versions.

For other installation methods, see the [Poetry plugin
documentation](https://python-poetry.org/docs/plugins/#using-plugins).


## Usage

The plugin will automatically run whenever you invoke Poetry. If you run into an
error with it and need an escape hatch, you can re-run your command with the
environment variable `POETRY_NO_RESTRICT=1` set.


## Disclaimer

`poetry-restrict-plugin` is not a perfect sandbox, and probably never will be.
If you're looking for something like that,
[nsjail](https://github.com/google/nsjail) might be interesting for you.


## License

poetry-restrict-plugin is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as published by the
Free Software Foundation, either version 3 of the License, or (at your option)
any later version.

poetry-restrict-plugin is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for
more details.

You should have received a copy of the GNU Lesser General Public License along
with poetry-restrict-plugin; if not, write to the Free Software Foundation,
Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.


<!-- vim: set textwidth=80 sw=2= ts=2: -->