# poetry-restrict-plugin
This Poetry plugin aims to restrict Poetry's access to what it needs to fulfill
its function. The goal is to apply the [principle of least
privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) to our
development tooling.
## Motivation
What's the worst thing that could happen if you install a malicious Python
dependency on your computer? Which information could it gather from your files,
and how could it make itself a permanent home on your computer?
With `poetry-restrict-plugin`, that looks as follows:
```sh
$ poetry run cat ~/.ssh/config
poetry-restrict-plugin: Landlock engaged.
cat: /home/jc/.ssh/config: Permission denied
$ poetry run ls ~/.ssh
poetry-restrict-plugin: Landlock engaged.
ls: cannot open directory '/home/jc/.ssh': Permission denied
```
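How a Landlock restriction produces the `Permission denied` shown above, as an added example (not the plugin's own code; this page does not show which paths the plugin allows). It calls the Landlock syscalls through `ctypes`, confines a forked child to read-only access beneath one directory, and checks that a file outside it is refused; the temporary files in `demo()` are constructed stand-ins for a project file and `~/.ssh/config`.

```python
import ctypes, os, struct, tempfile

CREATE_RULESET, ADD_RULE, RESTRICT_SELF = 444, 445, 446  # same on every Linux architecture
ACCESS_FS_V1 = (1 << 13) - 1       # all filesystem rights defined by Landlock ABI v1
ACCESS_READ = (1 << 2) | (1 << 3)  # READ_FILE | READ_DIR
libc = ctypes.CDLL(None, use_errno=True)

def _sys(nr, *args):
    """Raw syscall; integers are passed word-sized, failure raises OSError."""
    ret = libc.syscall(*(ctypes.c_long(a) if isinstance(a, int) else a for a in (nr, *args)))
    if ret < 0:
        raise OSError(ctypes.get_errno(), "Landlock syscall failed")
    return ret

def restrict_to_reading(directory):
    """Irreversibly deny this process all v1 filesystem rights except reads beneath directory."""
    ruleset = _sys(CREATE_RULESET, struct.pack("=Q", ACCESS_FS_V1), 8, 0)  # landlock_ruleset_attr
    rule = struct.pack("=Qi", ACCESS_READ, os.open(directory, os.O_PATH))  # landlock_path_beneath_attr
    _sys(ADD_RULE, ruleset, 1, rule, 0)  # 1 = LANDLOCK_RULE_PATH_BENEATH
    libc.prctl(38, 1, 0, 0, 0)           # PR_SET_NO_NEW_PRIVS, required before restricting
    _sys(RESTRICT_SELF, ruleset, 0)

def _readable(path):
    try:
        return os.close(os.open(path, os.O_RDONLY)) is None
    except PermissionError:
        return False

def probe(allowed_file, outside_file):
    """Sandbox a forked child; return (allowed_readable, outside_denied), None if setup failed."""
    pid = os.fork()
    if pid == 0:
        code = 4  # stays 4 if Landlock is unavailable or any setup step raises
        try:
            restrict_to_reading(os.path.dirname(allowed_file))
            code = int(_readable(allowed_file)) | int(not _readable(outside_file)) << 1
        finally:
            os._exit(code)  # the child never returns into the caller's code
    code = os.waitstatus_to_exitcode(os.waitpid(pid, 0)[1])
    return None if code == 4 else (bool(code & 1), bool(code & 2))

def demo():
    """Constructed sample: a project file and a stand-in for ~/.ssh/config."""
    with tempfile.TemporaryDirectory() as project, tempfile.TemporaryDirectory() as home:
        paths = [os.path.join(project, "pyproject.toml"), os.path.join(home, "config")]
        for path in paths:
            open(path, "w").close()
        return probe(*paths)
```

`demo()` returns `(True, True)` on a kernel with Landlock enabled and `None` where Landlock is unavailable.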
## Installation
`poetry-restrict-plugin` is currently only supported on Linux with [the Landlock
LSM](https://docs.kernel.org/userspace-api/landlock.html) enabled.
Installation depends on how you installed Poetry. With
[`pipx`](https://pipx.pypa.io/stable/docs/):
```sh
pipx inject poetry poetry-restrict-plugin
```
Alternatively, you can install it with `poetry self add`:
```sh
poetry self add poetry-restrict-plugin
```
See `poetry self add --help` for more options for installation, including
installing development versions.
For other installation methods, see the [Poetry plugin
documentation](https://python-poetry.org/docs/plugins/#using-plugins).
## Usage
The plugin will automatically run whenever you invoke Poetry. If you run into an
error with it and need an escape hatch, you can re-run your command with the
environment variable `POETRY_NO_RESTRICT=1` set.
## Disclaimer
`poetry-restrict-plugin` is not a perfect sandbox, and probably never will be.
If you're looking for something like that,
[nsjail](https://github.com/google/nsjail) might be interesting for you.
## License
poetry-restrict-plugin is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as published by the
Free Software Foundation, either version 3 of the License, or (at your option)
any later version.
poetry-restrict-plugin is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for
more details.
You should have received a copy of the GNU Lesser General Public License along
with poetry-restrict-plugin; if not, write to the Free Software Foundation,
Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Raw data
{
"_id": null,
"home_page": "https://git.jchri.st/jc/poetry-restrict-plugin",
"name": "poetry-restrict-plugin",
"maintainer": "Johannes Christ",
"docs_url": null,
"requires_python": "<4.0,>=3.11",
"maintainer_email": "jc@jchri.st",
"keywords": "poetry, security, landlock",
"author": "Johannes Christ",
"author_email": "jc@jchri.st",
"download_url": "https://files.pythonhosted.org/packages/d3/40/08b9823fd0c63d498d6ef6e81dd83dedaaaabf27cc4d3e50afcb7ee79784/poetry_restrict_plugin-0.1.0a7.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "LGPL-3.0-or-later",
"summary": "Restrict Poetry to a smaller privilege",
"version": "0.1.0a7",
"project_urls": {
"Homepage": "https://git.jchri.st/jc/poetry-restrict-plugin",
"Repository": "https://git.jchri.st/jc/poetry-restrict-plugin"
},
"split_keywords": [
"poetry",
" security",
" landlock"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "a460e20a713d3ca773314e9181ac1e4e95eac175866876768af27d68bd66acb5",
"md5": "114c680925c75b62edcf68512af59b61",
"sha256": "614b1648bb7e23df55e1842bae46c3ba6e82d960b680655777d00e663eb6f731"
},
"downloads": -1,
"filename": "poetry_restrict_plugin-0.1.0a7-py3-none-any.whl",
"has_sig": false,
"md5_digest": "114c680925c75b62edcf68512af59b61",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "<4.0,>=3.11",
"size": 8320,
"upload_time": "2024-08-27T17:55:05",
"upload_time_iso_8601": "2024-08-27T17:55:05.787026Z",
"url": "https://files.pythonhosted.org/packages/a4/60/e20a713d3ca773314e9181ac1e4e95eac175866876768af27d68bd66acb5/poetry_restrict_plugin-0.1.0a7-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "d34008b9823fd0c63d498d6ef6e81dd83dedaaaabf27cc4d3e50afcb7ee79784",
"md5": "a4292502f50e7a2866e2c41d14bffa0c",
"sha256": "b568131b373abd6073de566b5eb5ac1a522369de694b02fc1b9d6acf5a0e196d"
},
"downloads": -1,
"filename": "poetry_restrict_plugin-0.1.0a7.tar.gz",
"has_sig": false,
"md5_digest": "a4292502f50e7a2866e2c41d14bffa0c",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "<4.0,>=3.11",
"size": 7162,
"upload_time": "2024-08-27T17:55:06",
"upload_time_iso_8601": "2024-08-27T17:55:06.941343Z",
"url": "https://files.pythonhosted.org/packages/d3/40/08b9823fd0c63d498d6ef6e81dd83dedaaaabf27cc4d3e50afcb7ee79784/poetry_restrict_plugin-0.1.0a7.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-08-27 17:55:06",
"github": false,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"lcname": "poetry-restrict-plugin"
}