Fix sandbox exceptions for local pip installs (#1351)

This fixes lockfile generation with pip when it is installed in `~/.local/lib/python*/site-packages/pip`. It also fixes an issue where `pyenv` installed through the package manager wouldn't allow for lockfile generation. Closes #1349.
phylum-dev · Feb 1, 2024 · d794a51 · d794a51
1 parent 67dbfd7
commit d794a51
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 
+### Fixed
+
+- Python lockfile generation with pip in ~/.local
+- Python lockfile generation with pyenv
+
 ## 6.1.0 - 2024-01-29
 
 ### Added

diff --git a/cli/src/commands/parse.rs b/cli/src/commands/parse.rs
@@ -437,6 +437,13 @@ fn depfile_parsing_sandbox(canonical_manifest_path: &Path) -> Result<Birdcage> {
     permissions::add_exception(&mut birdcage, Exception::Read("/tmp".into()))?;
     // Yarn.
     permissions::add_exception(&mut birdcage, Exception::Read(home.join("./yarn")))?;
+    // Python.
+    permissions::add_exception(
+        &mut birdcage,
+        Exception::ExecuteAndRead("/usr/share/pyenv".into()),
+    )?;
+    permissions::add_exception(&mut birdcage, Exception::ExecuteAndRead(home.join(".pyenv")))?;
+    permissions::add_exception(&mut birdcage, Exception::Read(home.join(".local/lib")))?;
 
     Ok(birdcage)
 }

diff --git a/extensions/pip/PhylumExt.toml b/extensions/pip/PhylumExt.toml
@@ -3,8 +3,8 @@ description = "pip package manager hooks"
 entry_point = "main.ts"
 
 [permissions]
-run = ["./", "/bin", "/usr/bin", "/usr/local/bin", "~/.pyenv"]
+run = ["./", "/bin", "/usr/bin", "/usr/local/bin", "~/.pyenv", "/usr/share/pyenv"]
 write = ["./", "~/Library/Caches", "~/Library/Python", "~/.cache", "~/.local", "~/.pyenv", "/tmp"]
-read = ["~/Library/Caches", "~/Library/Python", "~/.cache", "~/.local", "~/.pyenv", "/tmp", "/etc/passwd"]
+read = ["~/Library/Caches", "~/Library/Python", "~/.cache", "~/.local", "/tmp", "/etc/passwd"]
 net = true
 unsandboxed_run = ["pip3"]
diff --git a/extensions/pip/main.ts b/extensions/pip/main.ts
@@ -39,7 +39,14 @@ const installStatus = PhylumApi.runSandboxed({
   cmd: "pip3",
   args: Deno.args,
   exceptions: {
-    run: ["./", "/bin", "/usr/bin", "/usr/local/bin", "~/.pyenv"],
+    run: [
+      "./",
+      "/bin",
+      "/usr/bin",
+      "/usr/local/bin",
+      "/usr/share/pyenv",
+      "~/.pyenv",
+    ],
     write: [
       "./",
       "~/Library/Caches",
@@ -54,7 +61,6 @@ const installStatus = PhylumApi.runSandboxed({
       "~/Library/Python",
       "~/.cache",
       "~/.local",
-      "~/.pyenv",
       "/tmp",
       "/etc/passwd",
     ],
@@ -71,7 +77,14 @@ async function checkDryRun() {
     cmd: "pip3",
     args: [...Deno.args, "--quiet", "--report", "-", "--dry-run"],
     exceptions: {
-      run: ["./", "/bin", "/usr/bin", "/usr/local/bin", "~/.pyenv"],
+      run: [
+        "./",
+        "/bin",
+        "/usr/bin",
+        "/usr/local/bin",
+        "/usr/share/pyenv",
+        "~/.pyenv",
+      ],
       write: [
         "./",
         "~/Library/Caches",
@@ -183,7 +196,14 @@ function checkPipVersion() {
     cmd: "pip3",
     args: ["--version"],
     exceptions: {
-      run: ["./", "/bin", "/usr/bin", "/usr/local/bin", "~/.pyenv"],
+      run: [
+        "./",
+        "/bin",
+        "/usr/bin",
+        "/usr/local/bin",
+        "/usr/share/pyenv",
+        "~/.pyenv",
+      ],
     },
     stdout: "piped",
   });