
Add rule exceptions for python

mac-chaffee opened this pull request 2 years ago · 1 comment

Hello! I recently went down the same path as you did in your post and came across this repo. I think it's a good balance of usability and security, particularly for downloading dependencies.

I do Python development, and pip packages (like npm packages) can also execute arbitrary code at install time. This PR adds rules to allow you to pip install.

Rule explanations:

  • /.pyenv/shims
    • pyenv is similar to nvm by letting you have multiple python versions. When you pip install, you need write permissions to the "shims" or else you get pyenv: cannot rehash: /Users/machaffe/.pyenv/shims isn't writable. Some pip packages also come with executables that land in that directory as well.
  • /Library/Caches/pip
    • cache dir for pip packages. Otherwise you get WARNING: The directory '/Users/machaffe/Library/Caches/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled.
  • /Users/[a-zA-Z]+/Library/Python/[0-9,\.]+/lib/python[0-9,\.]*/site-packages
    • The site-packages dir in ~/Library is where packages are unpacked when not using pyenv.
  • /Users/[a-zA-Z]+/Library/Python/[0-9,\.]+/bin
    • When not using pyenv, this is where package executables go, like ansible
  • /Users/[a-zA-Z]+/.pyenv/versions/[0-9,\.]+/lib/python[0-9,\.]*/site-packages
    • Where packages go when using pyenv
  • /Users/[a-zA-Z]+/.pyenv/versions/[0-9,\.]+/bin
    • Where executables go when using pyenv

Read-only access:

  • /.pyenv
    • Needed to execute the pyenv wrapper scripts that determine which python install to use for a given python-related command

Tested by installing/uninstalling requests, pip, ansible, and Django. More complex packages like pytorch will require extra custom rules, but I think this is enough for most use cases.

mac-chaffee avatar Jan 21 '23 19:01 mac-chaffee
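The rules listed above are path regular expressions; before merging an allow-list like this it is worth checking what each pattern actually matches. The following is an added example, not sandboxtron's or the PR author's code. It copies the six write rules and the one read-only rule verbatim from the comment, assumes (as an assumption, not something stated on the page) that each rule is applied as an unanchored regular expression against the absolute path being accessed and that write access implies read access, and runs them over constructed sample paths: the files a `pip install` touches, a username the `[a-zA-Z]+` class does not cover, a path outside the allow-list, and a path the unanchored `/.pyenv/shims` rule matches even though it is not under the real pyenv directory.

```python
import re
from typing import Dict, List, Optional

# Write-access rules, copied verbatim from the PR description above.
WRITE_RULES: List[str] = [
    r"/.pyenv/shims",
    r"/Library/Caches/pip",
    r"/Users/[a-zA-Z]+/Library/Python/[0-9,\.]+/lib/python[0-9,\.]*/site-packages",
    r"/Users/[a-zA-Z]+/Library/Python/[0-9,\.]+/bin",
    r"/Users/[a-zA-Z]+/.pyenv/versions/[0-9,\.]+/lib/python[0-9,\.]*/site-packages",
    r"/Users/[a-zA-Z]+/.pyenv/versions/[0-9,\.]+/bin",
]

# Read-only rule, copied verbatim from the PR description above.
READ_RULES: List[str] = [r"/.pyenv"]


def matching_rule(path: str, rules: List[str]) -> Optional[str]:
    """Return the first rule whose regex matches `path`, or None.

    Assumption (not stated on the page): rules are unanchored, so re.search
    is used rather than re.fullmatch.
    """
    for pattern in rules:
        if re.search(pattern, path):
            return pattern
    return None


def allows_write(path: str) -> bool:
    return matching_rule(path, WRITE_RULES) is not None


def allows_read(path: str) -> bool:
    # Assumption: anything writable is also readable.
    return matching_rule(path, READ_RULES + WRITE_RULES) is not None


def audit(paths: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each labelled sample path to the write rule that admits it (or None)."""
    return {label: matching_rule(p, WRITE_RULES) for label, p in paths.items()}


# Constructed sample paths (illustrative, not taken from the PR).
PIP_INSTALL_WRITES: Dict[str, str] = {
    "site-packages (no pyenv)":
        "/Users/machaffe/Library/Python/3.11/lib/python3.11/site-packages/requests/__init__.py",
    "bin (no pyenv)":
        "/Users/machaffe/Library/Python/3.11/bin/ansible",
    "site-packages (pyenv)":
        "/Users/machaffe/.pyenv/versions/3.11.4/lib/python3.11/site-packages/django/__init__.py",
    "bin (pyenv)":
        "/Users/machaffe/.pyenv/versions/3.11.4/bin/django-admin",
    "pyenv rehash":
        "/Users/machaffe/.pyenv/shims/django-admin",
    "pip http cache":
        "/Users/machaffe/Library/Caches/pip/http/0/1/2/3/0123abcd",
}

# Paths that show the limits of the patterns (also constructed).
USERNAME_WITH_HYPHEN = "/Users/mac-chaffee/Library/Python/3.11/bin/ansible"   # [a-zA-Z]+ excludes '-'
OUT_OF_SCOPE = "/Users/machaffe/.ssh/authorized_keys"                        # no rule should match
PYENV_WRAPPER = "/Users/machaffe/.pyenv/bin/pyenv"                           # read-only rule only
STRAY_SHIMS = "/Users/machaffe/Downloads/untrusted/.pyenv/shims/evil"        # unanchored rule matches


if __name__ == "__main__":
    for label, rule in audit(PIP_INSTALL_WRITES).items():
        print(f"{label:28} -> {rule}")
    print("hyphenated user writable?", allows_write(USERNAME_WITH_HYPHEN))
    print("authorized_keys writable? ", allows_write(OUT_OF_SCOPE))
    print("pyenv wrapper read/write: ", allows_read(PYENV_WRAPPER), allows_write(PYENV_WRAPPER))
    print("stray .pyenv/shims writable?", allows_write(STRAY_SHIMS))
```

Running it shows every pip-install path landing on one of the six write rules, the hyphenated username falling outside every rule (pip would fail for that account under a deny-by-default sandbox), `~/.ssh` staying closed, the pyenv wrapper being readable but not writable, and the unanchored `/.pyenv/shims` rule accepting a `.pyenv/shims` directory anywhere on disk, which is the kind of over-match a reviewer would decide whether to anchor to the home directory.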

Hi Mac, this looks spectacular! Your explanations in particular are really great --- can you amend your commit so that the message contains the points you wrote up above? That way they will be available directly in the repo offline (accessible locally via, e.g., git blame, rather than only visible on github.com).

lynaghk avatar Jan 24 '23 14:01 lynaghk

Hello, sorry to bump an old thread, but I was cleaning out my old repos and found this PR. Seems ready to merge now! :)

mac-chaffee avatar Sep 13 '24 01:09 mac-chaffee

Haha, yes! Sorry for the delay here =D

lynaghk avatar Sep 13 '24 06:09 lynaghk