Description
When /usr/bin/python3 is added to a network policy's binaries list, Python HTTP requests are still blocked with 403 Forbidden. The proxy resolves symlinks before checking the allowlist, and /usr/bin/python3 is a symlink to /usr/bin/python3.11.
Steps to Reproduce
- Add to sandbox policy:
    binaries:
      - { path: /usr/bin/python3 }
- Inside sandbox:
    python3 -c "import urllib.request; urllib.request.urlopen('https://api.github.com')" → 403 Forbidden
- Add the resolved path:
    binaries:
      - { path: /usr/bin/python3 }
      - { path: /usr/bin/python3.11 }
- Same request → 200 OK
Expected Behavior
Either:
- The proxy should resolve symlinks when checking the policy (so /usr/bin/python3 works)
- Or the documentation should clearly state that resolved binary paths must be used
Workaround
Add both the symlink AND the resolved binary path to every policy that needs Python access.
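
A pre-deployment check for the workaround above, as an added example that is not part of the original report or the project's own code: it flags `binaries` entries that are symlinks whose resolved target is not also listed, and produces the expanded list. It assumes the policy's paths are already loaded into a Python list and that the proxy matches on the fully resolved path, as the report describes; the function names are hypothetical.

```python
import os
import tempfile


def unresolved_entries(paths):
    """Return (entry, resolved) pairs for symlinked entries whose
    resolved target is missing from the policy list."""
    listed = set(paths)
    missing = []
    for p in paths:
        real = os.path.realpath(p)
        if real != p and real not in listed:
            missing.append((p, real))
    return missing


def expand_binaries(paths):
    """Return the policy list with each entry's resolved target added
    right after it, preserving order and skipping duplicates."""
    expanded = []
    for p in paths:
        for candidate in (p, os.path.realpath(p)):
            if candidate not in expanded:
                expanded.append(candidate)
    return expanded


def make_sample_layout():
    """Constructed stand-in for /usr/bin/python3 -> python3.11."""
    root = os.path.realpath(tempfile.mkdtemp())
    target = os.path.join(root, "python3.11")
    link = os.path.join(root, "python3")
    open(target, "w").close()
    os.symlink("python3.11", link)  # relative link, like most distro packaging
    return link, target


if __name__ == "__main__":
    link, target = make_sample_layout()
    for entry, real in unresolved_entries([link]):
        print(f"policy lists {entry} but not its target {real}")
    print("expanded binaries:", expand_binaries([link]))
```

Run the check inside the sandbox image itself, since symlink targets can differ between the host and the image.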