From 813176b588429a3f56008f82a1c0e8aa9c2b2449 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mois=C3=A9s=20Gonz=C3=A1lez?=
Date: Wed, 23 Oct 2024 17:43:01 -0400
Subject: [PATCH] test: load aa-profiles with compatible ABIs for the host

When not specified AppArmor fallbacks to a default policy specified in the `/etc/apparmor/parser.conf` file. Ubuntu 24.04 does not pin an ABI with network features and such rules are not enforced. From Ubuntu 22.04 onwards, the ABI 3.0 is available so we use that one. For Ubuntu 20.04 we rely on the fallback ABI (2.13).
---
 .github/workflows/ci.yml | 15 +++--
 ...x.codejail_sandbox-python3.bin.python-abi3 | 64 +++++++++++++++++++
 ...il_sandbox-python3.bin.python-default-abi} | 1 -
 3 files changed, 74 insertions(+), 6 deletions(-)
 create mode 100644 apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3
 rename apparmor-profiles/{home.sandbox.codejail_sandbox-python3.bin.python => home.sandbox.codejail_sandbox-python3.bin.python-default-abi} (99%)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ed7fcef5..e504d43a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,14 +21,19 @@ jobs: os: "ubuntu-22.04" # Disabling this for now because it's failing and we need to figure out # next steps to fix this. - # - python_version: '3.11' - # ubuntu_version: '24.04' - # os: "ubuntu-24.04" + - python_version: '3.11' + ubuntu_version: '24.04' + os: "ubuntu-24.04" steps: - uses: actions/checkout@v4 - - name: Parse custom apparmor profile - run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python + - name: Parse custom apparmor profile with default feature ABI + if: ${{ matrix.ubuntu_version == '20.04' }} + run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi + + - name: Parse custom apparmor profile with ABI 3.0 + if: ${{ matrix.ubuntu_version != '20.04' }} + run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3 - name: Build latest code changes into CI image run: |
diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3 b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3
new file mode 100644
index 00000000..3183954a
--- /dev/null
+++ b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3
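Review bot: The context lines `# Disabling this for now because it's failing and we need to figure out` / `# next steps to fix this.` are left directly above the 24.04 matrix entry that this hunk un-comments, so the comment now says the opposite of what the matrix does; replace both with the actual reason the entry is back, e.g. `# 24.04 needs the ABI-3.0 profile; with the default ABI its network rules are not enforced (see the Parse steps below).` The two `Parse custom apparmor profile` steps branch on `matrix.ubuntu_version == '20.04'`, so any later matrix entry that omits that key silently takes the ABI 3.0 step; a short comment on the first `if:` stating why 20.04 alone needs the default-ABI file (presumably its older parser does not accept an `abi` rule — confirm) would keep the split understandable. The matrix block this entry belongs to begins before the hunk.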
@@ -0,0 +1,64 @@
+abi ,
+#include
+profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
+ #include
+ #include
+
+ # Deny network access and socket operations
+ # Note: If this profile is being run on a docker container
+ # then this directive might not be sufficient. Docker network
+ # interfaces are created in a different namespace from the one that
+ # apparmor can monitor and manage and so apparmor can't always deny
+ # network access to the container. Please be sure to test
+ # network access from within your container for the jailed process
+ # to be sure that everything is secure.
+ deny network,
+
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so,so.*[0-9]} mr,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth} r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/ r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/**/ r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.VERSION r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
+ /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
+
+ # Site-wide configuration
+ /etc/python{2.[4-7],3.[0-9],3.[1-9][0-9]}/** r,
+
+ # shared python paths
+ /usr/share/{pyshared,pycentral,python-support}/** r,
+ /{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
+ /usr/lib/{pyshared,pycentral,python-support}/**.so mr,
+ /var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
+ /usr/lib/python3/dist-packages/**.so mr,
+
+ # wx paths
+ /usr/lib/wx/python/*.pth r,
+
+ # python build configuration and headers
+ /usr/include/python{2.[4-7],3.[0-9],3.[1-9][0-9]}*/pyconfig.h r,
+
+ # Include additions
to the abstraction
+ include if exists
+
+ /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/** mr,
+ /tmp/codejail-*/ rix,
+ /tmp/codejail-*/** wrix,
+
+ # Whitelist particiclar shared objects from the system
+ # python installation
+ #
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_json.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_ctypes.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_heapq.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_io.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_csv.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/datetime.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_elementtree.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/pyexpat.so mr,
+ #
+ # Allow access to selections from /proc
+ #
+ /proc/*/mounts r,
+}
diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
similarity index 99%
rename from apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
rename to apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
index ec95f8b4..5ac108b1 100644
--- a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
+++ b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
@@ -1,5 +1,4 @@
 #include
-
 profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
 #include
 #include
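Review bot: The new profile is a copy of the renamed `-default-abi` file apart from the leading `abi` rule (the diffstat reports 99% similarity), so every future rule change has to be made twice and the two files will drift silently; a header comment in each, such as `# Keep in sync with home.sandbox.codejail_sandbox-python3.bin.python-default-abi; only the abi line differs.`, would at least make the coupling visible to the next editor. In this rendering the `abi ,` line, the `#include` lines and `include if exists` carry no bracketed target — presumably `<abi/3.0>` for the first, per the commit message — so confirm the committed file has them, since the commit message states that without a pinned ABI the `deny network,` rule is not enforced on 24.04, which is the very gap this change closes. The comment `# Whitelist particiclar shared objects from the system` has a typo (`particular`).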