test: load a profile using abi4 when running on noble

openedx · Oct 23, 2024 · 9fcb563 · 9fcb563
1 parent 66bf5d2
commit 9fcb563
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 3 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,15 +21,20 @@ jobs:
             os: "ubuntu-22.04"
           # Disabling this for now because it's failing and we need to figure out
           # next steps to fix this.
-          # - python_version: '3.11'
-          #   ubuntu_version: '24.04'
-          #   os: "ubuntu-24.04"
+          - python_version: '3.11'
+            ubuntu_version: '24.04'
+            os: "ubuntu-24.04"
 
     steps:
       - uses: actions/checkout@v4
       - name: Parse custom apparmor profile
+        if: ${{ matrix.ubuntu_version != '24.04' }}
         run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
 
+      - name: Parse custom apparmor profile for ubuntu 24
+        if: ${{ matrix.ubuntu_version == '24.04' }}
+        run: sudo apparmor_parser -r -W apparmor-profiles/ubuntu24
+
       - name: Build latest code changes into CI image
         run: |
           docker build -t openedx-codejail \

diff --git a/apparmor-profiles/ubuntu24 b/apparmor-profiles/ubuntu24
@@ -0,0 +1,65 @@
+#include <tunables/global>
+
+abi <abi/4.0>,
+profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
+    #include <abstractions/base>
+    #include <abstractions/python>
+
+    # Deny network access and socket operations
+    # Note: If this profile is being run on a docker container
+    # then this directive might not be sufficient.  Docker network
+    # interfaces are created in a different namespace from the one that
+    # apparmor can monitor and manage and so apparmor can't always deny
+    # network access to the container.  Please be sure to test
+    # network access from within your container for the jailed process
+    # to be sure that everything is secure.
+    deny network,
+
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so,so.*[0-9]} mr,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth}       r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/ r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/**/ r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.VERSION r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
+    /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so            mr,
+
+    # Site-wide configuration
+    /etc/python{2.[4-7],3.[0-9],3.[1-9][0-9]}/** r,
+
+    # shared python paths
+    /usr/share/{pyshared,pycentral,python-support}/**      r,
+    /{var,usr}/lib/{pyshared,pycentral,python-support}/**  r,
+    /usr/lib/{pyshared,pycentral,python-support}/**.so     mr,
+    /var/lib/{pyshared,pycentral,python-support}/**.pyc    mr,
+    /usr/lib/python3/dist-packages/**.so          mr,
+
+    # wx paths
+    /usr/lib/wx/python/*.pth r,
+
+    # python build configuration and headers
+    /usr/include/python{2.[4-7],3.[0-9],3.[1-9][0-9]}*/pyconfig.h r,
+
+    # Include additions to the abstraction
+    include if exists <abstractions/python.d>
+
+    /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/** mr,
+    /tmp/codejail-*/ rix,
+    /tmp/codejail-*/** wrix,
+
+    # Whitelist particiclar shared objects from the system
+    # python installation
+    #
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_json.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_ctypes.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_heapq.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_io.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_csv.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/datetime.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_elementtree.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/pyexpat.so mr,
+    #
+    # Allow access to selections from /proc
+    #
+    /proc/*/mounts r,
+}