diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ed7fcef5..103a2560 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,15 +21,20 @@ jobs: os: "ubuntu-22.04" # Disabling this for now because it's failing and we need to figure out # next steps to fix this. - # - python_version: '3.11' - # ubuntu_version: '24.04' - # os: "ubuntu-24.04" + - python_version: '3.11' + ubuntu_version: '24.04' + os: "ubuntu-24.04" steps: - uses: actions/checkout@v4 - name: Parse custom apparmor profile + if: ${{ matrix.ubuntu_version != '24.04' }} run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python + - name: Parse custom apparmor profile for ubuntu 24 + if: ${{ matrix.ubuntu_version == '24.04' }} + run: sudo apparmor_parser -r -W apparmor-profiles/ubuntu24 + - name: Build latest code changes into CI image run: | docker build -t openedx-codejail \ diff --git a/apparmor-profiles/ubuntu24 b/apparmor-profiles/ubuntu24 new file mode 100644 index 00000000..5e6bddb9 --- /dev/null +++ b/apparmor-profiles/ubuntu24 @@ -0,0 +1,65 @@ +#include + +abi , +profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python { + #include + #include + + # Deny network access and socket operations + # Note: If this profile is being run on a docker container + # then this directive might not be sufficient. Docker network + # interfaces are created in a different namespace from the one that + # apparmor can monitor and manage and so apparmor can't always deny + # network access to the container. Please be sure to test + # network access from within your container for the jailed process + # to be sure that everything is secure. + deny network, + + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so,so.*[0-9]} mr, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth} r, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/ r, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/**/ r, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.VERSION r, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r, + /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr, + + # Site-wide configuration + /etc/python{2.[4-7],3.[0-9],3.[1-9][0-9]}/** r, + + # shared python paths + /usr/share/{pyshared,pycentral,python-support}/** r, + /{var,usr}/lib/{pyshared,pycentral,python-support}/** r, + /usr/lib/{pyshared,pycentral,python-support}/**.so mr, + /var/lib/{pyshared,pycentral,python-support}/**.pyc mr, + /usr/lib/python3/dist-packages/**.so mr, + + # wx paths + /usr/lib/wx/python/*.pth r, + + # python build configuration and headers + /usr/include/python{2.[4-7],3.[0-9],3.[1-9][0-9]}*/pyconfig.h r, + + # Include additions to the abstraction + include if exists + + /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/** mr, + /tmp/codejail-*/ rix, + /tmp/codejail-*/** wrix, + + # Whitelist particiclar shared objects from the system + # python installation + # + /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_json.so mr, + /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_ctypes.so mr, + /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_heapq.so mr, + /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_io.so mr, + /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_csv.so mr, + /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/datetime.so mr, + /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_elementtree.so mr, + /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/pyexpat.so mr, + # + # Allow access to selections from /proc + # + /proc/*/mounts r, +}