docs: Pare down and document AppArmor file; simplify some CI elements

- Remove all unnecessary AppArmor rules, document all directives.
- In testing, use a sandbox dir name that doesn't depend on the Python
  version. There's only ever one at a time in the container. This also
  simplifies the AppArmor profile and allows us to just have one sudoers
  file.
- Remove example AppArmor profile from README; just point to the one in
  the apparmor-profiles dir so that we can have a single copy that is
  maintained with best practices.
- Document a more general apparmor_parser directive (`--replace` is usable
  on both the first and subsequent runs) that surfaces and enforces
  warnings. This would e.g. fail the load if the ABI mismatches.
- Add some breadcrumbs on what the testing files are used for.

Author: timmc-edx

.github/workflows/ci.yml

@@ -23,7 +23,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Parse custom apparmor profile with ABI 3.0
-        run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3
+        run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox.bin.python-abi3
 
       - name: Build latest code changes into CI image
         run: |

Dockerfile

@@ -1,3 +1,7 @@
+# Used for running codejail unit tests.
+#
+# Sandbox path and ABI version must be kept in sync with AppArmor profile.
+
 ARG ubuntu_version="24.04"
 
 FROM ubuntu:${ubuntu_version}
@@ -19,7 +23,7 @@ RUN pip install virtualenv
 ENV CODEJAIL_GROUP=sandbox
 ENV CODEJAIL_SANDBOX_CALLER=ubuntu
 ENV CODEJAIL_TEST_USER=sandbox
-ENV CODEJAIL_TEST_VENV=/home/sandbox/codejail_sandbox-python${python_version}
+ENV CODEJAIL_TEST_VENV=/home/sandbox/codejail_sandbox
 
 # Create Virtualenv for sandbox user
 RUN virtualenv -p python${python_version} --always-copy $CODEJAIL_TEST_VENV
@@ -65,7 +69,7 @@ RUN pip install -r /codejail/requirements/sandbox.txt -r /codejail/requirements/
 COPY . /codejail
 
 # Setup sudoers file
-COPY sudoers-file/01-sandbox-python-${python_version} /etc/sudoers.d/01-sandbox
+COPY sudoers-file/01-sandbox-python /etc/sudoers.d/01-sandbox
 
 # Change Sudoers file permissions
 RUN chmod 0440 /etc/sudoers.d/01-sandbox

README.rst

@@ -114,61 +114,17 @@ Other details here that depend on your configuration:
    (Note that the ``find`` binary can run arbitrary code, so this is not a safe sudoers file for non-codejail purposes.)
 
 5. Edit an AppArmor profile.  This is a text file specifying the limits on the
-   sandboxed Python executable.  The file must be in ``/etc/apparmor.d`` and must
+   sandboxed Python executable.  The file must be in ``/etc/apparmor.d`` and should
    be named based on the executable, with slashes replaced by dots.  For
    example, if your sandboxed Python is at ``/home/chris/ve/myproj-sandbox/bin/python``,
-   then your AppArmor profile must be ``/etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python``::
+   then your AppArmor profile must be ``/etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python``.
 
-    $ sudo vim /etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python
-
-    #include <tunables/global>
-
-    <SANDENV>/bin/python {
-        #include <abstractions/base>
-        #include <abstractions/python>
-
-        <CODEJAIL_CHECKOUT>/** mr,
-        <SANDENV>/** mr,
-        # If you have code that the sandbox must be able to access, add lines
-        # pointing to those directories:
-        /the/path/to/your/sandbox-packages/** r,
-
-        /tmp/codejail-*/ rix,
-        /tmp/codejail-*/** wrix,
-    }
-
-   Depending on your OS and AppArmor version you may need to specify a policy
-   ABI to ensure the restrictions are being correctly applied. Modern ubuntu
-   versions using AppArmor V3 should use the 3.0 ABI in order to enable
-   network confinment rules. A profile using the ABI 3.0 would look as
-   follows::
-
-     $ sudo vim /etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python
-
-     abi <abi/3.0>,
-     #include <tunables/global>
-
-     <SANDENV>/bin/python {
-         #include <abstractions/base>
-         #include <abstractions/python>
-
-         <CODEJAIL_CHECKOUT>/** mr,
-         <SANDENV>/** mr,
-         # If you have code that the sandbox must be able to access, add lines
-         # pointing to those directories:
-         /the/path/to/your/sandbox-packages/** r,
-
-         /tmp/codejail-*/ rix,
-         /tmp/codejail-*/** wrix,
-     }
-
-   You can also look at the
-   ``apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3``
-   file which is used for testing for a full profile example.
+   See sample profile in ``apparmor-profiles/``. The profile **must be
+   customized** to match your sandbox location.
 
 6. Parse the profiles::
 
-    $ sudo apparmor_parser <APPARMOR_FILE>
+    $ sudo apparmor_parser --replace --warn=all --warn=no-debug-cache --Werror <APPARMOR_FILE>
 
 7. Reactivate your project's main virtualenv again.
 

apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3

@@ -0,0 +1,77 @@
+# Used for running codejail unit tests, but should also be maintained as a
+# general example.
+#
+# Sandbox path must be kept in sync with Dockerfile.
+
+
+# AppArmor profile for running codejail.
+#
+# Changes to this profile must be coordinated carefully with changes to the
+# filesystem layout -- in particular, the sandbox path must match, otherwise
+# the profile will provide no security at all.
+#
+#                         #=========#
+#                         # WARNING #
+#                         #=========#
+#
+# Failure to apply a secure apparmor profile *will* likely result in a
+# full compromise of the host by an attacker. AppArmor is *mandatory*
+# for using codejail -- this is not just for hardening.
+#
+# This profile is written for AppArmor 3 or higher (Ubuntu 22.04 or higher).
+
+
+
+# Require that the system understands the feature set that this policy was written
+# for. If we didn't include this, then on Ubuntu >= 22.04, AppArmor might assume
+# the wrong feature set was requested, and some rules might become too permissive.
+# See https://github.com/netblue30/firejail/issues/3659#issuecomment-711074899
+#
+# This should also be set to match the installed AppArmor version.
+abi <abi/3.0>,
+
+# Sets standard variables used by abstractions/base, later. Controlled
+# by OS, see /etc/apparmor.d/tunables/global for contents.
+include <tunables/global>
+
+# `mediate_deleted` instructs apparmor to continue to make policy decisions
+# in cases where a confined executable has a file descriptor even after the
+# file is removed from the filesystem. It's unclear if this is important for
+# sandboxing, but it doesn't seem like it would loosen security or interfere
+# with functionality to include it.
+#
+# `no_attach_disconnected` is default, but is explicitly indicated
+# here because `attach_disconnected` is very commonly used in
+# example profiles despite being a security risk (due to allowing
+# disconnected objects to masquerade as other, trusted paths in the
+# filesystem).
+profile openedx_codejail_sandbox /home/sandbox/codejail_sandbox/bin/python flags=(mediate_deleted, no_attach_disconnected) {
+
+    # Allow access to a variety of commonly needed, generally safe things
+    # (such as reading /usr/lib, /dev/random, free memory levels, etc.)
+    #
+    # Manpage: "Includes files that should be readable and writable in all profiles."
+    #
+    # We could instead list these directives explicitly out of caution but
+    # it would get pretty verbose.
+    include <abstractions/base>
+
+    # Read and run binaries and libraries in the virtualenv. This
+    # includes the sandbox's copy of Python as well as any
+    # dependencies that have been installed for inclusion in
+    # sandboxes.
+    #
+    # m: executable mapping, required for shared libraries used by some
+    #    Python dependencies with C compontents, eg `nltk`.
+    /home/sandbox/codejail_sandbox/** mr,
+
+    # Allow access to the temporary directories that are set up by
+    # codejail, one for each code-exec call. Each /tmp/code-XXXXX
+    # contains one execution.
+    /tmp/codejail-*/ rix,
+    /tmp/codejail-*/** wrix,
+
+    # Allow receiving a kill signal from the webapp when the execution
+    # runs beyond time limits.
+    signal (receive) set=(kill),
+}

apparmor-profiles/home.sandbox.codejail_sandbox.bin.python-abi3

@@ -1,7 +1,9 @@
-ubuntu ALL=(sandbox) SETENV:NOPASSWD:/home/sandbox/codejail_sandbox-python3.11/bin/python
+# Used for running codejail unit tests.
+
+ubuntu ALL=(sandbox) SETENV:NOPASSWD:/home/sandbox/codejail_sandbox/bin/python
 ubuntu ALL=(sandbox) SETENV:NOPASSWD:/usr/bin/find
 ubuntu ALL=(ALL) NOPASSWD:/usr/bin/pkill
 
-Defaults!/home/sandbox/codejail_sandbox-python3.11/bin/python !requiretty
+Defaults!/home/sandbox/codejail_sandbox/bin/python !requiretty
 Defaults!/usr/bin/find !requiretty
 Defaults!/usr/bin/pkill !requiretty