docs: Pare down and document AppArmor file; simplify some CI elements #248
4 changes: 2 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -23,7 +23,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Parse custom apparmor profile with ABI 3.0
run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3
run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox.bin.python-abi3

- name: Build latest code changes into CI image
run: |
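Review bot: the parser invocation on the `run:` line still uses `-r -W`, while the README change in this same PR now recommends `--replace --warn=all --warn=no-debug-cache --Werror`. CI is the one place the example profile is guaranteed to be parsed on every change, so use the stricter flags here as well; otherwise a profile that emits warnings passes CI while the README tells operators it should be rejected.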
Expand All @@ -35,7 +35,7 @@ jobs:

- name: Run container with custom apparmor profile and codejail CI image
run: |
docker run --name=codejail --privileged -d --security-opt apparmor=apparmor_profile \
docker run --name=codejail --privileged -d --security-opt apparmor=openedx_codejail_sandbox \
openedx-codejail tail -f /dev/null

- name: Run Tests
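Review bot: the `--security-opt apparmor=openedx_codejail_sandbox` value has to match the `profile openedx_codejail_sandbox` name declared in the new profile file exactly, and that profile must already be loaded by the earlier `apparmor_parser` step; a one-line comment above the `docker run` naming the profile file would make that dependency visible. The step also combines `--privileged` with the custom profile, which is unusual enough that the comment should say why CI needs it, since a privileged container removes most of the other isolation the sandbox would normally run under.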
8 changes: 6 additions & 2 deletions Dockerfile
@@ -1,3 +1,7 @@
# Used for running codejail unit tests.
#
# Sandbox path and ABI version must be kept in sync with AppArmor profile.

ARG ubuntu_version="24.04"

FROM ubuntu:${ubuntu_version}
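Review bot: the new header comment says the ABI version must be kept in sync with the AppArmor profile, but nothing in this file states an ABI; the only knob here is `ubuntu_version="24.04"`, which determines the AppArmor release available in the image. Say that explicitly, for example `# ubuntu_version determines the AppArmor version; the profile declares abi <abi/3.0>, which needs Ubuntu 22.04 or later.`, so a reader knows which line changes together with the profile.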
Expand All @@ -19,7 +23,7 @@ RUN pip install virtualenv
ENV CODEJAIL_GROUP=sandbox
ENV CODEJAIL_SANDBOX_CALLER=ubuntu
ENV CODEJAIL_TEST_USER=sandbox
ENV CODEJAIL_TEST_VENV=/home/sandbox/codejail_sandbox-python${python_version}
ENV CODEJAIL_TEST_VENV=/home/sandbox/codejail_sandbox

# Create Virtualenv for sandbox user
RUN virtualenv -p python${python_version} --always-copy $CODEJAIL_TEST_VENV
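Review bot: `CODEJAIL_TEST_VENV=/home/sandbox/codejail_sandbox` is now a fixed path that must equal both the attachment path in the AppArmor profile and the command path in the sudoers file, but the file header only mentions the profile; add the sudoers file to that list or put a short comment on this `ENV` line. A mismatch with sudoers fails `sudo` loudly, whereas a mismatch with the profile, as the profile's own comment says, leaves the python binary running with no confinement at all.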
Expand Down Expand Up @@ -65,7 +69,7 @@ RUN pip install -r /codejail/requirements/sandbox.txt -r /codejail/requirements/
COPY . /codejail

# Setup sudoers file
COPY sudoers-file/01-sandbox-python-${python_version} /etc/sudoers.d/01-sandbox
COPY sudoers-file/01-sandbox-python /etc/sudoers.d/01-sandbox

# Change Sudoers file permissions
RUN chmod 0440 /etc/sudoers.d/01-sandbox
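Review bot: the `COPY` now pulls `sudoers-file/01-sandbox-python` and the following `chmod 0440` sets the mode sudo requires, but nothing validates the file's syntax at build time; a `RUN visudo -c -f /etc/sudoers.d/01-sandbox` after the `chmod` would fail the image build, rather than the test run, if the renamed file is ever edited incorrectly.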
54 changes: 5 additions & 49 deletions README.rst
Expand Up @@ -114,61 +114,17 @@ Other details here that depend on your configuration:
(Note that the ``find`` binary can run arbitrary code, so this is not a safe sudoers file for non-codejail purposes.)

5. Edit an AppArmor profile. This is a text file specifying the limits on the
sandboxed Python executable. The file must be in ``/etc/apparmor.d`` and must
sandboxed Python executable. The file must be in ``/etc/apparmor.d`` and should
be named based on the executable, with slashes replaced by dots. For
example, if your sandboxed Python is at ``/home/chris/ve/myproj-sandbox/bin/python``,
then your AppArmor profile must be ``/etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python``::
then your AppArmor profile must be ``/etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python``.

$ sudo vim /etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python

#include <tunables/global>

<SANDENV>/bin/python {
#include <abstractions/base>
#include <abstractions/python>

<CODEJAIL_CHECKOUT>/** mr,
<SANDENV>/** mr,
# If you have code that the sandbox must be able to access, add lines
# pointing to those directories:
/the/path/to/your/sandbox-packages/** r,

/tmp/codejail-*/ rix,
/tmp/codejail-*/** wrix,
}

Depending on your OS and AppArmor version you may need to specify a policy
ABI to ensure the restrictions are being correctly applied. Modern ubuntu
versions using AppArmor V3 should use the 3.0 ABI in order to enable
network confinment rules. A profile using the ABI 3.0 would look as
follows::

$ sudo vim /etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python

abi <abi/3.0>,
#include <tunables/global>

<SANDENV>/bin/python {
#include <abstractions/base>
#include <abstractions/python>

<CODEJAIL_CHECKOUT>/** mr,
<SANDENV>/** mr,
# If you have code that the sandbox must be able to access, add lines
# pointing to those directories:
/the/path/to/your/sandbox-packages/** r,

/tmp/codejail-*/ rix,
/tmp/codejail-*/** wrix,
}

You can also look at the
``apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3``
file which is used for testing for a full profile example.
See sample profile in ``apparmor-profiles/``. The profile **must be
customized** to match your sandbox location.

6. Parse the profiles::

$ sudo apparmor_parser <APPARMOR_FILE>
$ sudo apparmor_parser --replace --warn=all --warn=no-debug-cache --Werror <APPARMOR_FILE>

7. Reactivate your project's main virtualenv again.

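Review bot: step 5 now says the file "should be named based on the executable", but the next sentence still says the profile "must be" `/etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python`, and the sample profile this PR adds is a named profile (`profile openedx_codejail_sandbox <path>`) whose file name does not follow that scheme; make the two sentences agree and state that the path after `profile` is what attaches the policy to the executable. The new `apparmor_parser --replace --warn=all --warn=no-debug-cache --Werror` line is a good change; consider keeping one sentence saying the profile must declare `abi <abi/3.0>` on AppArmor 3, since the inline example that explained this was deleted and the reader is now sent to `apparmor-profiles/` for it.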

This file was deleted.

77 changes: 77 additions & 0 deletions apparmor-profiles/home.sandbox.codejail_sandbox.bin.python-abi3
@@ -0,0 +1,77 @@
# Used for running codejail unit tests, but should also be maintained as a
# general example.
#
# Sandbox path must be kept in sync with Dockerfile.


# AppArmor profile for running codejail.
#
# Changes to this profile must be coordinated carefully with changes to the
# filesystem layout -- in particular, the sandbox path must match, otherwise
# the profile will provide no security at all.
#
# #=========#
# # WARNING #
# #=========#
#
# Failure to apply a secure apparmor profile *will* likely result in a
# full compromise of the host by an attacker. AppArmor is *mandatory*
# for using codejail -- this is not just for hardening.
#
# This profile is written for AppArmor 3 or higher (Ubuntu 22.04 or higher).



# Require that the system understands the feature set that this policy was written
# for. If we didn't include this, then on Ubuntu >= 22.04, AppArmor might assume
# the wrong feature set was requested, and some rules might become too permissive.
# See https://github.com/netblue30/firejail/issues/3659#issuecomment-711074899
#
# This should also be set to match the installed AppArmor version.
abi <abi/3.0>,

# Sets standard variables used by abstractions/base, later. Controlled
# by OS, see /etc/apparmor.d/tunables/global for contents.
include <tunables/global>

# `mediate_deleted` instructs apparmor to continue to make policy decisions
# in cases where a confined executable has a file descriptor even after the
# file is removed from the filesystem. It's unclear if this is important for
# sandboxing, but it doesn't seem like it would loosen security or interfere
# with functionality to include it.
#
# `no_attach_disconnected` is default, but is explicitly indicated
# here because `attach_disconnected` is very commonly used in
# example profiles despite being a security risk (due to allowing
# disconnected objects to masquerade as other, trusted paths in the
# filesystem).
profile openedx_codejail_sandbox /home/sandbox/codejail_sandbox/bin/python flags=(mediate_deleted, no_attach_disconnected) {

# Allow access to a variety of commonly needed, generally safe things
# (such as reading /usr/lib, /dev/random, free memory levels, etc.)
#
# Manpage: "Includes files that should be readable and writable in all profiles."
#
# We could instead list these directives explicitly out of caution but
# it would get pretty verbose.
include <abstractions/base>

# Read and run binaries and libraries in the virtualenv. This
# includes the sandbox's copy of Python as well as any
# dependencies that have been installed for inclusion in
# sandboxes.
#
# m: executable mapping, required for shared libraries used by some
# Python dependencies with C compontents, eg `nltk`.
/home/sandbox/codejail_sandbox/** mr,

# Allow access to the temporary directories that are set up by
# codejail, one for each code-exec call. Each /tmp/code-XXXXX
# contains one execution.
/tmp/codejail-*/ rix,
/tmp/codejail-*/** wrix,

# Allow receiving a kill signal from the webapp when the execution
# runs beyond time limits.
signal (receive) set=(kill),
}
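Review bot: the comment above the `/tmp/codejail-*/` rules says each `/tmp/code-XXXXX` contains one execution, which does not match the `codejail-` prefix in the rules themselves; fix the comment so a reader checking the profile against the filesystem does not conclude a rule is missing. Smaller points: the two header blocks (`# Used for running codejail unit tests...` and `# AppArmor profile for running codejail.`) overlap and could be merged into one; "compontents" in the `m:` comment is a typo; and the profile deliberately omits the `<abstractions/python>` include that the deleted README example carried, which deserves a one-line comment so nobody adds it back out of habit.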
@@ -1,7 +1,9 @@
ubuntu ALL=(sandbox) SETENV:NOPASSWD:/home/sandbox/codejail_sandbox-python3.11/bin/python
# Used for running codejail unit tests.

ubuntu ALL=(sandbox) SETENV:NOPASSWD:/home/sandbox/codejail_sandbox/bin/python
ubuntu ALL=(sandbox) SETENV:NOPASSWD:/usr/bin/find
ubuntu ALL=(ALL) NOPASSWD:/usr/bin/pkill

Defaults!/home/sandbox/codejail_sandbox-python3.11/bin/python !requiretty
Defaults!/home/sandbox/codejail_sandbox/bin/python !requiretty
Defaults!/usr/bin/find !requiretty
Defaults!/usr/bin/pkill !requiretty
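Review bot: the new header comment only says the file is used for unit tests; it should also say that the `/home/sandbox/codejail_sandbox/bin/python` path on the first rule and on the `Defaults!` line must match `CODEJAIL_TEST_VENV` in the Dockerfile and the attachment path in the AppArmor profile, since the Dockerfile header mentions only the profile. Note too that `/usr/bin/find` is granted as `(sandbox)` and `/usr/bin/pkill` as `(ALL)`, both `NOPASSWD`; the README already warns that `find` can run arbitrary code, so a pointer to that warning here would discourage copying this file to a non-test host unchanged.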
7 changes: 0 additions & 7 deletions sudoers-file/01-sandbox-python-3.8

This file was deleted.