diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ed7fcef5..9cbe03a1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,16 +19,19 @@ jobs:
 - python_version: '3.11'
 ubuntu_version: '22.04'
 os: "ubuntu-22.04"
- # Disabling this for now because it's failing and we need to figure out
- # next steps to fix this.
- # - python_version: '3.11'
- # ubuntu_version: '24.04'
- # os: "ubuntu-24.04"
+ - python_version: '3.11'
+ ubuntu_version: '24.04'
+ os: "ubuntu-24.04"
 steps:
 - uses: actions/checkout@v4
- - name: Parse custom apparmor profile
- run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
+ - name: Parse custom apparmor profile with default feature ABI
+ if: ${{ matrix.ubuntu_version == '20.04' }}
+ run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
+
+ - name: Parse custom apparmor profile with ABI 3.0
+ if: ${{ matrix.ubuntu_version != '20.04' }}
+ run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3
 - name: Build latest code changes into CI image
 run: |
diff --git a/README.rst b/README.rst
index 5c7fba0a..3b42eaf7 100644
--- a/README.rst
+++ b/README.rst
@@ -61,6 +61,7 @@ Ubuntu:
 * 20.04
 * 22.04
+* 24.04
 Installation
 ------------
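Review bot: The two added steps pick the profile by comparing `matrix.ubuntu_version` against the literal '20.04' in both `if:` expressions, so any matrix entry that omits `ubuntu_version` or adds a future release silently falls into the `!=` branch and loads the abi3 profile without an explicit decision; the 20.04 entry itself sits above this hunk, so I am inferring its existence from the '22.04' and '24.04' entries shown. Consider carrying the profile name in the matrix instead, e.g. `apparmor_profile: home.sandbox.codejail_sandbox-python3.bin.python-abi3` on each entry and a single step with `run: sudo apparmor_parser -r -W apparmor-profiles/${{ matrix.apparmor_profile }}`, which keeps the version-to-profile mapping explicit and removes the duplicated step. The step relies on apparmor_parser's exit status to fail the job when a profile is rejected, which is fine, but a trailing `sudo aa-status` line in the same step would make it visible in the log whether the profile actually ended up in enforce mode on each runner.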
@@ -137,6 +138,35 @@ Other details here that depend on your configuration:
 /tmp/codejail-*/** wrix,
 }
+ Depending on your OS and AppArmor version you may need to specify a policy
+ ABI to ensure the restrictions are being correctly applied. Modern ubuntu
+ versions using AppArmor V3 should use the 3.0 ABI in order to enable
+ network confinment rules. A profile using the ABI 3.0 would look as
+ follows::
+
+ $ sudo vim /etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python
+
+ abi ,
+ #include
+
+ /bin/python {
+ #include
+ #include
+
+ /** mr,
+ /** mr,
+ # If you have code that the sandbox must be able to access, add lines
+ # pointing to those directories:
+ /the/path/to/your/sandbox-packages/** r,
+
+ /tmp/codejail-*/ rix,
+ /tmp/codejail-*/** wrix,
+ }
+
+ You can also look at the
+ ``apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3``
+ file which is used for testing for a full profile example.
+
 6. Parse the profiles::
 $ sudo apparmor_parser
diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3 b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3
new file mode 100644
index 00000000..3183954a
--- /dev/null
+++ b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3
@@ -0,0 +1,64 @@
+abi ,
+#include
+profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
+ #include
+ #include
+
+ # Deny network access and socket operations
+ # Note: If this profile is being run on a docker container
+ # then this directive might not be sufficient. Docker network
+ # interfaces are created in a different namespace from the one that
+ # apparmor can monitor and manage and so apparmor can't always deny
+ # network access to the container. Please be sure to test
+ # network access from within your container for the jailed process
+ # to be sure that everything is secure.
+ deny network,
+
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so,so.*[0-9]} mr,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth} r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/ r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/**/ r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.VERSION r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
+ /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
+
+ # Site-wide configuration
+ /etc/python{2.[4-7],3.[0-9],3.[1-9][0-9]}/** r,
+
+ # shared python paths
+ /usr/share/{pyshared,pycentral,python-support}/** r,
+ /{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
+ /usr/lib/{pyshared,pycentral,python-support}/**.so mr,
+ /var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
+ /usr/lib/python3/dist-packages/**.so mr,
+
+ # wx paths
+ /usr/lib/wx/python/*.pth r,
+
+ # python build configuration and headers
+ /usr/include/python{2.[4-7],3.[0-9],3.[1-9][0-9]}*/pyconfig.h r,
+
+ # Include additions to the abstraction
+ include if exists
+
+ /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/** mr,
+ /tmp/codejail-*/ rix,
+ /tmp/codejail-*/** wrix,
+
+ # Whitelist particiclar shared objects from the system
+ # python installation
+ #
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_json.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_ctypes.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_heapq.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_io.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_csv.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/datetime.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_elementtree.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/pyexpat.so mr,
+ #
+ # Allow access to selections from /proc
+ #
+ /proc/*/mounts r,
+}
diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
similarity index 99%
rename from apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
rename to apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
index ec95f8b4..5ac108b1 100644
--- a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
+++ b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
@@ -1,5 +1,4 @@
 #include
-
 profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
 #include
 #include
diff --git a/codejail/__init__.py b/codejail/__init__.py
index 291836b2..b39c74e2 100644
--- a/codejail/__init__.py
+++ b/codejail/__init__.py
@@ -1,3 +1,3 @@
 """init"""
-__version__ = '3.5.1'
+__version__ = '3.5.2'
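Review bot: The new profile has no comment explaining why it exists alongside the `-default-abi` sibling, even though the rename hunk below reports 99% similarity and the only functional difference is the leading `abi` declaration; a maintainer editing one rule set will not know the other must be kept in sync. Add a header comment directly under the abi line, e.g. `# Pins the AppArmor 3.0 policy feature ABI so the 'deny network,' rule below is actually mediated on AppArmor 3 hosts (see README); keep the rule body identical to the -default-abi profile, which the CI matrix uses only for Ubuntu 20.04.` The added comment `# Whitelist particiclar shared objects from the system` also carries a typo (particular). The rule body itself is carried over from the renamed profile, so I am not re-reviewing it, but its own note that `deny network,` may not hold inside a Docker network namespace is the claim most worth exercising in CI on the 24.04 runner now that the 3.0 ABI makes the rule active.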