From a9c3b317d04899acd364d049690a45bb9b7dcb2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Gonz=C3=A1lez?= Date: Thu, 7 Nov 2024 13:01:07 -0400 Subject: [PATCH] test: load aa-profiles with compatible ABIs for the host (#207) When not specified AppArmor fallbacks to a default policy specified in the `/etc/apparmor/parser.conf` file. Ubuntu 24.04 does not pin an ABI with network features and such rules are not enforced. From Ubuntu 22.04 onwards, the ABI 3.0 is available so we use that one. For Ubuntu 20.04 we rely on the fallback ABI (2.13). --- .github/workflows/ci.yml | 17 +++-- README.rst | 30 +++++++++ ...x.codejail_sandbox-python3.bin.python-abi3 | 64 +++++++++++++++++++ ...il_sandbox-python3.bin.python-default-abi} | 1 - codejail/__init__.py | 2 +- 5 files changed, 105 insertions(+), 9 deletions(-) create mode 100644 apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3 rename apparmor-profiles/{home.sandbox.codejail_sandbox-python3.bin.python => home.sandbox.codejail_sandbox-python3.bin.python-default-abi} (99%) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ed7fcef5..9cbe03a1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -19,16 +19,19 @@ jobs: - python_version: '3.11' ubuntu_version: '22.04' os: "ubuntu-22.04" - # Disabling this for now because it's failing and we need to figure out - # next steps to fix this. - # - python_version: '3.11' - # ubuntu_version: '24.04' - # os: "ubuntu-24.04" + - python_version: '3.11' + ubuntu_version: '24.04' + os: "ubuntu-24.04" steps: - uses: actions/checkout@v4 - - name: Parse custom apparmor profile - run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python + - name: Parse custom apparmor profile with default feature ABI + if: ${{ matrix.ubuntu_version == '20.04' }} + run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi + + - name: Parse custom apparmor profile with ABI 3.0 + if: ${{ matrix.ubuntu_version != '20.04' }} + run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3 - name: Build latest code changes into CI image run: | diff --git a/README.rst b/README.rst index 5c7fba0a..3b42eaf7 100644 --- a/README.rst +++ b/README.rst @@ -61,6 +61,7 @@ Ubuntu: * 20.04 * 22.04 +* 24.04 Installation ------------ 
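Review bot: Nothing after the two conditional parse steps confirms that the profile chosen by the `if:` condition is actually present and in enforce mode, so a missing or complain-mode profile would only surface indirectly through whichever test later exercises a rule. A short step after them, `- name: Verify sandbox profile is enforced` with `run: sudo aa-status | grep apparmor_profile`, makes that precondition visible in the job log and fails early; whether the ABI-dependent rules are enforced still rests on the tests themselves. Selecting the file with `matrix.ubuntu_version != '20.04'` also routes every future matrix entry to the ABI 3.0 file by default; carrying the filename in each matrix entry (e.g. `apparmor_profile: home.sandbox.codejail_sandbox-python3.bin.python-abi3`) and using one parse step with `apparmor-profiles/${{ matrix.apparmor_profile }}` keeps the choice next to the OS it applies to. The `jobs:` block this hunk edits starts and ends outside the hunk.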
@@ -137,6 +138,35 @@ Other details here that depend on your configuration: /tmp/codejail-*/** wrix, } + Depending on your OS and AppArmor version you may need to specify a policy + ABI to ensure the restrictions are being correctly applied. Modern ubuntu + versions using AppArmor V3 should use the 3.0 ABI in order to enable + network confinment rules. A profile using the ABI 3.0 would look as + follows:: + + $ sudo vim /etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python + + abi , + #include + + /bin/python { + #include + #include + + /** mr, + /** mr, + # If you have code that the sandbox must be able to access, add lines + # pointing to those directories: + /the/path/to/your/sandbox-packages/** r, + + /tmp/codejail-*/ rix, + /tmp/codejail-*/** wrix, + } + + You can also look at the + ``apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3`` + file which is used for testing for a full profile example. + 6. Parse the profiles:: $ sudo apparmor_parser diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3 b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3 new file mode 100644 index 00000000..3183954a --- /dev/null +++ b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3 
@@ -0,0 +1,64 @@
+abi ,
+#include
+profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
+ #include
+ #include
+
+ # Deny network access and socket operations
+ # Note: If this profile is being run on a docker container
+ # then this directive might not be sufficient. Docker network
+ # interfaces are created in a different namespace from the one that
+ # apparmor can monitor and manage and so apparmor can't always deny
+ # network access to the container. Please be sure to test
+ # network access from within your container for the jailed process
+ # to be sure that everything is secure.
+ deny network,
+
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so,so.*[0-9]} mr,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth} r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/ r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/**/ r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.VERSION r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
+ /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
+
+ # Site-wide configuration
+ /etc/python{2.[4-7],3.[0-9],3.[1-9][0-9]}/** r,
+
+ # shared python paths
+ /usr/share/{pyshared,pycentral,python-support}/** r,
+ /{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
+ /usr/lib/{pyshared,pycentral,python-support}/**.so mr,
+ /var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
+ /usr/lib/python3/dist-packages/**.so mr,
+
+ # wx paths
+ /usr/lib/wx/python/*.pth r,
+
+ # python build configuration and headers
+ /usr/include/python{2.[4-7],3.[0-9],3.[1-9][0-9]}*/pyconfig.h r,
+
+ # Include additions to the abstraction
+ include if exists
+
+ /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/** mr,
+ /tmp/codejail-*/ rix,
+ /tmp/codejail-*/** wrix,
+
+ # Whitelist particiclar shared objects from the system
+ # python installation
+ #
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_json.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_ctypes.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_heapq.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_io.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_csv.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/datetime.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_elementtree.so mr,
+ /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/pyexpat.so mr,
+ #
+ # Allow access to selections from /proc
+ #
+ /proc/*/mounts r,
+}
diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
similarity index 99%
rename from apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
rename to apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
index ec95f8b4..5ac108b1 100644
--- a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
+++ b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
@@ -1,5 +1,4 @@
 #include
-
 profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
 #include
 #include
diff --git a/codejail/__init__.py b/codejail/__init__.py
index 291836b2..b39c74e2 100644
--- a/codejail/__init__.py
+++ b/codejail/__init__.py
@@ -1,3 +1,3 @@
 """init"""
-__version__ = '3.5.1'
+__version__ = '3.5.2'
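Review bot: This new profile appears to differ from `home.sandbox.codejail_sandbox-python3.bin.python-default-abi` only by the `abi` line at the top (the rename reports 99% similarity), and nothing in either file records that relationship, so a rule added to one is likely to be missed in the other. A header comment after the `abi` line, `# Same rule set as home.sandbox.codejail_sandbox-python3.bin.python-default-abi; the abi line pins ABI 3.0 so that the deny network rule is enforced on hosts whose default ABI lacks network mediation. Keep both files in sync.`, puts the reason for the split where the next editor will see it. The comment `# Whitelist particiclar shared objects from the system` has a typo (`particular`). The targets of the `abi` and `#include` lines are not visible in this rendering, so their paths could not be checked here.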