test: load aa-profiles with compatible ABIs for the host (#207)

MoisesGSalas · web-flow · commit a9c3b317d048 · 2024-11-07T13:01:07.000-04:00
When not specified AppArmor fallbacks to a default policy specified in
the `/etc/apparmor/parser.conf` file. Ubuntu 24.04 does not pin an ABI
with network features and such rules are not enforced.

From Ubuntu 22.04 onwards, the ABI 3.0 is available so we use that one.
For Ubuntu 20.04 we rely on the fallback ABI (2.13).
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -19,16 +19,19 @@ jobs:
           - python_version: '3.11'
             ubuntu_version: '22.04'
             os: "ubuntu-22.04"
-          # Disabling this for now because it's failing and we need to figure out
-          # next steps to fix this.
-          # - python_version: '3.11'
-          #   ubuntu_version: '24.04'
-          #   os: "ubuntu-24.04"
+          - python_version: '3.11'
+            ubuntu_version: '24.04'
+            os: "ubuntu-24.04"
 
     steps:
       - uses: actions/checkout@v4
-      - name: Parse custom apparmor profile
-        run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
+      - name: Parse custom apparmor profile with default feature ABI
+        if: ${{ matrix.ubuntu_version == '20.04' }}
+        run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
+
+      - name: Parse custom apparmor profile with ABI 3.0
+        if: ${{ matrix.ubuntu_version != '20.04' }}
+        run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3
 
       - name: Build latest code changes into CI image
         run: |
diff --git a/README.rst b/README.rst
@@ -61,6 +61,7 @@ Ubuntu:
 
 * 20.04
 * 22.04
+* 24.04
 
 Installation
 ------------
@@ -137,6 +138,35 @@ Other details here that depend on your configuration:
         /tmp/codejail-*/** wrix,
     }
 
+   Depending on your OS and AppArmor version you may need to specify a policy
+   ABI to ensure the restrictions are being correctly applied. Modern ubuntu
+   versions using AppArmor V3 should use the 3.0 ABI in order to enable
+   network confinment rules. A profile using the ABI 3.0 would look as
+   follows::
+
+     $ sudo vim /etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python
+
+     abi <abi/3.0>,
+     #include <tunables/global>
+
+     <SANDENV>/bin/python {
+         #include <abstractions/base>
+         #include <abstractions/python>
+
+         <CODEJAIL_CHECKOUT>/** mr,
+         <SANDENV>/** mr,
+         # If you have code that the sandbox must be able to access, add lines
+         # pointing to those directories:
+         /the/path/to/your/sandbox-packages/** r,
+
+         /tmp/codejail-*/ rix,
+         /tmp/codejail-*/** wrix,
+     }
+
+   You can also look at the
+   ``apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3``
+   file which is used for testing for a full profile example.
+
 6. Parse the profiles::
 
     $ sudo apparmor_parser <APPARMOR_FILE>
diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3 b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3
@@ -0,0 +1,64 @@
+abi <abi/3.0>,
+#include <tunables/global>
+profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
+    #include <abstractions/base>
+    #include <abstractions/python>
+
+    # Deny network access and socket operations
+    # Note: If this profile is being run on a docker container
+    # then this directive might not be sufficient.  Docker network
+    # interfaces are created in a different namespace from the one that
+    # apparmor can monitor and manage and so apparmor can't always deny
+    # network access to the container.  Please be sure to test
+    # network access from within your container for the jailed process
+    # to be sure that everything is secure.
+    deny network,
+
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so,so.*[0-9]} mr,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth}       r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/ r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/**/ r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.VERSION r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
+    /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so            mr,
+
+    # Site-wide configuration
+    /etc/python{2.[4-7],3.[0-9],3.[1-9][0-9]}/** r,
+
+    # shared python paths
+    /usr/share/{pyshared,pycentral,python-support}/**      r,
+    /{var,usr}/lib/{pyshared,pycentral,python-support}/**  r,
+    /usr/lib/{pyshared,pycentral,python-support}/**.so     mr,
+    /var/lib/{pyshared,pycentral,python-support}/**.pyc    mr,
+    /usr/lib/python3/dist-packages/**.so          mr,
+
+    # wx paths
+    /usr/lib/wx/python/*.pth r,
+
+    # python build configuration and headers
+    /usr/include/python{2.[4-7],3.[0-9],3.[1-9][0-9]}*/pyconfig.h r,
+
+    # Include additions to the abstraction
+    include if exists <abstractions/python.d>
+
+    /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/** mr,
+    /tmp/codejail-*/ rix,
+    /tmp/codejail-*/** wrix,
+
+    # Whitelist particiclar shared objects from the system
+    # python installation
+    #
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_json.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_ctypes.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_heapq.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_io.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_csv.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/datetime.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_elementtree.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/pyexpat.so mr,
+    #
+    # Allow access to selections from /proc
+    #
+    /proc/*/mounts r,
+}
diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
@@ -1,5 +1,4 @@
 #include <tunables/global>
-
 profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
     #include <abstractions/base>
     #include <abstractions/python>
diff --git a/codejail/__init__.py b/codejail/__init__.py
@@ -1,3 +1,3 @@
 """init"""
 
-__version__ = '3.5.1'
+__version__ = '3.5.2'

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,4 @@`
`1`	`1`	`#include <tunables/global>`
`2`		`-`
`3`	`2`	`profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {`
`4`	`3`	`#include <abstractions/base>`
`5`	`4`	`#include <abstractions/python>`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`"""init"""`
`2`	`2`
`3`		`-__version__ = '3.5.1'`
	`3`	`+__version__ = '3.5.2'`