fixup! feat: Build multiple test containers for codejail.

openedx · Apr 29, 2024 · 2c4d47a · 2c4d47a
1 parent 404ee69
commit 2c4d47a
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 11 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,7 +31,7 @@ jobs:
         uses: aws-actions/amazon-ecr-login@v1
 
       - name: Parse custom apparmor profile
-        run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python${{ matrix.python_version }}.bin.python
+        run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
 
       - name: Pull codejail CI image
         run: docker pull 257477529851.dkr.ecr.us-east-1.amazonaws.com/openedx-codejail:latest

diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python
@@ -1,24 +1,52 @@
 #include <tunables/global>
 
-profile apparmor_profile /home/sandbox/codejail_sandbox-python3.11/bin/python {
+profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
     #include <abstractions/base>
     #include <abstractions/python>
 
-    /home/sandbox/codejail_sandbox-python3.11/** mr,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so,so.*[0-9]} mr,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth}       r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/ r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/**/ r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.VERSION r,
+    /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
+    /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so            mr,
+
+    # Site-wide configuration
+    /etc/python{2.[4-7],3.[0-9],3.[1-9][0-9]}/** r,
+
+    # shared python paths
+    /usr/share/{pyshared,pycentral,python-support}/**      r,
+    /{var,usr}/lib/{pyshared,pycentral,python-support}/**  r,
+    /usr/lib/{pyshared,pycentral,python-support}/**.so     mr,
+    /var/lib/{pyshared,pycentral,python-support}/**.pyc    mr,
+    /usr/lib/python3/dist-packages/**.so          mr,
+
+    # wx paths
+    /usr/lib/wx/python/*.pth r,
+
+    # python build configuration and headers
+    /usr/include/python{2.[4-7],3.[0-9],3.[1-9][0-9]}*/pyconfig.h r,
+
+    # Include additions to the abstraction
+    include if exists <abstractions/python.d>
+
+    /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/** mr,
     /tmp/codejail-*/ rix,
     /tmp/codejail-*/** wrix,
 
     # Whitelist particiclar shared objects from the system
     # python installation
     #
-    /usr/lib/python3.11/lib-dynload/_json.so mr,
-    /usr/lib/python3.11/lib-dynload/_ctypes.so mr,
-    /usr/lib/python3.11/lib-dynload/_heapq.so mr,
-    /usr/lib/python3.11/lib-dynload/_io.so mr,
-    /usr/lib/python3.11/lib-dynload/_csv.so mr,
-    /usr/lib/python3.11/lib-dynload/datetime.so mr,
-    /usr/lib/python3.11/lib-dynload/_elementtree.so mr,
-    /usr/lib/python3.11/lib-dynload/pyexpat.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_json.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_ctypes.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_heapq.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_io.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_csv.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/datetime.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_elementtree.so mr,
+    /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/pyexpat.so mr,
     #
     # Allow access to selections from /proc
     #