-
Notifications
You must be signed in to change notification settings - Fork 81
Expand file tree
/
Copy pathhome.sandbox.codejail_sandbox-python3.bin.python-abi3
More file actions
64 lines (55 loc) · 2.99 KB
/
home.sandbox.codejail_sandbox-python3.bin.python-abi3
File metadata and controls
64 lines (55 loc) · 2.99 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
abi <abi/3.0>,
#include <tunables/global>
profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
#include <abstractions/base>
#include <abstractions/python>
# Deny network access and socket operations
# Note: If this profile is being run on a docker container
# then this directive might not be sufficient. Docker network
# interfaces are created in a different namespace from the one that
# apparmor can monitor and manage and so apparmor can't always deny
# network access to the container. Please be sure to test
# network access from within your container for the jailed process
# to be sure that everything is secure.
deny network,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so,so.*[0-9]} mr,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth} r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/ r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/**/ r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.VERSION r,
/usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
/usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
# Site-wide configuration
/etc/python{2.[4-7],3.[0-9],3.[1-9][0-9]}/** r,
# shared python paths
/usr/share/{pyshared,pycentral,python-support}/** r,
/{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
/usr/lib/{pyshared,pycentral,python-support}/**.so mr,
/var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
/usr/lib/python3/dist-packages/**.so mr,
# wx paths
/usr/lib/wx/python/*.pth r,
# python build configuration and headers
/usr/include/python{2.[4-7],3.[0-9],3.[1-9][0-9]}*/pyconfig.h r,
# Include additions to the abstraction
include if exists <abstractions/python.d>
/home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/** mr,
/tmp/codejail-*/ rix,
/tmp/codejail-*/** wrix,
# Whitelist particiclar shared objects from the system
# python installation
#
/usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_json.so mr,
/usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_ctypes.so mr,
/usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_heapq.so mr,
/usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_io.so mr,
/usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_csv.so mr,
/usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/datetime.so mr,
/usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_elementtree.so mr,
/usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/pyexpat.so mr,
#
# Allow access to selections from /proc
#
/proc/*/mounts r,
}