diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9cbe03a1..6af8eaa4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,29 +8,16 @@ on:
jobs:
codejail_ci:
name: tests
- runs-on: ${{ matrix.os }}
+ runs-on: ubuntu-${{ matrix.ubuntu_version }}
strategy:
fail-fast: false
matrix:
- include:
- - python_version: '3.11'
- ubuntu_version: '20.04'
- os: "ubuntu-20.04"
- - python_version: '3.11'
- ubuntu_version: '22.04'
- os: "ubuntu-22.04"
- - python_version: '3.11'
- ubuntu_version: '24.04'
- os: "ubuntu-24.04"
+ python_version: ['3.11']
+ ubuntu_version: ['22.04', '24.04']
steps:
- uses: actions/checkout@v4
- - name: Parse custom apparmor profile with default feature ABI
- if: ${{ matrix.ubuntu_version == '20.04' }}
- run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
- name: Parse custom apparmor profile with ABI 3.0
- if: ${{ matrix.ubuntu_version != '20.04' }}
run: sudo apparmor_parser -r -W apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-abi3
- name: Build latest code changes into CI image
diff --git a/Dockerfile b/Dockerfile
index 08fca2be..1ae01b7f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,9 @@
-ARG ubuntu_version="20.04"
+ARG ubuntu_version="24.04"
FROM ubuntu:${ubuntu_version}
SHELL ["/bin/bash", "-c"]
-ARG python_version="3.8"
+ARG python_version="3.11"
# Install Codejail Packages
ENV TZ=Etc/UTC
diff --git a/README.rst b/README.rst
index 3b42eaf7..b9e1d282 100644
--- a/README.rst
+++ b/README.rst
@@ -59,7 +59,6 @@ Python:
Ubuntu:
-* 20.04
* 22.04
* 24.04
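Review bot: Removing `os` from the matrix means any step further down the `codejail_ci` job that still reads `matrix.os` will now expand to an empty string instead of failing, because an undefined context property evaluates to empty in a workflow expression; the rest of the job (including the `Build latest code changes into CI image` step and whatever build args it passes) lies outside this hunk, so the remaining references to `matrix.os` and `matrix.ubuntu_version` should be checked. The retained `Parse custom apparmor profile with ABI 3.0` step is now unconditional, which is correct once 20.04 is gone, but it still only confirms that `apparmor_parser` accepted the profile, not that the tests later run under it; the deleted 20.04 profile on this page carries a comment warning that AppArmor may not confine a Docker container's network, and that caveat still applies to the surviving abi3 profile, so a note on the step would help, e.g. `# Loads the profile on the runner; the test step must confirm the sandbox is actually confined`. With a single entry left, `python_version: ['3.11']` deserves a comment such as `# kept as a list so more interpreters can be added without reshaping the matrix`. The `codejail_ci` job continues past the end of the hunk.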
@@ -88,7 +87,7 @@ Other details here that depend on your configuration:
1. Create the new virtualenv, using ``--copies`` so that there's a distinct Python executable to limit::
- $ sudo python3.8 -m venv --copies
+ $ sudo python3.11 -m venv --copies
By default, the virtualenv would just symlink against the system Python, and apparmor's default configuration on some operating systems may prevent confinement from being appled to that.
diff --git a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi b/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
deleted file mode 100644
index 5ac108b1..00000000
--- a/apparmor-profiles/home.sandbox.codejail_sandbox-python3.bin.python-default-abi
+++ /dev/null
@@ -1,63 +0,0 @@
-#include
-profile apparmor_profile /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/bin/python {
- #include
- #include
-
- # Deny network access and socket operations
- # Note: If this profile is being run on a docker container
- # then this directive might not be sufficient. Docker network
- # interfaces are created in a different namespace from the one that
- # apparmor can monitor and manage and so apparmor can't always deny
- # network access to the container. Please be sure to test
- # network access from within your container for the jailed process
- # to be sure that everything is secure.
- deny network,
-
- /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{pyc,so,so.*[0-9]} mr,
- /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/**.{egg,py,pth} r,
- /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/ r,
- /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/**/ r,
- /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
- /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.VERSION r,
- /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
- /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
-
- # Site-wide configuration
- /etc/python{2.[4-7],3.[0-9],3.[1-9][0-9]}/** r,
-
- # shared python paths
- /usr/share/{pyshared,pycentral,python-support}/** r,
- /{var,usr}/lib/{pyshared,pycentral,python-support}/** r,
- /usr/lib/{pyshared,pycentral,python-support}/**.so mr,
- /var/lib/{pyshared,pycentral,python-support}/**.pyc mr,
- /usr/lib/python3/dist-packages/**.so mr,
-
- # wx paths
- /usr/lib/wx/python/*.pth r,
-
- # python build configuration and headers
- /usr/include/python{2.[4-7],3.[0-9],3.[1-9][0-9]}*/pyconfig.h r,
-
- # Include additions to the abstraction
- include if exists
-
- /home/sandbox/codejail_sandbox-python{3.[0-9],3.[1-9][0-9]}/** mr,
- /tmp/codejail-*/ rix,
- /tmp/codejail-*/** wrix,
-
- # Whitelist particiclar shared objects from the system
- # python installation
- #
- /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_json.so mr,
- /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_ctypes.so mr,
- /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_heapq.so mr,
- /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_io.so mr,
- /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_csv.so mr,
- /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/datetime.so mr,
- /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/_elementtree.so mr,
- /usr/lib/python{3.[0-9],3.[1-9][0-9]}/lib-dynload/pyexpat.so mr,
- #
- # Allow access to selections from /proc
- #
- /proc/*/mounts r,
-}