feat!: Rename codejail apparmor profile to add openedx prefix

timmc-edx · timmc-edx · commit 8bf42bc8b82b · 2025-03-03T22:34:51.000Z
AppArmor profiles are global within the OS, so we should use a name that is
better guaranteed to not conflict. Choosing an openedx prefix also gives
operators a hint when they're trying to manage installed profiles in the OS
and establishes precedent for future profiles.
diff --git a/codejail.profile b/codejail.profile
@@ -34,7 +34,7 @@ abi <abi/3.0>,
 # the outer one is going to help. But there may be some small value in
 # defense-in-depth, as it's possible that a bug in the codejail_sandbox (inner)
 # profile isn't present in the outer one.
-profile codejail_service flags=(mediate_deleted) {
+profile openedx_codejail_service flags=(mediate_deleted) {
 
     # Allow access to a variety of commonly needed, generally safe things
     # (such as reading /dev/random, free memory, etc.)
@@ -60,7 +60,7 @@ profile codejail_service flags=(mediate_deleted) {
 
     # Allow sending a kill signal to the codejail_sandbox subprofile when the execution
     # runs beyond time limits.
-    signal (send) set=(kill) peer=codejail_service//codejail_sandbox,
+    signal (send) set=(kill) peer=openedx_codejail_service//codejail_sandbox,
 
     # The core of the confinement: When the sandbox Python is executed, switch to
     # the (extremely constrained) codejail_sandbox profile.
@@ -108,6 +108,6 @@ profile codejail_service flags=(mediate_deleted) {
 
         # Allow receiving a kill signal from the webapp when the execution
         # runs beyond time limits.
-        signal (receive) set=(kill) peer=codejail_service,
+        signal (receive) set=(kill) peer=openedx_codejail_service,
     }
 }
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -732,7 +732,7 @@ services:
     ports:
       - "18030:8080"
     security_opt:
-      - apparmor=codejail_service
+      - apparmor=openedx_codejail_service
 
   xqueue:
     container_name: "edx.${COMPOSE_PROJECT_NAME:-devstack}.xqueue"
diff --git a/docs/codejail.rst b/docs/codejail.rst
@@ -33,7 +33,7 @@ Changes to the AppArmor profile must be coordinated with changes to the Dockerfi
 
 Any time you update the profile file, you'll need to update the profile in your OS as well: ``sudo apparmor_parser --replace -W ./codejail.profile``
 
-The profile file contains the directive ``profile codejail_service``. That defines the name of the profile when it is installed into the OS, and must agree with the relevant ``security_opt`` line in ``docker-compose.yml``. This name should not be changed, as it creates a confusing situation and would require every developer who uses codejail-service to do a number of manual steps. (Profiles can't be renamed *within* the OS; they must first be removed **under the old name**, and then a new profile must be installed under the new name.)
+The profile file contains the directive ``profile openedx_codejail_service``. That defines the name of the profile when it is installed into the OS, and must agree with the relevant ``security_opt`` line in ``docker-compose.yml``. This name should not be changed, as it creates a confusing situation and would require every developer who uses codejail-service to do a number of manual steps. (Profiles can't be renamed *within* the OS; they must first be removed **under the old name**, and then a new profile must be installed under the new name.)
 
 Debugging
 *********
