diff --git a/codejail.profile b/codejail.profile
index dbb4b4e9..e3f403e9 100644
--- a/codejail.profile
+++ b/codejail.profile
@@ -34,7 +34,7 @@ abi ,
 # the outer one is going to help. But there may be some small value in
 # defense-in-depth, as it's possible that a bug in the codejail_sandbox (inner)
 # profile isn't present in the outer one.
-profile codejail_service flags=(mediate_deleted) {
+profile openedx_codejail_service flags=(mediate_deleted) {
 # Allow access to a variety of commonly needed, generally safe things
 # (such as reading /dev/random, free memory, etc.)
@@ -60,7 +60,7 @@ profile codejail_service flags=(mediate_deleted) {
 # Allow sending a kill signal to the codejail_sandbox subprofile when the execution
 # runs beyond time limits.
- signal (send) set=(kill) peer=codejail_service//codejail_sandbox,
+ signal (send) set=(kill) peer=openedx_codejail_service//codejail_sandbox,
 # The core of the confinement: When the sandbox Python is executed, switch to
 # the (extremely constrained) codejail_sandbox profile.
@@ -108,6 +108,6 @@ profile codejail_service flags=(mediate_deleted) {
 # Allow receiving a kill signal from the webapp when the execution
 # runs beyond time limits.
- signal (receive) set=(kill) peer=codejail_service,
+ signal (receive) set=(kill) peer=openedx_codejail_service,
 }
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index 482f8f30..930dbf8b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -732,7 +732,7 @@ services:
 ports:
 - "18030:8080"
 security_opt:
- - apparmor=codejail_service
+ - apparmor=openedx_codejail_service
 xqueue:
 container_name: "edx.${COMPOSE_PROJECT_NAME:-devstack}.xqueue"
diff --git a/docs/codejail.rst b/docs/codejail.rst
index f9cba976..dfac6503 100644
--- a/docs/codejail.rst
+++ b/docs/codejail.rst
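Review bot: In docker-compose.yml the `security_opt` entry now names `openedx_codejail_service`, but nothing in this change covers machines that still have the profile loaded under the old name. Until a developer re-runs `sudo apparmor_parser --replace -W ./codejail.profile`, the container will presumably be refused at start, since Docker normally errors on an unloaded AppArmor profile rather than running unconfined; that is worth confirming. The old `codejail_service` profile also stays loaded until it is removed under its old name. A comment above the entry would make the coupling visible, e.g. `# Must match the profile name in codejail.profile; reload the profile after any rename and remove the old one under its old name`. The service definition this entry belongs to starts outside the hunk.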
@@ -33,7 +33,7 @@ Changes to the AppArmor profile must be coordinated with changes to the Dockerfi
 Any time you update the profile file, you'll need to update the profile in your OS as well: ``sudo apparmor_parser --replace -W ./codejail.profile``
-The profile file contains the directive ``profile codejail_service``. That defines the name of the profile when it is installed into the OS, and must agree with the relevant ``security_opt`` line in ``docker-compose.yml``. This name should not be changed, as it creates a confusing situation and would require every developer who uses codejail-service to do a number of manual steps. (Profiles can't be renamed *within* the OS; they must first be removed **under the old name**, and then a new profile must be installed under the new name.)
+The profile file contains the directive ``profile openedx_codejail_service``. That defines the name of the profile when it is installed into the OS, and must agree with the relevant ``security_opt`` line in ``docker-compose.yml``. This name should not be changed, as it creates a confusing situation and would require every developer who uses codejail-service to do a number of manual steps. (Profiles can't be renamed *within* the OS; they must first be removed **under the old name**, and then a new profile must be installed under the new name.)
 Debugging
 *********
diff --git a/py_configuration_files/codejail.py b/py_configuration_files/codejail.py
index eb884004..44c4857c 100644
--- a/py_configuration_files/codejail.py
+++ b/py_configuration_files/codejail.py
@@ -21,9 +21,11 @@
 'limits': {
 # CPU-seconds
 'CPU': 3,
- # 100 MiB memory
- 'VMEM': 100 * 1024 * 1024,
 # Clock seconds
 'REALTIME': 3,
+ # 100 MiB memory
+ 'VMEM': 100 * 1024 * 1024,
+ # 1 MB file write limit
+ 'FSIZE': 1 * 1024 * 1024,
 },
 }
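Review bot: The comment on the new `'FSIZE'` entry in py_configuration_files/codejail.py says "1 MB", but `1 * 1024 * 1024` is 1 MiB and the neighbouring `'VMEM'` comment already uses MiB; `# 1 MiB file write limit` would keep the units consistent. The comment also gives no reason why sandboxed code is allowed to write files at all. Since this is a resource ceiling on untrusted code, a one-line why-comment (what the writes are for, and that the value is meant to bound disk use per execution) would let a later reviewer judge whether 1 MiB is the right limit. The `'limits'` dict and the setting that contains it begin outside the hunk.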