A couple tweaks to codejail config

codejail.profile

@@ -34,7 +34,7 @@ abi <abi/3.0>,
 # the outer one is going to help. But there may be some small value in
 # defense-in-depth, as it's possible that a bug in the codejail_sandbox (inner)
 # profile isn't present in the outer one.
-profile codejail_service flags=(mediate_deleted) {
+profile openedx_codejail_service flags=(mediate_deleted) {
 
     # Allow access to a variety of commonly needed, generally safe things
     # (such as reading /dev/random, free memory, etc.)
@@ -60,7 +60,7 @@ profile codejail_service flags=(mediate_deleted) {
 
     # Allow sending a kill signal to the codejail_sandbox subprofile when the execution
     # runs beyond time limits.
-    signal (send) set=(kill) peer=codejail_service//codejail_sandbox,
+    signal (send) set=(kill) peer=openedx_codejail_service//codejail_sandbox,
 
     # The core of the confinement: When the sandbox Python is executed, switch to
     # the (extremely constrained) codejail_sandbox profile.
@@ -108,6 +108,6 @@ profile codejail_service flags=(mediate_deleted) {
 
         # Allow receiving a kill signal from the webapp when the execution
         # runs beyond time limits.
-        signal (receive) set=(kill) peer=codejail_service,
+        signal (receive) set=(kill) peer=openedx_codejail_service,
     }
 }

docker-compose.yml

@@ -732,7 +732,7 @@ services:
     ports:
       - "18030:8080"
     security_opt:
-      - apparmor=codejail_service
+      - apparmor=openedx_codejail_service
 
   xqueue:
     container_name: "edx.${COMPOSE_PROJECT_NAME:-devstack}.xqueue"

docs/codejail.rst

@@ -33,7 +33,7 @@ Changes to the AppArmor profile must be coordinated with changes to the Dockerfi
 
 Any time you update the profile file, you'll need to update the profile in your OS as well: ``sudo apparmor_parser --replace -W ./codejail.profile``
 
-The profile file contains the directive ``profile codejail_service``. That defines the name of the profile when it is installed into the OS, and must agree with the relevant ``security_opt`` line in ``docker-compose.yml``. This name should not be changed, as it creates a confusing situation and would require every developer who uses codejail-service to do a number of manual steps. (Profiles can't be renamed *within* the OS; they must first be removed **under the old name**, and then a new profile must be installed under the new name.)
+The profile file contains the directive ``profile openedx_codejail_service``. That defines the name of the profile when it is installed into the OS, and must agree with the relevant ``security_opt`` line in ``docker-compose.yml``. This name should not be changed, as it creates a confusing situation and would require every developer who uses codejail-service to do a number of manual steps. (Profiles can't be renamed *within* the OS; they must first be removed **under the old name**, and then a new profile must be installed under the new name.)
 
 Debugging
 *********

py_configuration_files/codejail.py

@@ -21,9 +21,11 @@
     'limits': {
         # CPU-seconds
         'CPU': 3,
-        # 100 MiB memory
-        'VMEM': 100 * 1024 * 1024,
         # Clock seconds
         'REALTIME': 3,
+        # 100 MiB memory
+        'VMEM': 100 * 1024 * 1024,
+        # 1 MB file write limit
+        'FSIZE': 1 * 1024 * 1024,
     },
 }