OpenEdx / configuration
Commit 4cea38ef authored 11 years ago by Feanil Patel
Setup apparmor for xserver.
parent 1c4034bd
Showing 4 changed files with 61 additions and 0 deletions
playbooks/roles/xserver/files/01-sandbox +1 -0
playbooks/roles/xserver/files/sandbox.conf +16 -0
playbooks/roles/xserver/files/usr.bin.python-sandbox +13 -0
playbooks/roles/xserver/tasks/main.yml +31 -0
playbooks/roles/xserver/files/01-sandbox
0 → 100644
makeitso ALL=(sandbox) NOPASSWD:/usr/bin/python-sandbox
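Review bot: the rule is granted to `makeitso`, an account that nothing else in this commit creates or references (the tasks only add the `sandbox` user and group), so on a host without that user the file has no effect and nothing reports it. Consider templating the username from a role variable so the sudoers entry and the service account cannot drift apart. The command spec also carries no argument restriction, so `makeitso` can hand any script or `-c` string to the interpreter as `sandbox`; if that is intended, a comment in the file should say that containment rests on the AppArmor profile and the limits being in force.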
playbooks/roles/xserver/files/sandbox.conf
0 → 100644
sandbox
hard
core
0
sandbox
hard
data
100000
sandbox
hard
fsize
10000
sandbox
hard
memlock
10000
sandbox
hard
nofile
20
sandbox
hard
rss
10000
sandbox
hard
stack
100000
sandbox
hard
cpu
0
sandbox
hard
nproc
8
sandbox
hard
as
32000
sandbox
hard
maxlogins
1
sandbox
hard
priority
19
sandbox
hard
locks
4
sandbox
hard
sigpending
100
sandbox
hard
msgqueue
100000
sandbox
hard
nice
19
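Review bot: missing documentation on all 16 entries, and `sandbox hard cpu 0` in particular needs a comment, because a reader cannot tell from the file whether zero is meant as the tightest possible CPU cap or as a disabled limit. A short header stating the units (limits.conf takes KB for `data`, `fsize`, `memlock`, `rss`, `stack` and `as`, and minutes for `cpu`) and the reasoning behind values such as `nofile 20` and `as 32000` would let the next person adjust them safely. It is also worth noting in the file that these limits apply only when the session is opened through a PAM stack that loads pam_limits.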
playbooks/roles/xserver/files/usr.bin.python-sandbox
0 → 100644
#include <tunables/global>
/usr/bin/python-sandbox {
#include <abstractions/base>
/usr/bin/python-sandbox mr,
/usr/include/python2.7/** r,
/usr/local/lib/python2.7/** r,
/usr/lib/python2.7** rix,
/tmp/** rix,
}
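Review bot: `/tmp/** rix,` gives the confined interpreter read and inherit-execute access to everything under the shared /tmp, so sandboxed code can read any other process's temporary files that file permissions allow and can execute whatever is placed there. A dedicated per-run directory with only the permissions the graders need (and no `x` unless something must be executed from it) would be tighter. Separately, `/usr/lib/python2.7** rix,` has no `/` before `**`, unlike the two rules above it, so it also matches sibling paths that merely begin with `python2.7`; if that is deliberate, to cover the directory entry itself, a comment should say so, otherwise write it as `/usr/lib/python2.7/** rix,`.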
playbooks/roles/xserver/tasks/main.yml
# Provision and bring up xserver
---
-
name
:
ensure sandbox group exists
group
:
name=sandbox
-
name
:
ensure sandbox user exists
user
:
name=sandbox group=sandbox
-
name
:
create sandbox python
shell
:
cp /usr/bin/python2.7 /usr/bin/python-sandbox
-
name
:
set sandbox sudoers settings
copy
:
src=01-sandbox dest=/etc/sudoers.d/01-sandbox
# Make sure this line is in the common-session file.
-
name
:
ensure pam-limits module is loaded
lineinfile
:
dest=/etc/pam.d/common-session
regexp="session required pam_limits.so"
line="session required pam_limits.so"
-
name
:
set sandbox limits
copy
:
src=sandbox.conf dest=/etc/security/limits.d/sandbox.conf
-
name
:
ensure apparmor package
apt
:
pkg=apparmor-utils state=present
-
name
:
load python-sandbox apparmor profile
copy
:
src=usr.bin.python-sandbox dest=/etc/apparmor.d/usr.bin.python-sandbox
-
name
:
enforce app-armor rules
shell
:
aa-enforce /usr/bin/python-sandbox
-
include
:
deploy.yml
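Review bot: the "set sandbox sudoers settings" task copies into /etc/sudoers.d without setting owner or mode and without a syntax check, so the installed permissions depend on defaults and a malformed file would go live. Suggest `copy: src=01-sandbox dest=/etc/sudoers.d/01-sandbox owner=root group=root mode=0440 validate='visudo -cf %s'`. The pam_limits task edits /etc/pam.d/common-session only; please confirm that the PAM stack sudo uses on the target image actually includes that file, since otherwise sandbox.conf is never applied to processes started through the sudoers rule. There is also no check after `aa-enforce` that the profile ended up in enforce mode, so a failed load would leave python-sandbox running unconfined without the play noticing.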