Merge pull request #1082 from edx/dcs/aaenforce

Added pyexpat to whitelisted shared objects, and flipped apparmor mode to enforce.

Merge pull request #1082 from edx/dcs/aaenforce
Added pyexpat to whitelisted shared objects, and flipped apparmor mode to enforce.
9a0d0547 · Dave St.Germain · 5d42cd97 · 60b8c4ec · 9a0d0547
Commit 9a0d0547 authored May 12, 2014 by Dave St.Germain
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletions

playbooks/roles/edxapp/templates/code.sandbox.j2
+5 -1

No files found.
--- a/playbooks/roles/edxapp/templates/code.sandbox.j2
+++ b/playbooks/roles/edxapp/templates/code.sandbox.j2
 #include <tunables/global>

-{{ edxapp_sandbox_venv_dir }}/bin/python flags=(complain) {
+{{ edxapp_sandbox_venv_dir }}/bin/python {
    #include <abstractions/base>

    {{ edxapp_sandbox_venv_dir }}/** mr,
@@ -19,10 +19,14 @@
    /usr/lib/python2.7/lib-dynload/_csv.so mr,
    /usr/lib/python2.7/lib-dynload/datetime.so mr,
    /usr/lib/python2.7/lib-dynload/_elementtree.so mr,
+    /usr/lib/python2.7/lib-dynload/pyexpat.so mr,

    #
    # Allow access to selections from /proc
    #
    /proc/*/mounts r,
+    
+    /tmp/codejail-*/ rix,
+    /tmp/codejail-*/** wrix,

 }