Merge pull request #4681 from edx/derf/xserver_sandbox_apparmor

xserver sandbox apparmor

Merge pull request #4681 from edx/derf/xserver_sandbox_apparmor
xserver sandbox apparmor
5fa7a6cb · Fred Smith · GitHub · 3fed8dd3 · daa711d3 · 5fa7a6cb
Unverified Commit 5fa7a6cb authored Jul 11, 2018 by Fred Smith Committed by GitHub Jul 11, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 5 deletions

playbooks/roles/xserver/tasks/main.yml
+2 -2

playbooks/roles/xserver/templates/xserver-sandbox.j2
+5 -3

No files found.
--- a/playbooks/roles/xserver/tasks/main.yml
+++ b/playbooks/roles/xserver/tasks/main.yml
@@ -57,8 +57,8 @@

 - name: Load python-sandbox apparmor profile
  template:
-    src: "usr.bin.python-sandbox.j2"
-    dest: "/etc/apparmor.d/edx_apparmor_sandbox"
+    src: "xserver-sandbox.j2"
+    dest: "/etc/apparmor.d/xserver-sandbox"

 - include: deploy.yml
  tags:

--- a/playbooks/roles/xserver/templates/usr.bin.python-sandbox.j2
+++ b/playbooks/roles/xserver/templates/usr.bin.python-sandbox.j2
 #include <tunables/global>

-/usr/bin/python-sandbox {
+{{ xserver_venv_sandbox_dir }}/bin/python {
  #include <abstractions/base>
-
-  /usr/bin/python-sandbox mr,
+ {{ xserver_venv_sandbox_dir }}/bin/python  mr,
+ {{ xserver_venv_sandbox_dir }}/** r,
+ {{ xserver_code_dir }}/sandbox/** r,
+  /tmp/grader-* wrix,
  /usr/include/python2.7/** r,
  /usr/local/lib/python2.7/** r,
  /usr/lib/python2.7** rix,