
Commit a77c26c

committed
fixup! Rename child profile to codejail_sandbox
Just a better (more descriptive) name, and has parallels to codejail_service profile name.
1 parent f0e80ee commit a77c26c


1 file changed

+7
-7
lines changed


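--- a/codejail.profile
+++ b/codejail.profile
@@ -30,9 +30,9 @@ include <tunables/global>
 abi <abi/3.0>,
 
 # This outer profile applies to the entire container, and isn't as
-# important. If the sandbox profile doesn't work, it's not likely that
+# important. If the inner profile doesn't work, it's not likely that
 # the outer one is going to help. But there may be some small value in
-# defense-in-depth, as it's possible that a bug in the child (sandbox)
+# defense-in-depth, as it's possible that a bug in the codejail_sandbox (inner)
 # profile isn't present in the outer one.
 profile codejail_service flags=(mediate_deleted) {
 
@@ -58,17 +58,17 @@ profile codejail_service flags=(mediate_deleted) {
 # Allow sending a kill signal
 capability kill,
 
-# Allow sending a kill signal to the child subprofile when the execution
+# Allow sending a kill signal to the codejail_sandbox subprofile when the execution
 # runs beyond time limits.
-signal (send) set=(kill) peer=codejail_service//child,
+signal (send) set=(kill) peer=codejail_service//codejail_sandbox,
 
 # The core of the confinement: When the sandbox Python is executed, switch to
-# the (extremely constrained) child profile.
+# the (extremely constrained) codejail_sandbox profile.
 #
 # This path needs to be coordinated with the Dockerfile and Django settings.
 #
 # Manpage: "Cx: transition to subprofile on execute -- scrub the environment"
-/sandbox/venv/bin/python Cx -> child,
+/sandbox/venv/bin/python Cx -> codejail_sandbox,
 
 # This is the important apparmor profile -- the one that actually
 # constrains the sandbox Python process.
@@ -77,7 +77,7 @@ profile codejail_service flags=(mediate_deleted) {
 # apparmor will continue to make policy decisions in cases where a confined
 # executable has a handle to a file's inode even after the file is removed
 # from the filesystem.
-profile child flags=(mediate_deleted) {
+profile codejail_sandbox flags=(mediate_deleted) {
 
 # This inner profile also gets general access to "safe"
 # actions; we could list those explicitly out of caution but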
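Review bot: The rename changes the label that confined sandbox processes run under, from `codejail_service//child` to `codejail_service//codejail_sandbox`, and only the three references inside this file (the `peer=` of the signal rule, the `Cx ->` target and the `profile` declaration) are visibly updated. That label is also what AppArmor reports in audit and denial log entries, so any log filter, alert or test outside this file that matches the old name would need the same change; none of that is visible here. I would add a comment directly above the declaration, `# Full label: codejail_service//codejail_sandbox -- keep in sync with the peer= and Cx rules above and with anything matching on the profile name in audit logs.` The bodies of both profiles continue outside the hunks.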
