Open
Description
codejail-service currently runs a set of security checks at startup that determine, for the runtime of the application, 1) how the healthcheck endpoint will respond, and 2) whether the code-exec endpoint will accept requests.
Because AppArmor profiles can be changed on the host without restarting the service, we should check more frequently. Any confinement failure should cause the service to enter a failure state until restarted. (A failing check followed by a passing one should still be considered a sign of an insecure service.)
Acceptance criteria:
- Checks run once per minute, possibly triggered by healthcheck call
- Additional coverage in checks, based on selected items from `api_tests/`
  - feat: Expand safety checks and make them more robust #28 adds a network check, which should sufficiently complete our coverage
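
An added sketch of the behaviour requested above, not codejail-service's own code: checks re-run at most once per interval when a handler asks, and any failure latches until the process restarts. `ConfinementLatch`, `is_safe` and `demo` are hypothetical names, and the check callables stand in for the service's real safety checks.

```python
import threading
import time


class ConfinementLatch:
    """Re-runs safety checks at most once per interval; any failure is permanent."""

    def __init__(self, checks, interval=60.0, clock=time.monotonic):
        self._checks = checks      # callables returning True when confinement holds
        self._interval = interval  # seconds between re-checks (once per minute)
        self._clock = clock        # injectable so the demo can control time
        self._lock = threading.Lock()
        self._last_run = None
        self._failed = False

    def is_safe(self):
        """Intended to be called by both the healthcheck and code-exec handlers."""
        with self._lock:
            if self._failed:
                return False  # latched: a later passing check must not clear this
            now = self._clock()
            if self._last_run is None or now - self._last_run >= self._interval:
                self._last_run = now
                for check in self._checks:
                    try:
                        ok = check()
                    except Exception:
                        ok = False  # a check that cannot run counts as a failure
                    if not ok:
                        self._failed = True
                        return False
            return True


def demo():
    """Constructed scenario: confinement lost at t=30, restored before t=121."""
    now = [0.0]
    confined = [True]
    latch = ConfinementLatch([lambda: confined[0]], clock=lambda: now[0])
    results = [latch.is_safe()]      # t=0: first check passes
    confined[0] = False
    now[0] = 30.0
    results.append(latch.is_safe())  # t=30: inside the interval, stale pass
    now[0] = 61.0
    results.append(latch.is_safe())  # t=61: re-check fails, latch trips
    confined[0] = True
    now[0] = 121.0
    results.append(latch.is_safe())  # t=121: check would pass, still failed
    return results
```

The second result in `demo()` shows the cost of the once-per-minute cadence: a profile change can go unnoticed for up to one interval before the latch trips.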