initial commit for installing edxapp codejail

playbooks/roles/edxapp/defaults/main.yml

@@ -116,6 +116,13 @@ EDXAPP_GRADE_ROOT_PATH: '/tmp/edx-s3/grades'
 # Configure rake tasks in edx-platform to skip Python/Ruby/Node installation
 EDXAPP_NO_PREREQ_INSTALL: 1
 
+# whether to setup the python codejail or not
+EDXAPP_PYTHON_SANDBOX: false
+# this next setting, if true, turns on actual sandbox enforcement.  If not true,
+# it puts the sandbox in 'complain' mode, for reporting but not enforcement
+EDXAPP_SANDBOX_ENFORCE: true
+
+
 #-------- Everything below this line is internal to the role ------------
 
 #Use YAML references (& and *) and hash merge <<: to factor out shared settings
@@ -163,6 +170,14 @@ edxapp_workers:
     service_variant: lms
     concurrency: 2
 
+# setup for python codejail
+edxapp_sandbox_venv_dir:  '{{ edxapp_venvs_dir }}/edxapp-sandbox'
+edxapp_sandbox_user: 'sandbox'  # I think something about the codejail requires hardcoding this to sandbox:sandbox
+edxapp_sandbox_group: 'sandbox'
+
+# apparmor command
+edxapp_aa_command: "{% if EDXAPP_SANDBOX_ENFORCE %}aa-enforce{% else %}aa-complain{% endif %}"
+
 # Requirement files we explicitely
 # check for changes before attempting
 # to update the venv

playbooks/roles/edxapp/tasks/deploy.yml

@@ -8,6 +8,9 @@
     mode=0644
   tags: deploy
 
+# Set up the python sandbox execution environment
+- include: python_sandbox_env.yml
+
 # Do A Checkout
 - name: edxapp | checkout edx-platform repo into {{edxapp_code_dir}}
   git: dest={{edxapp_code_dir}} repo={{edx_platform_repo}} version={{edx_platform_version}}
@@ -186,7 +189,7 @@
   - "{{ sandbox_base_requirements }}"
   - "{{ sandbox_local_requirements }}"
   - "{{ sandbox_post_requirements }}"
-  when: install_sandbox_reqs_into_regular_venv
+  when: not EDXAPP_PYTHON_SANDBOX
   sudo_user: "{{ edxapp_user }}"
   when: not inst.stat.exists or new.stat.md5 != inst.stat.md5
   notify:
@@ -194,6 +197,63 @@
   - "edxapp | restart edxapp_workers"
   tags: deploy
 
+# The next few tasks set up the python code sandbox
+
+# need to disable this profile, otherwise the pip inside the sandbox venv has no permissions
+# to install anything
+- name: edxapp | code sandbox | disable apparmor profile for code sandbox
+  shell: "{{ item }}"
+  with_items:
+    - "ln -s /etc/apparmor.d/code.sandbox /etc/apparmor.d/disable/"
+    - "apparmor_parser -R /etc/apparmor.d/code.sandbox"
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - deploy
+  - edxapp-sandbox
+
+- name: edxapp | code sandbox | Install sandbox requirements into sandbox venv
+  shell: >
+    cd {{ edxapp_code_dir }} &&
+    {{ edxapp_sandbox_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors
+    -r {{ item }}
+  with_items:
+  - "{{ sandbox_base_requirements }}"
+  - "{{ sandbox_local_requirements }}"
+  - "{{ sandbox_post_requirements }}"
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - deploy
+  - edxapp-sandbox
+
+- name: edxapp | code sandbox | re-enable apparmor profile for code sandbox
+  shell: "{{ item }}"
+  with_items:
+    - "unlink /etc/apparmor.d/disable/code.sandbox"
+    - "apparmor_parser -r /etc/apparmor.d/code.sandbox"
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - deploy
+  - edxapp-sandbox
+
+- name: edxapp | code sandbox | put code sandbox into aa-enforce or aa-complain mode, depending on EDXAPP_SANDBOX_ENFORCE
+  command: /usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - deploy
+  - edxapp-sandbox
+
 - name: edxapp | compiling all py files in the edx-platform repo
   shell: "{{ edxapp_venv_bin }}/python -m compileall {{ edxapp_code_dir }}"
   sudo_user: "{{ edxapp_user }}"

playbooks/roles/edxapp/tasks/python_sandbox_env.yml

+- name: edxapp | code sandbox | Create edxapp sandbox group
+  group: name={{ edxapp_sandbox_group }}
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+  - deploy
+
+- name: edxapp | code sandbox | Create edxapp sandbox user
+  user: name={{ edxapp_sandbox_user }} group={{ edxapp_sandbox_group }} shell=/bin/false home={{ edxapp_sandbox_venv_dir }}
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+  - deploy
+
+- name: edxapp | code sandbox | Create edxapp sandbox virtual env directory
+  file: >
+    path="{{ edxapp_sandbox_venv_dir }}"
+    state=directory
+    owner=root
+    group=root
+    mode=0755
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+  - deploy
+
+- name: edxapp | code sandbox | Install apparmor system pkg
+  apt: pkg=apparmor-utils state=present
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+  - deploy
+
+- name: edxapp | code sandbox | write out apparmor code sandbox config
+  template: src=code.sandbox.j2 dest=/etc/apparmor.d/code.sandbox mode=0644 owner=root group=root
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+  - deploy
+
+- name: edxapp | code sandbox | write out sandbox user sudoers config
+  template: src=95-sandbox-sudoer.j2 dest=/etc/sudoers.d/95-{{ edxapp_sandbox_user }} mode=0440 owner=root group=root
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+  - deploy
+
+# we boostrap and enable the apparmor service here.  in deploy.yml we disable, deploy, then re-enable
+# so we need to enable it in main.yml
+- name: edxapp | code sandbox | start apparmor service
+  service: name=apparmor state=started
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+  - deploy
+
+- name: edxapp | code sandbox | (bootstrap) load code sandbox profile
+  command: apparmor_parser -r /etc/apparmor.d/code.sandbox
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+  - deploy
+
+- name: edxapp | code sandbox | (bootstrap) put code sandbox into aa-enforce or aa-complain mode depending on EDXAPP_SANDBOX_ENFORCE
+  command: /usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
+  when: EDXAPP_PYTHON_SANDBOX
+  notify:
+  - "edxapp | restart edxapp"
+  - "edxapp | restart edxapp_workers"
+  tags:
+  - edxapp-sandbox
+  - deploy

playbooks/roles/edxapp/templates/95-sandbox-sudoer.j2

+{{ edxapp_user }} ALL=({{ edxapp_sandbox_user }})  SETENV:NOPASSWD:{{ edxapp_sandbox_venv_dir }}/bin/python
+{{ edxapp_user }} ALL=(ALL) NOPASSWD:/bin/kill
+{{ edxapp_user }} ALL=(ALL) NOPASSWD:/usr/bin/pkill

playbooks/roles/edxapp/templates/code.sandbox.j2

+#include <tunables/global>
+
+{{ edxapp_sandbox_venv_dir }}/bin/python flags=(complain) {
+    #include <abstractions/base>
+
+    {{ edxapp_sandbox_venv_dir }}/** mr,
+    {{ edxapp_code_dir }}/common/lib/sandbox-packages/** r,
+    /tmp/codejail-*/ rix,
+    /tmp/codejail-*/** rix,
+
+    #
+    # Whitelist particiclar shared objects from the system
+    # python installation
+    #
+    /usr/lib/python2.7/lib-dynload/_json.so mr,
+    /usr/lib/python2.7/lib-dynload/_ctypes.so mr,
+    /usr/lib/python2.7/lib-dynload/_heapq.so mr,
+    /usr/lib/python2.7/lib-dynload/_io.so mr,
+    /usr/lib/python2.7/lib-dynload/_csv.so mr,
+    /usr/lib/python2.7/lib-dynload/datetime.so mr,
+    /usr/lib/python2.7/lib-dynload/_elementtree.so mr,
+
+    #
+    # Allow access to selections from /proc
+    #
+    /proc/*/mounts r,
+
+}