Commit 830e9acb by Jason Bau

Rework code sandbox stuff to be more like master version

parent aef730a0
......@@ -106,14 +106,12 @@ EDXAPP_ENV_EXTRA: {}
EDXAPP_AUTH_EXTRA: {}
EDXAPP_MKTG_URL_LINK_MAP: {}
# whether to setup the python sandbox or not
# whether to setup the python codejail or not
EDXAPP_PYTHON_SANDBOX: false
EDXAPP_SANDBOX_VENV_DIR: '{{ edxapp_venvs_dir }}/edxapp-sandbox'
EDXAPP_SANDBOX_USER: 'sandbox'
EDXAPP_SANDBOX_GROUP: 'sandbox'
# this next setting, if true, turns on actual sandbox enforcement. If not true,
# it puts the sandbox in 'complain' mode, for reporting but not enforcement
EDXAPP_SANDBOX_ENFORCE: true
EDXAPP_USER: 'www-data'
COMMON_WEB_GROUP: 'www-data'
......@@ -163,6 +161,13 @@ edxapp_workers:
service_variant: lms
concurrency: 2
# setup for python codejail
edxapp_sandbox_venv_dir: '{{ edxapp_venvs_dir }}/edxapp-sandbox'
edxapp_sandbox_user: 'sandbox' # I think something about the codejail requires hardcoding this to sandbox:sandbox
# apparmor command
edxapp_aa_command: "{% if EDXAPP_SANDBOX_ENFORCE %}aa-enforce{% else %}aa-complain{% endif %}"
# Requirement files we explicitely
# check for changes before attempting
# to update the venv
......@@ -355,6 +360,14 @@ lms_auth_config:
lms_env_config:
<<: *edxapp_generic_env
'CODE_JAIL':
# from https://github.com/edx/codejail/blob/master/codejail/django_integration.py#L24, '' should be same as None
'python_bin': '{% if EDXAPP_PYTHON_SANDBOX %}{{ edxapp_sandbox_venv_dir }}/bin/python{% endif %}'
'limits':
'VMEM': 0
'REALTIME': 5
'user': '{{ edxapp_sandbox_user }}'
cms_auth_config:
<<: *edxapp_generic_auth
cms_env_config:
......@@ -371,8 +384,6 @@ lms_preview_env_config:
# install dir for the edx-platform repo
edxapp_code_dir: "{{ edxapp_app_dir }}/edx-platform"
# sandbox command
edxapp_aa_command: "{% if EDXAPP_SANDBOX_ENFORCE %}aa-enforce{% else %}aa-complain{% endif %}"
# gunicorn ports/hosts, these shouldn't need to be overridden
edxapp_cms_gunicorn_port: 8010
......@@ -429,9 +440,6 @@ sandbox_base_requirements: "{{ edxapp_code_dir }}/requirements/edx-sandbox/base
sandbox_local_requirements: "{{ edxapp_code_dir }}/requirements/edx-sandbox/local.txt"
sandbox_post_requirements: "{{ edxapp_code_dir }}/requirements/edx-sandbox/post.txt"
#do we want to install the sandbox requirements into the regular virtual env
install_sandbox_reqs_into_regular_venv: true
edxapp_debian_pkgs:
- npm
# for compiling the virtualenv
......
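Review bot: `'VMEM': 0` in the new CODE_JAIL `'limits'` mapping most likely means no memory cap at all — codejail's documented convention is that 0 disables a limit (confirm against the codejail release this deploys) — so the 5 s REALTIME value becomes the only resource bound on jailed code. At minimum the line needs a comment making that explicit, e.g. `'VMEM': 0  # 0 = no memory limit in codejail; set a byte count to cap sandboxed processes`. The hedged comment on the new `edxapp_sandbox_user` ("I think something about the codejail requires hardcoding this...") should also be resolved or dropped: the sudoers and apparmor templates in this commit reference the variable rather than a literal name, so either state which codejail requirement fixes the value to `sandbox` or remove the guess.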
......@@ -161,7 +161,9 @@
# Need to use shell rather than pip so that we can maintain the context of our current working directory; some
# requirements are pathed relative to the edx-platform repo. Using the pip from inside the virtual environment implicitly
# installs everything into that virtual environment.
shell: cd {{ edxapp_code_dir }} && {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
shell: >
{{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
chdir={{ edxapp_code_dir }}
with_items:
- "{{ repo_requirements_file }}"
- "{{ github_requirements_file }}"
......@@ -178,7 +180,9 @@
# Need to use shell rather than pip so that we can maintain the context of our current working directory; some
# requirements are pathed relative to the edx-platform repo. Using the pip from inside the virtual environment implicitly
# installs everything into that virtual environment.
shell: cd {{ edxapp_code_dir }} && {{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
shell: >
{{ edxapp_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
chdir={{ edxapp_code_dir }}
with_items:
- "{{ sandbox_base_requirements }}"
- "{{ sandbox_local_requirements }}"
......@@ -191,43 +195,51 @@
- "edxapp | restart edxapp_workers"
tags: deploy
# The next few tasks set up the python code sandbox
# need to disable this profile, otherwise the pip inside the sandbox venv has no permissions
# to install anything
- name: disable apparmor profile for code sandbox
shell: "{{ item }}"
with_items:
- "ln -s /etc/apparmor.d/code.sandbox /etc/apparmor.d/disable/"
- "apparmor_parser -R /etc/apparmor.d/code.sandbox"
- name: edxapp | code sandbox | put sandbox apparmor profile in complain mode
command: /usr/sbin/aa-complain /etc/apparmor.d/code.sandbox
when: EDXAPP_PYTHON_SANDBOX
tags:
- deploy
- edxapp-sandbox
- name: Install sandbox requirements into sandbox venv
shell: >
cd {{ edxapp_code_dir }} &&
{{ EDXAPP_SANDBOX_VENV_DIR }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors
-r {{ item }}
with_items:
- "{{ sandbox_base_requirements }}"
- "{{ sandbox_local_requirements }}"
- "{{ sandbox_post_requirements }}"
- name: edxapp | code sandbox | Install base sandbox requirements and create sandbox virtualenv
pip: >
requirements="{{sandbox_base_requirements}}"
virtualenv="{{edxapp_sandbox_venv_dir}}"
state=present
extra_args="-i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors"
sudo_user: "{{ edxapp_sandbox_user }}"
when: EDXAPP_PYTHON_SANDBOX
notify:
- "edxapp | restart edxapp"
- "edxapp | restart edxapp_workers"
tags:
- deploy
- edxapp-sandbox
- name: re-enable apparmor profile for code sandbox
shell: "{{ item }}"
- name: edxapp | code sandbox | Install sandbox requirements into sandbox venv
shell: >
{{ edxapp_sandbox_venv_dir }}/bin/pip install -i {{ edxapp_pypi_local_mirror }} --exists-action w --use-mirrors -r {{ item }}
chdir={{ edxapp_code_dir }}
with_items:
- "unlink /etc/apparmor.d/disable/code.sandbox"
- "apparmor_parser -r /etc/apparmor.d/code.sandbox"
- "{{ sandbox_local_requirements }}"
- "{{ sandbox_post_requirements }}"
sudo_user: "{{ edxapp_sandbox_user }}"
when: EDXAPP_PYTHON_SANDBOX
register: sandbox_install_output
changed_when: "'installed' in sandbox_install_output"
notify:
- "edxapp | restart edxapp"
- "edxapp | restart edxapp_workers"
tags:
- deploy
- edxapp-sandbox
- name: put code sandbox into aa-enforce or aa-complain mode, depending on EDXAPP_SANDBOX_ENFORCE
- name: edxapp | code sandbox | put code sandbox into aa-enforce or aa-complain mode, depending on EDXAPP_SANDBOX_ENFORCE
command: /usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
when: EDXAPP_PYTHON_SANDBOX
tags:
......
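Review bot: The profile is switched to complain mode before the sandbox pip installs and only returned to `{{ edxapp_aa_command }}` by the last task of the hunk, so any failure in between (a pip error, an unreachable mirror) leaves code.sandbox in complain mode on the host with nothing to restore enforcement; the 1.x-style syntax used here predates block/always, so at least document it on the complain task: `# NOTE: enforcement is restored by the last sandbox task below; if a task in between fails, re-run with --tags edxapp-sandbox`. The `changed_when: "'installed' in sandbox_install_output"` on the second install task tests membership in the registered result mapping (its keys are stdout, stderr, rc, ...), not in pip's output, so it is never true and that task never notifies the restart handlers; it should read `changed_when: "'installed' in sandbox_install_output.stdout"` (with `with_items`, whether the registered value is per-item or a `results` list depends on the Ansible version — check).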
......@@ -77,72 +77,9 @@
owner={{ edxapp_user }} group={{ common_web_user }}
mode=0644
- name: Create edxapp sandbox group
group: name={{ EDXAPP_SANDBOX_GROUP }}
# Set up the python sandbox execution environment
- include: python_sandbox_env.yml
when: EDXAPP_PYTHON_SANDBOX
tags:
- edxapp-sandbox
- name: Create edxapp sandbox user
user: name={{ EDXAPP_SANDBOX_USER }} group={{ EDXAPP_SANDBOX_GROUP }} shell=/bin/false home={{ EDXAPP_SANDBOX_VENV_DIR }}
when: EDXAPP_PYTHON_SANDBOX
tags:
- edxapp-sandbox
- name: Create edxapp sandbox virtual env directory
file: >
path="{{ EDXAPP_SANDBOX_VENV_DIR }}"
state=directory
owner=root
group=root
mode=0755
when: EDXAPP_PYTHON_SANDBOX
tags:
- edxapp-sandbox
- name: Create edxapp sandbox virtualenv
command: /usr/local/bin/virtualenv {{ EDXAPP_SANDBOX_VENV_DIR }} --distribute creates={{ EDXAPP_SANDBOX_VENV_DIR }}/bin/activate
when: EDXAPP_PYTHON_SANDBOX
tags:
- edxapp-sandbox
- name: Install apparmor system pkg
apt: pkg=apparmor-utils state=present
when: EDXAPP_PYTHON_SANDBOX
tags:
edxapp-sandbox
- name: write out apparmor code sandbox config
template: src=code.sandbox.j2 dest=/etc/apparmor.d/code.sandbox mode=0644 owner=root group=root
when: EDXAPP_PYTHON_SANDBOX
tags:
- edxapp-sandbox
- name: write out sandbox user sudoers config
template: src=95-sandbox-sudoer.j2 dest=/etc/sudoers.d/95-{{ EDXAPP_SANDBOX_USER }} mode=0440 owner=root group=root
when: EDXAPP_PYTHON_SANDBOX
tags:
- edxapp-sandbox
# we boostrap and enable the apparmor service here. in deploy.yml we disable, deploy, then re-enable
# so we need to enable it in main.yml
- name: start apparmor service
service: name=apparmor state=started
when: EDXAPP_PYTHON_SANDBOX
tags:
- edxapp-sandbox
- name: (bootstrap) load code sandbox profile
command: apparmor_parser -r /etc/apparmor.d/code.sandbox
when: EDXAPP_PYTHON_SANDBOX
tags:
- edxapp-sandbox
- name: (bootstrap) put code sandbox into aa-enforce or aa-complain mode depending on EDXAPP_SANDBOX_ENFORCE
command: /usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
when: EDXAPP_PYTHON_SANDBOX
tags:
- edxapp-sandbox
- include: deploy.yml
......
- name: edxapp | code sandbox | Create edxapp sandbox user
user: name={{ edxapp_sandbox_user }} shell=/bin/false home={{ edxapp_sandbox_venv_dir }}
notify:
- "edxapp | restart edxapp"
- "edxapp | restart edxapp_workers"
tags:
- edxapp-sandbox
- name: edxapp | code sandbox | Install apparmor utils system pkg
apt: pkg=apparmor-utils state=present
notify:
- "edxapp | restart edxapp"
- "edxapp | restart edxapp_workers"
tags:
- edxapp-sandbox
- name: edxapp | code sandbox | write out apparmor code sandbox config
template: src=code.sandbox.j2 dest=/etc/apparmor.d/code.sandbox mode=0644 owner=root group=root
notify:
- "edxapp | restart edxapp"
- "edxapp | restart edxapp_workers"
tags:
- edxapp-sandbox
- name: edxapp | code sandbox | write out sandbox user sudoers config
template: src=95-sandbox-sudoer.j2 dest=/etc/sudoers.d/95-{{ edxapp_sandbox_user }} mode=0440 owner=root group=root validate='visudo -c -f %s'
notify:
- "edxapp | restart edxapp"
- "edxapp | restart edxapp_workers"
tags:
- edxapp-sandbox
# we boostrap and enable the apparmor service here. in deploy.yml we disable, deploy, then re-enable
# so we need to enable it in main.yml
- name: edxapp | code sandbox | start apparmor service
service: name=apparmor state=started
notify:
- "edxapp | restart edxapp"
- "edxapp | restart edxapp_workers"
tags:
- edxapp-sandbox
- name: edxapp | code sandbox | (bootstrap) load code sandbox profile
command: apparmor_parser -r /etc/apparmor.d/code.sandbox
notify:
- "edxapp | restart edxapp"
- "edxapp | restart edxapp_workers"
tags:
- edxapp-sandbox
- name: edxapp | code sandbox | (bootstrap) put code sandbox into aa-enforce or aa-complain mode depending on EDXAPP_SANDBOX_ENFORCE
command: /usr/sbin/{{ edxapp_aa_command }} /etc/apparmor.d/code.sandbox
notify:
- "edxapp | restart edxapp"
- "edxapp | restart edxapp_workers"
tags:
- edxapp-sandbox
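Review bot: Creating the sandbox user with `home={{ edxapp_sandbox_venv_dir }}` makes the sandbox account the owner of the virtualenv it is confined under (the tasks removed from main.yml created that directory root-owned 0755 and ran virtualenv as the play's user); that is presumably intended so deploy.yml can pip install as `sudo_user: "{{ edxapp_sandbox_user }}"`, but it means the only thing stopping jailed code from altering its own interpreter or site-packages is the AppArmor rule granting `mr` on the venv, which holds only while the profile is enforced. State the trade-off on the user task: `# the sandbox user owns its venv so deploy.yml can pip-install as that user; the enforced apparmor profile is what keeps jailed code from writing to it`. The comment above the start-apparmor task still says deploy.yml disables and re-enables the profile, but this commit removes those tasks (deploy.yml now toggles complain/enforce), so the comment should say that instead. With `group=` dropped from the user task the sandbox user's primary group is whatever useradd defaults to on the host; if sandbox:sandbox really is required, as the defaults comment suggests, set `group=` explicitly.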
{{ EDXAPP_USER }} ALL=({{ EDXAPP_SANDBOX_USER }}) SETENV:NOPASSWD:{{ EDXAPP_SANDBOX_VENV_DIR }}/bin/python
{{ EDXAPP_USER }} ALL=(ALL) NOPASSWD:/bin/kill
{{ EDXAPP_USER }} ALL=(ALL) NOPASSWD:/usr/bin/pkill
{{ edxapp_user }} ALL=({{ edxapp_sandbox_user }}) SETENV:NOPASSWD:{{ EDXAPP_SANDBOX_VENV_DIR }}/bin/python
{{ edxapp_user }} ALL=(ALL) NOPASSWD:/bin/kill
{{ edxapp_user }} ALL=(ALL) NOPASSWD:/usr/bin/pkill
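Review bot: The new sudo rule mixes `edxapp_sandbox_user` with `EDXAPP_SANDBOX_VENV_DIR`, whereas the apparmor template and the CODE_JAIL `python_bin` in this commit switched to `edxapp_sandbox_venv_dir`; the defaults hunk appears to drop the uppercase variable (14 lines become 12), in which case this line renders with an undefined or empty path and the rule either fails the new `visudo -c` validation or grants passwordless sudo on a path that is not the interpreter codejail invokes. Use one variable everywhere: `{{ edxapp_user }} ALL=({{ edxapp_sandbox_user }}) SETENV:NOPASSWD:{{ edxapp_sandbox_venv_dir }}/bin/python`. The unchanged `ALL=(ALL) NOPASSWD:/bin/kill` and `/usr/bin/pkill` lines let the web user signal any process on the host as root; not introduced here, but a comment noting that codejail presumably needs them to terminate timed-out jails would tell the next reader why such a broad grant exists.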
#include <tunables/global>
{{ EDXAPP_SANDBOX_VENV_DIR }}/bin/python flags=(complain) {
{{ edxapp_sandbox_venv_dir }}/bin/python flags=(complain) {
#include <abstractions/base>
{{ EDXAPP_SANDBOX_VENV_DIR }}/** mr,
{{ edxapp_sandbox_venv_dir }}/** mr,
{{ edxapp_code_dir }}/common/lib/sandbox-packages/** r,
/tmp/codejail-*/ rix,
/tmp/codejail-*/** rix,
......
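Review bot: The profile header hard-codes `flags=(complain)`, so every `apparmor_parser -r` of the freshly templated file loads the sandbox unenforced and enforcement depends entirely on the aa-enforce task that follows; and because aa-enforce (as I understand it) rewrites the profile file to strip that flag, the template task will see drift on every subsequent run, re-apply complain mode, and reopen that window on each deploy. Deriving the flag from the variable the role already has removes both problems: `{{ edxapp_sandbox_venv_dir }}/bin/python {% if not EDXAPP_SANDBOX_ENFORCE %}flags=(complain) {% endif %}{`. The aa-enforce/aa-complain task then becomes a safety net rather than the only source of enforcement.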