Merge pull request #3404 from edx/e0d/fix-apparmor

Using bin_path in the apparmor template

Merge pull request #3404 from edx/e0d/fix-apparmor
Using bin_path in the apparmor template
694e444a · Max Rothman · GitHub · e6749580 · 94776073 · 694e444a
Commit 694e444a authored Oct 05, 2016 by Max Rothman Committed by GitHub Oct 05, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 12 deletions

playbooks/roles/xqwatcher/tasks/code_jail.yml
+25 -9

playbooks/roles/xqwatcher/tasks/main.yml
+3 -1

playbooks/roles/xqwatcher/templates/etc/apparmor.d/code.jail.j2
+2 -2

No files found.
--- a/playbooks/roles/xqwatcher/tasks/code_jail.yml
+++ b/playbooks/roles/xqwatcher/tasks/code_jail.yml
@@ -12,16 +12,39 @@
    - install
    - install:base

+# Do this first so symlinks can be resolved in the next step
+- name: Create jail virtualenv
+  shell: "/usr/local/bin/virtualenv --python={{ item.PYTHON_EXECUTABLE }} --no-site-packages {{ xqwatcher_app_dir }}/venvs/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
+  with_items: "{{ XQWATCHER_COURSES }}"
+  tags:
+    - install
+    - install:code
+
 #
 # Need to disable apparmor to update the virutalenv
+
+# When Apparmor is pointed at a symlink and an application uses the symlink
+# target, Apparmor does not guard that execution.
+# But when Apparmor is pointed at a real executable and an application uses a
+# symlink to that executable, Apparmor DOES guard that execution.
+- name: Resolve potential symlinks
+  shell: readlink -vf {{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.bin_path }}
+  with_items: "{{ XQWATCHER_COURSES }}"
+  register: xqwatcher_python_real_executables
+  tags:
+    - install
+    - install:configuration
+
 - name: Write out apparmor config
  template:
    src: "etc/apparmor.d/code.jail.j2"
-    dest: "/etc/apparmor.d/code.jail.{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
+    dest: "/etc/apparmor.d/code.jail.{{ item.0.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
    owner: root
    group: root
    mode: "0644"
-  with_items: "{{ XQWATCHER_COURSES }}"
+  with_together:
+    - "{{ XQWATCHER_COURSES }}"
+    - "{{ xqwatcher_python_real_executables.results }}"
  tags:
    - install
    - install:configuration
@@ -47,13 +70,6 @@
    - manage
    - manage:sandbox

- name: Create jail virtualenv
-  shell: "/usr/local/bin/virtualenv --python={{ item.PYTHON_EXECUTABLE }} --no-site-packages {{ xqwatcher_app_dir }}/venvs/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
-  with_items: "{{ XQWATCHER_COURSES }}"
-  tags:
-    - install
-    - install:code
-
 - name: Write out requirements.txt
  template:
    src: "edx/app/xqwatcher/data/requirements.txt.j2"

--- a/playbooks/roles/xqwatcher/tasks/main.yml
+++ b/playbooks/roles/xqwatcher/tasks/main.yml
@@ -44,6 +44,8 @@
 # meta data and details related to the repository including the
 # grader code.
 #
+# NOTA BENE: Apparmor does not follow symlinks
+#
 # XQWATCHER_COURSES:
 #   - COURSE: "exampleX-101x"
 #     GIT_REPO: "git@github.com:foo/graders-exampleX-101x.git"
@@ -80,7 +82,7 @@
 #             name: "exampleX-202x"
 #             bin_path: "{{ xqwatcher_venv_base }}/exampleX-202x/bin/python"
 #             user: "exampleX-202x"
-#             lang: python2
+#             lang: python3
 #           KWARGS:
 #             grader_root: "../data/exampleX-202x/graders/"


--- a/playbooks/roles/xqwatcher/templates/etc/apparmor.d/code.jail.j2
+++ b/playbooks/roles/xqwatcher/templates/etc/apparmor.d/code.jail.j2
 #include <tunables/global>

-{{ xqwatcher_app_dir }}/venvs/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}/bin/python {
+{{ item.1.stdout }} {
    #include <abstractions/base>

-    {{ xqwatcher_app_dir }}/venvs/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}/** mr,
+    {{ xqwatcher_app_dir }}/venvs/{{ item.0.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}/** mr,
    #todo need a way of providing.
    # edxapp_code_dir /common/lib/sandbox-packages/** r,
    /tmp/codejail-*/ rix,