SEC-198: Automatically resolve symlinks to executables for apparmor template

When apparmor is pointed at a symlink, it doesn't guard execution of the
target of that symlink. But when apparmor is pointed to an executable
that has symlinks, execution of those symlinks IS guarded. Therefore, we
dereference symlinks to executables before putting them in the apparmor
template.

playbooks/roles/xqwatcher/tasks/code_jail.yml

@@ -12,16 +12,39 @@
     - install
     - install:base
 
+# Do this first so symlinks can be resolved in the next step
+- name: Create jail virtualenv
+  shell: "/usr/local/bin/virtualenv --python={{ item.PYTHON_EXECUTABLE }} --no-site-packages {{ xqwatcher_app_dir }}/venvs/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
+  with_items: "{{ XQWATCHER_COURSES }}"
+  tags:
+    - install
+    - install:code
+
 #
 # Need to disable apparmor to update the virutalenv
+
+# When Apparmor is pointed at a symlink and an application uses the symlink
+# target, Apparmor does not guard that execution.
+# But when Apparmor is pointed at a real executable and an application uses a
+# symlink to that executable, Apparmor DOES guard that execution.
+- name: Resolve potential symlinks
+  shell: readlink -vf {{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.bin_path }}
+  with_items: "{{ XQWATCHER_COURSES }}"
+  register: xqwatcher_python_real_executables
+  tags:
+    - install
+    - install:configuration
+
 - name: Write out apparmor config
   template:
     src: "etc/apparmor.d/code.jail.j2"
-    dest: "/etc/apparmor.d/code.jail.{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
+    dest: "/etc/apparmor.d/code.jail.{{ item.0.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
     owner: root
     group: root
     mode: "0644"
-  with_items: "{{ XQWATCHER_COURSES }}"
+  with_together:
+    - "{{ XQWATCHER_COURSES }}"
+    - "{{ xqwatcher_python_real_executables.results }}"
   tags:
     - install
     - install:configuration
@@ -47,13 +70,6 @@
     - manage
     - manage:sandbox
 
-- name: Create jail virtualenv
-  shell: "/usr/local/bin/virtualenv --python={{ item.PYTHON_EXECUTABLE }} --no-site-packages {{ xqwatcher_app_dir }}/venvs/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}"
-  with_items: "{{ XQWATCHER_COURSES }}"
-  tags:
-    - install
-    - install:code
-
 - name: Write out requirements.txt
   template:
     src: "edx/app/xqwatcher/data/requirements.txt.j2"

playbooks/roles/xqwatcher/tasks/main.yml

@@ -61,7 +61,7 @@
 #         - HANDLER: "xqueue_watcher.jailedgrader.JailedGrader"
 #           CODEJAIL:
 #             name: "exampleX-101x"
-#             bin_path: "{{ xqwatcher_venv_base }}/exampleX-101x/bin/python2"
+#             bin_path: "{{ xqwatcher_venv_base }}/exampleX-101x/bin/python"
 #             user: "exampleX-101x"
 #             lang: python2
 #           KWARGS:
@@ -80,7 +80,7 @@
 #         - HANDLER: "xqueue_watcher.jailedgrader.JailedGrader"
 #           CODEJAIL:
 #             name: "exampleX-202x"
-#             bin_path: "{{ xqwatcher_venv_base }}/exampleX-202x/bin/python3"
+#             bin_path: "{{ xqwatcher_venv_base }}/exampleX-202x/bin/python"
 #             user: "exampleX-202x"
 #             lang: python3
 #           KWARGS:

playbooks/roles/xqwatcher/templates/etc/apparmor.d/code.jail.j2

 #include <tunables/global>
 
-{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.bin_path }} {
+{{ item.1.stdout }} {
     #include <abstractions/base>
 
-    {{ xqwatcher_app_dir }}/venvs/{{ item.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}/** mr,
+    {{ xqwatcher_app_dir }}/venvs/{{ item.0.QUEUE_CONFIG.HANDLERS[0].CODEJAIL.name }}/** mr,
     #todo need a way of providing.
     # edxapp_code_dir /common/lib/sandbox-packages/** r,
     /tmp/codejail-*/ rix,