Create a virtualenv for the python sandbox.

playbooks/roles/xserver/tasks/main.yml

@@ -7,11 +7,14 @@
 - name: ensure sandbox user exists
   user: name=sandbox group=sandbox
 
+- name: create sandbox python directory
+  file: path={{ sandbox_venv_dir }} owner=ubuntu group=adm moe=2775 state=directory
+
 - name: create sandbox python
-  shell: cp /usr/bin/python2.7 /usr/bin/python-sandbox
+  command: /usr/local/bin/virtualenv {{ sandbox_venv_dir }} --distribute creates={{ sandbox_venv_dir }}/bin/activate
 
 - name: set sandbox sudoers settings
-  copy: src=01-sandbox dest=/etc/sudoers.d/01-sandbox
+  copy: src=sandbox.sudoers dest=/etc/sudoers.d/99-sandbox
 
 # Make sure this line is in the common-session file.
 - name: ensure pam-limits module is loaded
@@ -30,7 +33,7 @@
   copy: src=usr.bin.python-sandbox dest=/etc/apparmor.d/usr.bin.python-sandbox
 
 - name: enforce app-armor rules
-  shell: aa-enforce /usr/bin/python-sandbox
+  command: aa-enforce {{ sandbox_venv_dir }}
 
 - name: setup upstart script
   template: src=xserver.conf.j2 dest=/etc/init/xserver.conf owner=root group=root

playbooks/roles/xserver/vars/main.yml

@@ -5,3 +5,5 @@ xserver_source_repo: git://github.com/edx/xserver.git
 # This should probably be overridden in the playbook or groupvars
 # with the default pointing to the head of master.
 xserver_version: HEAD
+
+sandbox_venv_dir: "{{ venv_dir }}_apparmor_sandbox"