From a9c9ecb5ea76de51d4fe8519e54b1e834963e6fd Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Wed, 6 Sep 2017 14:12:47 -0700
Subject: [PATCH] bind ansible and awx virtualenvs readonly so that jobs can't modify them

see: https://github.com/ansible/ansible-tower/issues/7558
---
 awx/main/tests/unit/test_tasks.py | 9 +++++++++
 awx/main/utils/common.py | 6 +++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py
index d262e4b1ac..6038440357 100644
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@@ -281,6 +281,15 @@ class TestGenericRun(TestJobExecution):
 args, cwd, env, stdout = call_args
 assert args[0] == 'bwrap'
 
+ def test_bwrap_virtualenvs_are_readonly(self):
+ self.task.run(self.pk)
+
+ assert self.run_pexpect.call_count == 1
+ call_args, _ = self.run_pexpect.call_args_list[0]
+ args, cwd, env, stdout = call_args
+ assert '--ro-bind %s %s' % (settings.ANSIBLE_VENV_PATH, settings.ANSIBLE_VENV_PATH) in ' '.join(args) # noqa
+ assert '--ro-bind %s %s' % (settings.AWX_VENV_PATH, settings.AWX_VENV_PATH) in ' '.join(args) # noqa
+
 def test_awx_task_env(self):
 patch = mock.patch('awx.main.tasks.settings.AWX_TASK_ENV', {'FOO': 'BAR'})
 patch.start()
diff --git a/awx/main/utils/common.py b/awx/main/utils/common.py
index 11869e846b..c8c382472a 100644
--- a/awx/main/utils/common.py
+++ b/awx/main/utils/common.py
@@ -699,7 +699,11 @@ def wrap_args_with_proot(args, cwd, **kwargs):
 show_paths = [cwd, kwargs['private_data_dir']]
 else:
 show_paths = [cwd]
- show_paths.extend([settings.ANSIBLE_VENV_PATH, settings.AWX_VENV_PATH])
+ for venv in (
+ settings.ANSIBLE_VENV_PATH,
+ settings.AWX_VENV_PATH
+ ):
+ new_args.extend(['--ro-bind', venv, venv])
 show_paths.extend(getattr(settings, 'AWX_PROOT_SHOW_PATHS', None) or [])
 show_paths.extend(kwargs.get('proot_show_paths', []))
 for path in sorted(set(show_paths)):
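Review bot: The new test only proves that a `--ro-bind` entry for each venv is present in the argv; it would still pass if a later read-write bind of the same path followed and re-mounted the venv writable, which is exactly the regression this test should guard against. Add a negative check after each positive one, e.g. `assert '--bind %s %s' % (settings.AWX_VENV_PATH, settings.AWX_VENV_PATH) not in ' '.join(args)` and the same for `ANSIBLE_VENV_PATH`. Hoisting `joined = ' '.join(args)` once above the asserts would also drop the repeated joins and the two `# noqa` markers. The `cwd, env, stdout` names unpacked from `call_args` are unused here, presumably copied from the sibling test above. The enclosing class `TestGenericRun` continues outside the hunk.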
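Review bot: The read-only guarantee introduced by the `--ro-bind` loop depends on mount order: bwrap applies binds in argv order, so any later read-write bind of the venv itself, or of a parent directory of it, mounts over the ro-bind and silently undoes this fix. `show_paths` is still extended below with `AWX_PROOT_SHOW_PATHS` and `proot_show_paths`, both operator-supplied, and the `for path in sorted(set(show_paths))` loop that follows presumably emits those binds after the venv entries (its body is outside the hunk, so this is inferred). At minimum document the invariant next to the loop, e.g. `# --ro-bind must not be followed by a --bind of the same path or an ancestor, or the venv becomes writable again`, and consider skipping or rejecting `show_paths` entries that equal or contain a venv path so a misconfiguration fails loudly rather than weakening the sandbox. `wrap_args_with_proot` starts and ends outside the hunk.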