jailed tasks can not share files

* Permission changes in bubblewrap shared directories persist when the jailed tasks finish execution. Effectively, this allows playbooks executing as awx to share files with lower privileged users on the system. * To prevent this, we wrap the directory that we intend to share with bubblewrap in another directory that is owned by awx with permissions 700. The wrapped directory permissions can be changed by the jailed task while the wrapper directory can not. * Given `/tmp/bwrap_3_abcd/awx_3_1234/` `bwrap_3_abcd` is the wrapper directory and `awx_3_1234` is the wrapped directory.
ansible · Mar 10, 2021 · de4d73d · de4d73d
1 parent 3358e56
commit de4d73d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 4 deletions.
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
@@ -893,10 +893,19 @@ def build_private_data_dir(self, instance):
         '''
         Create a temporary directory for job-related files.
         '''
-        path = tempfile.mkdtemp(prefix='awx_%s_' % instance.pk, dir=settings.AWX_PROOT_BASE_PATH)
-        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
+        bwrap_path = tempfile.mkdtemp(
+            prefix=f'bwrap_{instance.pk}_',
+            dir=settings.AWX_PROOT_BASE_PATH
+        )
+        os.chmod(bwrap_path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
         if settings.AWX_CLEANUP_PATHS:
-            self.cleanup_paths.append(path)
+            self.cleanup_paths.append(bwrap_path)
+
+        path = tempfile.mkdtemp(
+            prefix='awx_%s_' % instance.pk,
+            dir=bwrap_path,
+        )
+        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
         runner_project_folder = os.path.join(path, 'project')
         if not os.path.exists(runner_project_folder):
             # Ansible Runner requires that this directory exists.
@@ -1008,6 +1017,8 @@ def build_params_process_isolation(self, instance, private_data_dir, cwd):
                     '/etc/ssh',
                     '/var/lib/awx',
                     '/var/log',
+                    '/home',
+                    '/var/tmp',
                     settings.PROJECTS_ROOT,
                     settings.JOBOUTPUT_ROOT,
                 ] + getattr(settings, 'AWX_PROOT_HIDE_PATHS', None) or [],

diff --git a/awx/main/utils/common.py b/awx/main/utils/common.py
@@ -863,7 +863,7 @@ def wrap_args_with_proot(args, cwd, **kwargs):
     new_args = [getattr(settings, 'AWX_PROOT_CMD', 'bwrap'), '--unshare-pid', '--dev-bind', '/', '/', '--proc', '/proc']
     hide_paths = [settings.AWX_PROOT_BASE_PATH]
     if not kwargs.get('isolated'):
-        hide_paths.extend(['/etc/tower', '/var/lib/awx', '/var/log', '/etc/ssh',
+        hide_paths.extend(['/etc/tower', '/var/lib/awx', '/var/log', '/etc/ssh', '/var/tmp', '/home',
                            settings.PROJECTS_ROOT, settings.JOBOUTPUT_ROOT])
     hide_paths.extend(getattr(settings, 'AWX_PROOT_HIDE_PATHS', None) or [])
     for path in sorted(set(hide_paths)):