diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index e6cc61b7dd76..c88e9a4fff2b 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -893,10 +893,19 @@ def build_private_data_dir(self, instance):
 '''
 Create a temporary directory for job-related files.
 '''
- path = tempfile.mkdtemp(prefix='awx_%s_' % instance.pk, dir=settings.AWX_PROOT_BASE_PATH)
- os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
+ bwrap_path = tempfile.mkdtemp(
+ prefix=f'bwrap_{instance.pk}_',
+ dir=settings.AWX_PROOT_BASE_PATH
+ )
+ os.chmod(bwrap_path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
 if settings.AWX_CLEANUP_PATHS:
- self.cleanup_paths.append(path)
+ self.cleanup_paths.append(bwrap_path)
+
+ path = tempfile.mkdtemp(
+ prefix='awx_%s_' % instance.pk,
+ dir=bwrap_path,
+ )
+ os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
 runner_project_folder = os.path.join(path, 'project')
 if not os.path.exists(runner_project_folder):
 # Ansible Runner requires that this directory exists.
@@ -1008,6 +1017,8 @@ def build_params_process_isolation(self, instance, private_data_dir, cwd):
 '/etc/ssh',
 '/var/lib/awx',
 '/var/log',
+ '/home',
+ '/var/tmp',
 settings.PROJECTS_ROOT,
 settings.JOBOUTPUT_ROOT,
 ] + getattr(settings, 'AWX_PROOT_HIDE_PATHS', None) or [],
diff --git a/awx/main/utils/common.py b/awx/main/utils/common.py
index 283a028f3f8e..8b3065e11304 100644
--- a/awx/main/utils/common.py
+++ b/awx/main/utils/common.py
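Review bot: The docstring kept as context (`Create a temporary directory for job-related files.`) no longer describes the function, which now creates an outer `bwrap_<pk>_` directory under AWX_PROOT_BASE_PATH and the job's `awx_<pk>_` directory nested inside it, registering only the outer one in cleanup_paths. Suggest replacing it with `Create the job's private data directory nested inside a dedicated bwrap_<pk>_ wrapper directory; only the wrapper is registered for cleanup, since removing it also removes the nested directory.` plus a one-line comment above the first mkdtemp saying why the wrapper exists (presumably so the sandbox can bind only this job's wrapper while the rest of AWX_PROOT_BASE_PATH stays hidden — confirm against the bwrap argument builder). The two prefixes also mix formatting styles (`f'bwrap_{instance.pk}_'` vs `'awx_%s_' % instance.pk`); `prefix=f'awx_{instance.pk}_'` keeps them consistent. build_private_data_dir continues past the hunk, so where `path` is returned is not visible here.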
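Review bot: The `'/home'` and `'/var/tmp'` entries are now maintained in two hand-copied hide lists, here in build_params_process_isolation and in wrap_args_with_proot in awx/main/utils/common.py (the last hunk); the two lists already differ in order and will drift in content, which for a sandbox hide list means one code path silently exposing what the other hides. Suggest lifting the fixed entries into one shared module-level constant (a tuple such as `PROOT_HIDE_PATHS`) that both sites extend with settings.PROJECTS_ROOT, settings.JOBOUTPUT_ROOT and AWX_PROOT_HIDE_PATHS. Separately, the context line `] + getattr(settings, 'AWX_PROOT_HIDE_PATHS', None) or []` parses as `(list + getattr(...)) or []`, so the `or []` fallback never applies and a None setting would raise TypeError; harmless if the setting always defaults to a list, but `] + (getattr(settings, 'AWX_PROOT_HIDE_PATHS', None) or []),` matches what common.py does. The enclosing list literal starts before the hunk.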
@@ -863,7 +863,7 @@ def wrap_args_with_proot(args, cwd, **kwargs):
 new_args = [getattr(settings, 'AWX_PROOT_CMD', 'bwrap'), '--unshare-pid', '--dev-bind', '/', '/', '--proc', '/proc']
 hide_paths = [settings.AWX_PROOT_BASE_PATH]
 if not kwargs.get('isolated'):
- hide_paths.extend(['/etc/tower', '/var/lib/awx', '/var/log', '/etc/ssh',
+ hide_paths.extend(['/etc/tower', '/var/lib/awx', '/var/log', '/etc/ssh', '/var/tmp', '/home',
 settings.PROJECTS_ROOT, settings.JOBOUTPUT_ROOT])
 hide_paths.extend(getattr(settings, 'AWX_PROOT_HIDE_PATHS', None) or [])
 for path in sorted(set(hide_paths)):