Secure codejail code-exec #927

timmc-edx · 2025-02-03T18:48:16Z

The codejail-service IDA currently runs all code directly, without sandboxing.

Acceptance criteria

Testing procedure is complete: Create codejail functionality and security test script #896 (parallel work)
Devstack deployment runs code-exec securely (or, if manual steps are required, rejects code-exec until those steps are taken)
CODEJAIL_ENABLED is still disabled by default, and is not yet enabled in edge and prod
Stage deployment runs code-exec securely (and other environments, if set up)
- Will require setting CODEJAIL_ENABLED to True temporarily for testing
- Do not enable in stage until testing procedure is complete, passing in devstack, and ready to be tested in stage
If IDA is misconfigured, refuse to answer code-exec calls, and return a 500 on the healthcheck endpoint

Update Dockerfile with sandbox location, sandbox user account, Python 3.8, etc. See https://github.com/openedx/codejail for necessary components.
Add appropriate AppArmor profile in repository
- An outer profile that applies to the container, and an inner profile that confines the sandbox user and binary
- Start from the existing https://github.com/eduNEXT/tutor-contrib-codejail/blob/main/tutorcodejail/templates/codejail/apps/profiles/docker-edx-sandbox but also compare to 2U's apparmor profile
Add security-opt docker config to devstack, with manual steps documented for installing the AppArmor profile (see https://docs.docker.com/engine/security/apparmor/)
Add startup checks to IDA

The text was updated successfully, but these errors were encountered:

timmc-edx added this to Arch-BOM Feb 3, 2025

timmc-edx converted this from a draft issue Feb 3, 2025

timmc-edx removed the status in Arch-BOM Feb 3, 2025

timmc-edx mentioned this issue Feb 3, 2025

Create codejail functionality and security test script #896

Open

5 tasks

timmc-edx moved this to In Progress in Arch-BOM Feb 3, 2025

robrap assigned timmc-edx Feb 3, 2025