• Stars
    star
    332
  • Rank 126,957 (Top 3 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 11 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Secure code execution

CodeJail

CodeJail manages execution of untrusted code in secure sandboxes. It is designed primarily for Python execution, but can be used for other languages as well.

Security is enforced with AppArmor. If your operating system doesn't support AppArmor, then CodeJail won't protect the execution.

CodeJail is designed to be configurable, and will auto-configure itself for Python execution if you install it properly. The configuration is designed to be flexible: it can run in safe mode or unsafe mode. This helps support large development groups where only some of the developers are involved enough with secure execution to configure AppArmor on their development machines.

If CodeJail is not configured for safe execution, it will execution Python using the same API, but will not guard against malicious code. This allows the same code to be used on safe-configured or non-safe-configured developer's machines.

A CodeJail sandbox consists of several pieces:

  1. Sandbox environment. For a Python setup, this would be Python and associated core packages. This is denoted throughout this document as <SANDENV>. This is read-only.
  2. Sandbox packages. These are additional packages needed for a given run. For example, this might be a grader written by an instructor to run over a student's code, or data that a student's code might need to access. This is denoted throughout this document as <SANDPACK>. This is read-only.
  3. Untrusted packages. This is typically the code submitted by the student to be tested on the server, as well as any data the code may need to modify. This is denoted throughout this document as <UNTRUSTED_PACK>. This is currently read-only, but may need to be read-write for some applications.
  4. OS packages. These are standard system libraries needed to run Python (e.g. things in /lib). This is denoted throughout this document as <OSPACK>. This is read-only, and is specified by Ubuntu's AppArmor profile.

To run, CodeJail requires two user accounts. One account is the main account under which the code runs, which has access to create sandboxes. This will be referred to as <SANDBOX_CALLER>. The second account is the account under which the sandbox runs. This is typically the account 'sandbox.'

Installation

These instructions detail how to configure your operating system so that CodeJail can execute Python code safely. You can run CodeJail without these steps, and you will have an unsafe CodeJail. This is fine for developers' machines who are unconcerned with security, and simplifies the integration of CodeJail into your project.

To secure Python execution, you'll be creating a new virtualenv. This means you'll have two: the main virtualenv for your project, and the new one for sandboxed Python code.

Choose a place for the new virtualenv, call it <SANDENV>. It will be automatically detected and used if you put it right alongside your existing virtualenv, but with -sandbox appended. So if your existing virtualenv is in /home/chris/ve/myproj, make <SANDENV> be /home/chris/ve/myproj-sandbox.

The user running the LMS is <SANDBOX_CALLER>, for example, you on your dev machine, or www-data on a server.

Other details here that depend on your configuration:

  1. Create the new virtualenv:

    $ sudo virtualenv <SANDENV>
    
  2. (Optional) If you have particular packages you want available to your sandboxed code, install them by activating the sandbox virtual env, and using pip to install them:

    $ source <SANDENV>/bin/activate
    $ pip install -r requirements/sandbox.txt
    
  3. Add a sandbox user:

    $ sudo addgroup sandbox
    $ sudo adduser --disabled-login sandbox --ingroup sandbox
    
  4. Let the web server run the sandboxed Python as sandbox. Create the file /etc/sudoers.d/01-sandbox:

    $ sudo visudo -f /etc/sudoers.d/01-sandbox
    
    <SANDBOX_CALLER> ALL=(sandbox) SETENV:NOPASSWD:<SANDENV>/bin/python
    <SANDBOX_CALLER> ALL=(sandbox) SETENV:NOPASSWD:/usr/bin/find
    <SANDBOX_CALLER> ALL=(ALL) NOPASSWD:/usr/bin/pkill
    
  5. Edit an AppArmor profile. This is a text file specifying the limits on the sandboxed Python executable. The file must be in /etc/apparmor.d and must be named based on the executable, with slashes replaced by dots. For example, if your sandboxed Python is at /home/chris/ve/myproj-sandbox/bin/python, then your AppArmor profile must be /etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python:

    $ sudo vim /etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python
    
    #include <tunables/global>
    
    <SANDENV>/bin/python {
        #include <abstractions/base>
        #include <abstractions/python>
    
        <SANDENV>/** mr,
        # If you have code that the sandbox must be able to access, add lines
        # pointing to those directories:
        /the/path/to/your/sandbox-packages/** r,
    
        /tmp/codejail-*/ rix,
        /tmp/codejail-*/** wrix,
    }
    
  6. Parse the profiles:

    $ sudo apparmor_parser <APPARMOR_FILE>
    
  7. Reactivate your project's main virtualenv again.

Using CodeJail

If your CodeJail is properly configured to use safe_exec, try these commands at your Python terminal:

import codejail.jail_code
codejail.jail_code.configure('python', '<SANDENV>/bin/python')
import codejail.safe_exec
codejail.safe_exec.safe_exec("import os\nos.system('ls /etc')", {})

This should fail with an exception.

If you need to change the packages installed into your sandbox's virtualenv, you'll need to disable AppArmor, because your sandboxed Python doesn't have the rights to modify the files in its site-packages directory.

  1. Disable AppArmor for your sandbox:

    $ sudo apt-get install apparmor-utils  # if you haven't already
    $ sudo aa-complain /etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python
    
  2. Install or otherwise change the packages installed:

    $ pip install -r requirements/sandbox.txt
    
  3. Re-enable AppArmor for your sandbox:

    $ sudo aa-enforce /etc/apparmor.d/home.chris.ve.myproj-sandbox.bin.python
    

Tests

In order to target the sandboxed Python environment(s) you have created on your system, you must set the following environment variables for testing:

$ export CODEJAIL_TEST_USER=<owner of sandbox (usually 'sandbox')>
$ export CODEJAIL_TEST_VENV=<SANDENV>

Run the tests with the Makefile:

$ make tests

If CodeJail is running unsafely, many of the tests will be automatically skipped, or will fail, depending on whether CodeJail thinks it should be in safe mode or not.

Design

CodeJail is general-purpose enough that it can be used in a variety of projects to run untrusted code. It provides two layers:

  • jail_code.py offers secure execution of subprocesses. It does this by running the program in a subprocess managed by AppArmor.
  • safe_exec.py offers specialized handling of Python execution, using jail_code to provide the semantics of Python's exec statement.

CodeJail runs programs under AppArmor. AppArmor is an OS-provided feature to limit the resources programs can access. To run Python code with limited access to resources, we make a new virtualenv, then name that Python executable in an AppArmor profile, and restrict resources in that profile. CodeJail will execute the provided Python program with that executable, and AppArmor will automatically limit the resources it can access. CodeJail also uses setrlimit to limit the amount of CPU time and/or memory available to the process.

CodeJail.jail_code takes a program to run, files to copy into its environment, command-line arguments, and a stdin stream. It creates a temporary directory, creates or copies the needed files, spawns a subprocess to run the code, and returns the output and exit status of the process.

CodeJail.safe_exec emulates Python's exec statement. It takes a chunk of Python code, and runs it using jail_code, modifying the globals dictionary as a side-effect. safe_exec does this by serializing the globals into and out of the subprocess as JSON.

More Repositories

1

edx-platform

The Open edX LMS & Studio, powering education sites around the world!
Python
6,640
star
2

configuration

A collection of edx configuration scripts and utilities that edx.org uses to deploy openedx.
Jinja
817
star
3

XBlock

Framework for building custom learning components that run in the Open edX LMS!
Python
445
star
4

devstack

Get up and running quickly to develop or extend Open edX services
Shell
394
star
5

edx-app-android

The Open edX mobile app for Android!
Java
286
star
6

edx-app-ios

The Open edX mobile app for iOS!
Swift
225
star
7

edx-documentation

Makefile
156
star
8

ecommerce

Service for managing edX's product catalog and handling orders for those products
Python
135
star
9

paragon

💎 An accessible, theme-ready design system built for learning applications and Open edX.
JavaScript
118
star
10

edx-analytics-pipeline

Python
90
star
11

edx-analytics-dashboard

Dashboard to display course analytics to course teams
Python
72
star
12

bok-choy

UI-level acceptance test framework
Python
67
star
13

xblock-sdk

Workbench and example xblocks
JavaScript
60
star
14

edx-ora2

Open Response Assessment Suite
Python
58
star
15

event-tracking

a system for tracking events
Python
55
star
16

course-discovery

Service providing access to consolidated course and program metadata
Python
53
star
17

edx-lint

Custom tooling for pylint and other repo management tools
Python
48
star
18

edx-proctoring

Python
45
star
19

frontend-app-learning

Front-end for the Open edX course experience, implemented using React and Paragon.
JavaScript
44
star
20

edx-tools

a collection of miscellaneous tools for use with the edX platform
Python
43
star
21

edx-enterprise

Python
41
star
22

cs_comments_service

server side of the comment service
Ruby
37
star
23

openedx-demo-course

A demonstration course that can be imported into an Open edX instance
JavaScript
36
star
24

open-edx-proposals

Proposals for Open edX architecture, best practices and processes
Python
35
star
25

xqueue

XQueue defines an interface for the LMS to communicate with external grader services.
Python
35
star
26

frontend-template-application

A template repository for creating Open edX frontend applications. 💿➡️📀
JavaScript
34
star
27

studio-frontend

📝 React front end for edX Studio
JavaScript
33
star
28

edx-bootstrap

Bootstrap theme for Open edX
JavaScript
33
star
29

frontend-platform

A framework for Open edX micro-frontend applications.
JavaScript
31
star
30

license-manager

Django backend for managing licenses and subscriptions
Python
30
star
31

edx-analytics-data-api

Python
29
star
32

repo-tools

Tools for repo maintenance, etc.
Python
28
star
33

django-user-tasks

A Django application for managing user-triggered asynchronous tasks.
Python
27
star
34

edx-cookiecutters

Open edx public templates for apps, libraries and services.
Python
26
star
35

i18n-tools

Tools to help with internationalization and localization of Open edX projects
Python
25
star
36

edx-django-utils

edX utilities for Django Application development.
Python
25
star
37

xblock-lti-consumer

Python
24
star
38

wg-build-test-release

Open edX Build / Test / Release Working Group
24
star
39

auth-backends

Custom authentication backends and views for edX services
Python
22
star
40

frontend-app-admin-portal

edx-portal is a frontend that provides branded learning experiences.
JavaScript
20
star
41

django-config-models

Configuration models for Django allowing config management with auditing.
Python
20
star
42

xblock-utils

Python
20
star
43

openedx-app-ios

The mobile app for iOS for the Open EdX Platform.
Swift
19
star
44

enterprise-catalog

A Django-based microservice for handling Enterprise catalogs, associating enterprise customers with curated courses from the full course catalog.
Python
18
star
45

credentials

Service hosting course and program certificates
Python
18
star
46

xblock-drag-and-drop-v2

JavaScript
17
star
47

frontend-build

Common build scripts and tooling for Open edX micro-frontends.
JavaScript
17
star
48

frontend-app-account

Open edX micro-frontend application for managing user account information.
JavaScript
17
star
49

edx-rest-api-client

Facilitates interaction with edX REST APIs
Python
17
star
50

xqueue-watcher

Python
16
star
51

edx-ui-toolkit

A JavaScript toolkit for building edX user interfaces.
JavaScript
16
star
52

frontend-app-publisher

Publisher frontend to manage course creation and marketing content curation.
JavaScript
15
star
53

cypress-e2e-tests

Cypress E2E Tests for Open edX applications
JavaScript
15
star
54

openedx-app-android

The mobile app for Android for the Open EdX Platform.
Kotlin
15
star
55

edx-notes-api

edx-notes-api
Python
13
star
56

edx-analytics-data-api-client

Python
13
star
57

edx-drf-extensions

edX extensions for Django REST Framework
Python
12
star
58

registrar

A service to facilitate learner-program enrollments.
Python
12
star
59

frontend-app-course-authoring

The micro-frontend for course authoring in Open edX. Frontend interfaces that currently live in Studio/CMS should eventually live here.
JavaScript
12
star
60

frontend-app-learner-portal-enterprise

Enterprise Learner Portal
JavaScript
12
star
61

sample-themes

HTML
12
star
62

frontend-lib-content-components

A library of high-level components for content handling (viewing, editing, etc. of HTML, video, problems, etc.), to be shared by multiple MFEs.
JavaScript
11
star
63

openedx-events

Open edX events from the Hooks Extensions Framework
Python
11
star
64

frontend-app-profile

Open edX micro-frontend application for managing user profile information.
JavaScript
11
star
65

xblock-google-drive

Python
11
star
66

platform-roadmap

Tracking the maintenance, enhancement, and advancement of the Open edX project.
11
star
67

mdrst

Markdown-to-RST Cheatsheet Maker
Python
11
star
68

edx-enterprise-data

The edX Enterprise Data repo is the home to tools and products related to providing access to Enterprise related data.
Python
11
star
69

edx-ace

edX's Automated Communication Engine
Python
11
star
70

edx-search

Python
11
star
71

frontend-app-gradebook

Instructor grade book tool
JavaScript
10
star
72

openedx-wordpress-ecommerce

You can sell your Open edX courses with WooCommerce using this free and open-source WordPress plugin.
PHP
10
star
73

openedx-k8s-harmony

A Prototype Helm Chart for deploying multiple Open edX instances (via Tutor) onto a cluster.
HCL
10
star
74

tutor-contrib-aspects

The Open Analytics Reference System - Tutor plugin
Python
10
star
75

frontend-app-payment

JavaScript
9
star
76

event-routing-backends

Consume edx tracking events and transform/transmit them to other LRSs.
Python
9
star
77

tubular

A repo for edx pipeline related scripts.
Python
9
star
78

edx-val

Python
9
star
79

edx-submissions

API for creating submissions and scores
Python
9
star
80

openedx-webhooks

Webhooks for the Open edX GitHub and JIRA
Python
9
star
81

edx-organizations

Python
8
star
82

completion

A library for tracking completion of blocks by learners in edX courses.
Python
8
star
83

edx-rbac

Library to help managing role based access controls for django apps
Python
8
star
84

web-fragments

Provides the ability to render fragments of web pages
Python
8
star
85

edx-analytics-configuration

Python
7
star
86

opaque-keys

Python
7
star
87

frontend-component-header

JavaScript
7
star
88

xblock-image-explorer

Python
7
star
89

frontend-app-ecommerce

Open edX micro-frontend application for managing e-commerce information.
JavaScript
7
star
90

frontend-app-authn

Open edX micro-frontend application for new login and registration experience.
JavaScript
7
star
91

cc2olx

A library to convert Common Cartridge Courses to OLX.
Python
7
star
92

openedx-filters

Open edX filters from the Hooks Extensions Framework
Python
7
star
93

edx-repo-health

Python
6
star
94

frontend-enterprise

Frontend utilities for enterprise features.
JavaScript
6
star
95

ecommerce-worker

Python
6
star
96

api-doc-tools

Tools for writing and generating API documentation for edX REST APIs
Python
6
star
97

frontend-app-discussions

A React-based micro frontend for the Open edX discussion forums.
JavaScript
6
star
98

frontend-component-footer

Site footer component for edX frontend apps.
JavaScript
6
star
99

frontend-app-learner-portal-programs

The learner portal allows a customized experience of learner-facing micro-frontend page components.
JavaScript
6
star
100

edx-app-test

Automated testing for edX Android and iOS mobile applications.
Python
6
star