CodeJail Support

[fdns]

Is your feature request related to a problem? Please describe.
I was looking into implementing CodeJail (https://github.com/edx/codejail), as it can be an attack vector for tutor instances (and openedx in general), as it´s in charge of running untrusted code from studio and LMS (Ex: Custom Python-Evaluated Input).

Currently CodeJail is not supported in tutor, and is executed on the openedx context, which have a lot more permissions.

I will be out out this month and can´t continue working on this feature, so I will leave what I have done to support it, if anyone can continue (I will be able to continue on march).

Current Work
To implement codejail in the docker environment, first I installed manually the codejail code in docker as a build step, adding the sandbox user to the environment.

RUN useradd -ms /bin/bash sandbox && \
    git clone https://github.com/edx/codejail /openedx/sandbox && \
    virtualenv /openedx/sandbox/env && \
    /openedx/sandbox/env/bin/pip install -r /openedx/sandbox/requirements/sandbox.txt && \
    chown -R sandbox:sandbox /openedx/sandbox && \
    apt-get update && apt-get install sudo

After this, you must add in the cms.env and lms.env config files the codejail items with the correct paths.

  "CODE_JAIL": {
    "python_bin": "/openedx/sandbox/env/bin/python2",
    "user": "sandbox",
    "limits": {
      "CPU": 1,
      "VMEM": 268435456,
      "REALTIME": 3,
      "FSIZE": 1048576
    }
  },

After this, you must add the apparmor profile to jail the code executed by the sandbox (In the host system). I used the original apparmor profile included in the repository, and combined it with the docker-default environment, so we can execute the docker instance with the default security applied. This is done by creating /etc/apparmor.d/containers/docker-edx-sandbox with the following content, and activating it by running sudo apparmor_parser -r -W /etc/apparmor.d/containers/docker-edx-sandbox

#include <tunables/global>

profile docker-edx-sandbox flags=(attach_disconnected,mediate_deleted) {
    #include <abstractions/base>

    network,
    capability,
    file,
    umount,
    signal (receive) peer=unconfined,
    signal (receive) peer=snap.docker.dockerd,
    signal (send,receive) peer=docker-edx-sandbox,

    deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
    # deny write to files not in /proc/<number>/** or /proc/sys/**
    deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
    deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
    deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
    deny @{PROC}/sysrq-trigger rwklx,
    deny @{PROC}/kcore rwklx,

    deny mount,

    deny /sys/[^f]*/** wklx,
    deny /sys/f[^s]*/** wklx,
    deny /sys/fs/[^c]*/** wklx,
    deny /sys/fs/c[^g]*/** wklx,
    deny /sys/fs/cg[^r]*/** wklx,
    deny /sys/firmware/** rwklx,
    deny /sys/kernel/security/** rwklx,

    ptrace (trace,read,tracedby,readby) peer=docker-edx-sandbox,

    /openedx/sandbox/env/bin/python2 Cx -> child,
    profile child flags=(attach_disconnected,mediate_deleted){
        #include <abstractions/base>
        #include <abstractions/python>

        /openedx/sandbox/env/** mr,
        /tmp/codejail-*/ rix,
        /tmp/codejail-*/** wrix,
        allow /dev/pts/0 rw,
    }
}

Finally, you must setup the security_opt of the docker instances by adding in the docker-compose the following line (in lms, cms, lms_worker, cms_worker)

  cms:
    ...
    security_opt:
      - apparmor:docker-edx-sandbox

After restarting the instances, you will have a sandboxed instance, you can test it by running the following command (Which must output nothing)

# Normal
docker-compose exec cms /bin/sh -c "python -c \"import os; os.system('ls /etc')\""
# Sandbox
docker-compose exec cms /bin/sh -c "/openedx/sandbox/env/bin/python2 -c \"import os; os.system('ls /etc')\""

Current Problems
All tests were done only on the cms context, as I wanted to support one context, but it should apply to the others directly.

1. CodeJail did´t detect the configuration, and I had to run the configuration code (https://github.com/edx/codejail/blob/master/codejail/django_integration.py) manually in the settings file, appending this to the end.

import codejail.jail_code
python_bin = CODE_JAIL.get('python_bin')
if python_bin:
    user = CODE_JAIL['user']
    codejail.jail_code.configure("python", python_bin, user=user)

limits = CODE_JAIL.get('limits', {})
for name, value in limits.items():
    codejail.jail_code.set_limit(name, value)

2. When running an xblock example, I get the following error (the lines might be different as I was testing for changes)

cms_1            | 2020-01-31 18:00:37 [10] [DEBUG] GET /xblock/container/block-v1:eol+CC050+2019_02+type@vertical+block@36d78f9070f64369aa9d8e1dfad9058e
cms_1            | 2020-01-31 18:00:42 [10] [DEBUG] POST /event
cms_1            | 2020-01-31 18:00:42 [10] [DEBUG] POST /preview/xblock/block-v1:eol+CC050+2019_02+type@problem+block@88f87468890c43cfbbaf03104e7be87c/handler/xmodule_handler/problem_check
cms_1            | 2020-01-31 18:00:42,772 INFO 10 [codejail] subproc.py:46 - Executed jailed code 88f87468890c43cfbbaf03104e7be87c in /tmp/codejail-3KyIQv, with PID 225
cms_1            | 2020-01-31 18:00:42,795 ERROR 10 [capa.capa_problem] capa_problem.py:886 - Error while execing script code:
cms_1            |
cms_1            | def test_add_to_ten(expect, ans):
cms_1            |     return test_add(10, ans)
cms_1            |
cms_1            |
cms_1            |
cms_1            | def test_add(expect, ans):
cms_1            |     try:
cms_1            |         a1=int(ans[0])
cms_1            |         a2=int(ans[1])
cms_1            |         return (a1+a2) == int(expect)
cms_1            |     except ValueError:
cms_1            |         return False
cms_1            |
cms_1            | Traceback (most recent call last):
cms_1            |   File "/openedx/edx-platform/common/lib/capa/capa/capa_problem.py", line 883, in _extract_context
cms_1            |     unsafely=self.capa_system.can_execute_unsafe_code(),
cms_1            |   File "/openedx/edx-platform/common/lib/capa/capa/safe_exec/safe_exec.py", line 157, in safe_exec
cms_1            |     raise e
cms_1            | SafeExecException: Couldn't execute jailed code: stdout: '', stderr: 'sudo: unable to execute /openedx/sandbox/env/bin/python2: Resource temporarily unavailable\n' with status code: -1
cms_1            | 2020-01-31 18:00:42,795 WARNING 10 [edx.courseware] capa_base.py:266 - cannot create LoncapaProblem block-v1:eol+CC050+2019_02+type@problem+block@88f87468890c43cfbbaf03104e7be87c: Error while executing script code: Couldn't execute jailed code: stdout: '', stderr: 'sudo: unable to execute /openedx/sandbox/env/bin/python2: Resource temporarily unavailable\n' with status code: -1

Solving these two problems should be enough to have something ready to integrate into tutor, and will be a lot more secure as a production setup. I will answer any question I can (If they don´t shutdown my computer at work with everything working)

Best,
Felipe.

[regisb]

Hi @fdns! Thanks for the detailed report, I really appreciate the documentation effort.

I need a quick refresher: what is CodeJail used for? Unless I'm mistaken, CodeJail is only used for interactive python exercises, right? What is the corresponding xblock, and is it installed in a default Open edX installation?

To be completely transparent: I think that Codejail is terrible and if possible I would really like not to have to include it in Tutor. But if it's the only option to run interative python exercises, then we'll work on the integration.

[fdns]

CodeJail is used for "Custom Python-Evaluated Input" (https://edx.readthedocs.io/projects/edx-partner-course-staff/en/latest/exercises_tools/custom_python.html#create-a-custom-python-evaluated-input-problem-in-studio, https://github.com/edx/edx-platform/blob/61e1eda20df2825a409db3e2d36c69d7c36d3e2d/common/lib/xmodule/xmodule/capa_module.py#L40 if i'm not wrong), that is included by default in OpenedX. and it works by default in tutor.

The only problem is that it has the same access as the account running the lms, so it can see everything (access keys, database, etc. Try following the cms logs and doing something like "import os;os.system("cat /etc/shadow")").

I'm inclined to disable the block until we can set the sandbox, or just to leave it disabled until we do something better. It's not something we need right now, but I think it should be taken care of (fixed or disabled temporarily, I also don't like that much the way its setup).

[regisb]

Again @fdns, thanks a bunch for the detailed background information. Indeed, the xblock can be created on a vanilla tutor-deployed platform by hitting the "Problem -> Advanced -> Custom Python-Evaluated Input" buttons.

I think the best way to address this is to run the python code inside a container. Thus we would have a "container in a container". To avoid installing docker inside the docker container, I believe we could run the container with podman. Ideally, this feature would be added to Tutor under the form of a plugin. Meanwhile, I agree with you that the custom-evaluated problems should be deactivated (and I still need to figure out how).

[regisb]

OK this issue has become a burning priority, now that Tutor is slated to replace the native installation (EDIT: see below) a candidate for the replacement of the native installation in Maple. 🔥 💥 🤯

Codejail is a critical feature for multiple Open edX providers and large Open edX installations, so we'll have to work on this, if possible before Lilac is released (June 9th).

Here is the technical solution that I have in mind:

• Add a jailed-python binary to the openedx Docker image. When called, this binary makes a REST API call to the /api/v1/exec/python endpoint of the jailed Docker service. It will pass along all files stored in the temporary folder that contains the script to run.
• The jailed Docker service is a simple Flask app that runs inside a Docker container. It will run something similar to:

result = subprocess.run(
        [
            "docker",
            "run",
            "--rm",
            "--pull=never",
            "python:3.7-alpine",
            "python",
            "-c",
            src,
        ],
        timeout=3,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )

Then, return result.stdout and result.stderr as part of the API response.

• The jailed service includes a Docker client that will point to a remote Docker host, thanks to the following environment variable: DOCKER_HOST=tcp://jailed-dockerhost:2375.
• The jailed-dockerhost service is a privileged container that runs the docker:dind image.
• The jailed-python binary collects the API response and prints to stdout and stderr.
• We configure edx-platform to use the jailed-python binary:

import codejail.jail_code
codejail.jail_code.configure("python", "/path/to/jailed-python", user=None)

I did not prioritize this issue before because, well, no one asked me to do it. I'll be perfectly honest: I can push back other work to focus on this, but it's going to require some funding. I'm in talk with other people who are interested in doing the work themselves, but I'm not sure if they will pull through.

[nedbat]

@regisb a question and a comment:

1. Can you say why you think codejail is "terrible"? Figuring out how to replace it in Tutor will be easier if we had more detail about your concerns.
2. Tutor is not yet slated to "replace the native installation." Native and Tutor will both be supported installations for Lilac, unless I misunderstood your point?

[fdns]

A quick update about this.

Last week I got codejail working on our staging and sandbox environment (This week I will activate it on prod). The apparmor profile its a mix between the default docker apparmor profile and the ansible role that edx installs.

This was applied in a k8s environment that uses containerd (In a different installation, you might want to change the "cri-containerd.apparmor.d").

On the Dockerfile, we just needed to add the user and install the sandbox env (We use --copies to have the binaries for apparmor). This will only run when edx is executed as root (You can probably add the sudoer file and it will work with a user directly). We are also not limiting the resources yet, as it requires to add extra capabilities to the containers.

You can probably add it without the apparmor profile first if you want, but it will not provide the extra security (Like blocking network access).

Dockerfile modifications:

# Setup sandbox
ENV SANDBOX_ENV=/openedx/venv/sandbox
RUN groupadd -r sandbox && useradd -m -r -g sandbox sandbox \
    && mkdir -p $SANDBOX_ENV && chown sandbox:sandbox $SANDBOX_ENV

RUN python3 -m venv --copies $SANDBOX_ENV \
    && $SANDBOX_ENV/bin/pip install --no-cache-dir pip==20.0.2 \
    && $SANDBOX_ENV/bin/pip install --no-cache-dir wheel==0.36.2 \
    # Install numpy before scipy
    && $SANDBOX_ENV/bin/pip install --no-cache-dir $(grep -o "^numpy==\w\+.\w\+.\w\+" requirements/edx-sandbox/py35.txt) \
    && $SANDBOX_ENV/bin/pip install --no-cache-dir -r requirements/edx-sandbox/py35.txt

AppArmor profile:

#include <tunables/global>

profile docker-edx-sandbox flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,
  umount,
  signal (receive) peer=unconfined,
  signal (receive) peer=cri-containerd.apparmor.d,
  signal (send,receive) peer=docker-edx-sandbox,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,

  deny mount,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,

  ptrace (trace,read) peer=docker-edx-sandbox,

  /openedx/venv/sandbox/bin/python Cx -> child,
  profile child flags=(attach_disconnected,mediate_deleted){
    #include <abstractions/base>
    #include <abstractions/python>

    # Whitelist particiclar shared objects from the system
    # python installation
    #
    /openedx/venv/sandbox/** mr,
    /tmp/codejail-*/ rix,
    /tmp/codejail-*/** wrix,

    #
    # Whitelist particular shared objects from the system
    # python installation
    #
    /usr/lib/python3.8/lib-dynload/_json.so mr,
    /usr/lib/python3.8/lib-dynload/_ctypes.so mr,
    /usr/lib/python3.8/lib-dynload/_heapq.so mr,
    /usr/lib/python3.8/lib-dynload/_io.so mr,
    /usr/lib/python3.8/lib-dynload/_csv.so mr,
    /usr/lib/python3.8/lib-dynload/datetime.so mr,
    /usr/lib/python3.8/lib-dynload/_elementtree.so mr,
    /usr/lib/python3.8/lib-dynload/pyexpat.so mr,
    /usr/lib/python3.8/lib-dynload/future_builtins.so mr,
    /usr/lib/python3.8/lib-dynload/_json.cpython-38-x86_64-linux-gnu.so mr,
    /usr/lib/python3.8/lib-dynload/_hashlib.cpython-38-x86_64-linux-gnu.so mr,

    /openedx/venv/sandbox/.config/ wrix,
    /openedx/venv/sandbox/.cache/ wrix,
    /openedx/venv/sandbox/.config/** wrix,
    /openedx/venv/sandbox/.cache/** wrix,

    # Matplot lib needs fonts to make graphs
    /usr/share/fonts/ r,
    /usr/share/fonts/** r,
    /usr/local/share/fonts/ r,
    /usr/local/share/fonts/** r,

    #
    # Allow access to selections from /proc
    #
    /proc/*/mounts r,
  }
}

[regisb]

Can you say why you think codejail is "terrible"? Figuring out how to replace it in Tutor will be easier if we had more detail about your concerns.

Well, "terrible" is a strong word. Let's just say that it's very difficult to work with, for the following reasons: Codejail assumes that Python code is run using a local binary. I consider that this is a flawed design, because it makes us run jailed code on the same server as the LMS. This is a security contradiction, and also makes it more difficult to separate computing resources. Also, if we want to run the Python executor as a different user, then we need to run and install sudo, which is not usually available inside Docker containers. To avoid all these issues, we need to wrap the python binary in a wrapper that will make a call to a remote service. But that thin wrapper cannot crash or log anything because Codejail interacts with the Python binary by parsing stdout, stderr and the return code.

Now, to be honest, I initially (incorrectly) believed the situation to be even worse, because I assumed that AppArmor was running as a daemon. My understanding was incorrect, and actually there is also a tighter integration than I thought between Docker and AppArmor. Thus, I'd like to investigate the possibility of running jailed code in a separate container constrained by AppArmor.

EDIT: Running AppArmor requires loading an AppArmor profile on the host, which I would rather avoid. I would now like to investigate the possibility of running a Seccomp-limited container with an unprivileged user.

Tutor is not yet slated to "replace the native installation." Native and Tutor will both be supported installations for Lilac, unless I misunderstood your point?

The correct wording would be: "Tutor will replace the native installation in Maple unless major issues are discovered". I'll edit my comment above.

[regisb]

@fdns and others: let's assume that we built a "jail" Docker image that includes an unprivileged user and all the necessary python requirements. Would it be enough to run this Docker image without networking access, or would we need to put in place additional restrictions?

I'm think something along the lines of:

docker run --rm -it --network=none jail python -c "..."

[regisb]

This issue will be resolved in the Maple release thanks to the tutor-contrib-codejail plugin developed and maintained by eduNEXT. Thanks a lot for your great work!