Choose a place for the virtualenv, call it <SANDENV>. It will be automatically
detected and used if you put it right alongside your existing virtualenv, but
with -sandbox appended. So if your existing virtualenv is in ~/mitx_all/python,
make <SANDENV> be ~/mitx_all/python-sandbox (but you'll need to spell out your
home directory instead of ~).
Other details here that depend on your configuration:
- Your mitx working tree is <MITX>, for example, ~/mitx_all/mitx
- The user running the LMS is <USER>, for example, you on a dev machine,
or www-data on a server.
Create a virtualenv:
$ sudo virtualenv <SANDENV>
Install the sandbox requirements
$ source <SANDENV>/bin/activate
$ sudo pip install -r sandbox-requirements.txt
Add a sandbox user:
$ sudo addgroup sandbox
$ sudo adduser --disabled-login sandbox --ingroup sandbox
Let the web server run the sandboxed Python as sandbox. Create the file
/etc/sudoers.d/01-sandbox:
$ visudo -f /etc/sudoers.d/01-sandbox
<USER> ALL=(sandbox) NOPASSWD:<SANDENV>/bin/python
<USER> ALL=(ALL) NOPASSWD:/bin/kill
Edit an AppArmor profile. The file must be named for the python executable,
but with slashes changed to dots:
#include <tunables/global>
<SANDENV>/bin/python {
#include <abstractions/base>
<SANDENV>/** mr,
<MITX>/common/lib/sandbox-packages/** r,
/usr/local/lib/python2.7/** r,
/usr/lib/python2.7/** rix,
/tmp/** rix,
}
Parse the profiles
$ sudo apparmor_parser <APPARMOR_FILE>
Reactivate your real virtualenv again
