Look through old apparmor profile to find possible codejail-service problems

[timmc-edx]

The existing apparmor profile for 2U's deployment of edxapp has additional permissions that the new profile doesn't have. We should look through this to discover additional functionality test cases that might not show up during the dark launch period. (For example, matplotlib.)

Analysis

There are two apparmor profiles in the configuration repo:

• I'm pretty sure the one we actually use is https://github.com/edx/configuration/blob/master/playbooks/roles/edxapp/templates/code.sandbox.j2 (via the path main -> python_sandbox_env)
• There's also one in the codejail role but I'm pretty sure this is unused.

Working from the one in the edxapp role:

• /tmp/codejail-*/ -- same as in new profile
• Various things in /usr/lib/ -- I suspect abstractions/base actually takes care of this? But it's possible that things that use json, ctypes, heapq, io, csv, datetime, elementtree, pyexpat, and future builtins would fail.
  • Confirmed, abstractions/base should permit all of these:

      /{usr/,}lib{,32,64}/**                r,
      /{usr/,}lib{,32,64}/**.so*       mr,
    

• Various matplotlib related things:
  • A claim that matplotlib needs to be able to write inside the .config and .cache subdirectories of the sandbox venv, for temp caches. This is sort of true; we just need to give it some temp dir to use -- otherwise import matplotlib fails. ARCHBOM-2180 (matplotlib) #972 will take care of this.
  • More /usr/lib things related to matplotlib (termios, parser) -- again, abstractions/base takes care of these
  • Ability to read system fonts (harmless, but should have test case if we need to add this to the profile). We'll check on this in matplotlib testing in codejail-service #976
• /proc/*/mounts r, -- this is just weird and I'm skeptical that it's actually needed

[timmc-edx]

Turns out just trying to import matplotlib provokes a problem:

>>> import matplotlib
Traceback (most recent call last):
  File "/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py", line 522, in _get_config_or_cache_dir
    tmpdir = tempfile.mkdtemp(prefix="matplotlib-")
  File "/usr/lib/python3.8/tempfile.py", line 502, in mkdtemp
    prefix, suffix, dir, output_type = _sanitize_params(prefix, suffix, dir)
  File "/usr/lib/python3.8/tempfile.py", line 256, in _sanitize_params
    dir = gettempdir()
  File "/usr/lib/python3.8/tempfile.py", line 441, in gettempdir
    tempdir = _get_default_tempdir()
  File "/usr/lib/python3.8/tempfile.py", line 357, in _get_default_tempdir
    raise FileNotFoundError(_errno.ENOENT,
FileNotFoundError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/app']

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py", line 965, in <module>
    dict.update(rcParams, _rc_params_in_file(matplotlib_fname()))
  File "/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py", line 613, in matplotlib_fname
    for fname in gen_candidates():
  File "/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py", line 610, in gen_candidates
    yield os.path.join(get_configdir(), 'matplotlibrc')
  File "/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py", line 303, in wrapper
    ret = func(**kwargs)
  File "/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py", line 556, in get_configdir
    return _get_config_or_cache_dir(_get_xdg_config_dir)
  File "/sandbox/venv/lib/python3.8/site-packages/matplotlib/__init__.py", line 524, in _get_config_or_cache_dir
    raise OSError(
OSError: Matplotlib requires access to a writable cache directory, but the default path (/home/sandbox/.config/matplotlib) is not a writable directory, and a temporary directory could not be created; set the MPLCONFIGDIR environment variable to a writable directory

I think we'll want to set MPLCONFIGDIR to a temp dir inside the current sandbox execution. (Not a global dir.)

[timmc-edx]

Two changes are needed to make import matplotlib work:

• Raise VMEM limit to at least 300 MB, otherwise we get a segfault with no output: fix: Give codejail executions more memory (to accommodate matplotlib) devstack#120
• Set MPLCONFIGDIR, e.g. using os.environ['MPLCONFIGDIR'] = 'tmp' before the import -- but we probably want to start setting this in edxapp.

[robrap]

@timmc-edx: Is this ticket complete other than the 2 matplotlib AC? I'm wondering if it makes sense to roll this and the other ticket into a single matplotlib ticket, and then close this ticket?

• ARCHBOM-2180 (matplotlib) #972

Note that from the title of this ticket I think you completed it, right?

[timmc-edx]

Yeah, I'll move the matplotlib-related parts into ARCHBOM-2180 and close this.

[timmc-edx]

Actually, moved those to #976 -- this is basically blocked on dark launch.