Install CodeJail Sandbox

Before running the commands shown on this page, you should load the Bitnami stack environment by executing the installdir/use_APPNAME script (Linux and MacOS) or by clicking the shortcut in the Start Menu under “Start -> Bitnami APPNAME Stack -> Application console” (Windows). On OS X VMs, the installation directory is /opt/bitnami and OS X VM users can click the “Open Terminal” button to run commands. Learn more about the Bitnami stack environment and about OS X VMs.

CodeJail manages the execution of untrusted code in secure sandboxes. It is designed primarily for Python execution, but can be used for other languages as well.

A CodeJail sandbox consists of several pieces:

  • Sandbox environment: Language setup (e.g. Python) and associated core packages.
  • Sandbox packages: Additional packages needed for a given run.
  • Untrusted packages: Code and data submitted by students to be tested on the server.
  • OS packages: System libraries needed to run the language (e.g. Python).

Visit the CodeJail official documentation to learn more about CodeJail.

Since the Eucalyptus version, a CodeJail sandbox is already included in the Open edX Stack. You can find it in installdir/apps/edx/venvs/edxapp-sandbox. Despite it being already included, there are some extra steps that must be done to enforce its security and make it usable by the LMS.

Enforce edX Sandbox security

The edX security is enforced with AppArmor. To install and configure it, follow the steps below.

  • Install AppArmor:

    • Debian/Ubuntu: You can install AppArmor on a Debian-based OS by executing:

      $ sudo apt-get install apparmor
    • Fedora/RHEL/CentOS: You can install AppArmor on a Centos/Fedora/Red-Hat based distribution follow the steps described in the AppArmor official wiki documentation.

    • Other Linux distributions: Look for available AppArmor distributions for your operating system. If your operating system doesn’t provide any, you will need to install it from source.

  • Create a user for the sandbox:

    $ sudo addgroup sandbox
    $ sudo adduser --disabled-login sandbox --ingroup sandbox
  • Add permissions for the Apache daemon user to execute commands as sandbox user:

    $ sudo visudo -f /etc/sudoers.d/01-sandbox
  • A text editor will open, add the following content:

    daemon ALL=(sandbox) SETENV:NOPASSWD:installdir/apps/edx/venvs/edxapp-sandbox/bin/python
    daemon ALL=(sandbox) SETENV:NOPASSWD:/usr/bin/find
    daemon ALL=(ALL) NOPASSWD:/usr/bin/pkill
  • Create a file for AppArmor at /etc/apparmor.d/opt.bitnami.apps.edx.venvs.edxapp-sandbox.bin.python and populate it with this content:

    #include <tunables/global>
    installdir/apps/edx/venvs/edxapp-sandbox/bin/.python2.7 {
        #include <abstractions/base>
        #include <abstractions/python>
        # If you have code that the sandbox must be able to access, add lines
        # pointing to those directories:
        installdir/apps/edx/venvs/edxapp-sandbox/** mr,
        installdir/apps/edx/edx-platform/common/lib/** mr,
        installdir/python/lib/** mr,
        installdir/common/lib/** mr,
        /tmp/codejail-*/ rix,
        /tmp/codejail-*/** wrix,
  • Load the previous AppArmor configuration file with apparmor_parser and restart the Apache server:

    $ sudo apparmor_parser /etc/apparmor.d/opt.bitnami.apps.edx.venvs.edxapp-sandbox.bin.python
    $ sudo installdir/ restart apache
Last modification September 28, 2020