bind ansible and awx virtualenvs readonly so that jobs can't modify them

see: https://github.com/ansible/ansible-tower/issues/7558
2026-05-01 04:11:56 -05:00 · 2017-09-06 14:12:47 -07:00
parent a2ca0e6012
commit a9c9ecb5ea
2 changed files with 14 additions and 1 deletions
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@@ -281,6 +281,15 @@ class TestGenericRun(TestJobExecution):
        args, cwd, env, stdout = call_args
        assert args[0] == 'bwrap'

+    def test_bwrap_virtualenvs_are_readonly(self):
+        self.task.run(self.pk)
+
+        assert self.run_pexpect.call_count == 1
+        call_args, _ = self.run_pexpect.call_args_list[0]
+        args, cwd, env, stdout = call_args
+        assert '--ro-bind %s %s' % (settings.ANSIBLE_VENV_PATH, settings.ANSIBLE_VENV_PATH) in ' '.join(args)  # noqa
+        assert '--ro-bind %s %s' % (settings.AWX_VENV_PATH, settings.AWX_VENV_PATH) in ' '.join(args)  # noqa
+
    def test_awx_task_env(self):
        patch = mock.patch('awx.main.tasks.settings.AWX_TASK_ENV', {'FOO': 'BAR'})
        patch.start()