bind ansible and awx virtualenvs readonly so that jobs can't modify them

see: https://github.com/ansible/ansible-tower/issues/7558
2026-04-23 16:31:50 -05:00 · 2017-09-06 14:12:47 -07:00
parent a2ca0e6012
commit a9c9ecb5ea
2 changed files with 14 additions and 1 deletions
--- a/awx/main/utils/common.py
+++ b/awx/main/utils/common.py
@@ -699,7 +699,11 @@ def wrap_args_with_proot(args, cwd, **kwargs):
        show_paths = [cwd, kwargs['private_data_dir']]
    else:
        show_paths = [cwd]
-    show_paths.extend([settings.ANSIBLE_VENV_PATH, settings.AWX_VENV_PATH])
+    for venv in (
+        settings.ANSIBLE_VENV_PATH,
+        settings.AWX_VENV_PATH
+    ):
+        new_args.extend(['--ro-bind', venv, venv])
    show_paths.extend(getattr(settings, 'AWX_PROOT_SHOW_PATHS', None) or [])
    show_paths.extend(kwargs.get('proot_show_paths', []))
    for path in sorted(set(show_paths)):