bind ansible and awx virtualenvs readonly so that jobs can't modify them

see: https://github.com/ansible/ansible-tower/issues/7558

awx/main/tests/unit/test_tasks.py

@@ -281,6 +281,15 @@ class TestGenericRun(TestJobExecution):
         args, cwd, env, stdout = call_args
         assert args[0] == 'bwrap'
 
+    def test_bwrap_virtualenvs_are_readonly(self):
+        self.task.run(self.pk)
+
+        assert self.run_pexpect.call_count == 1
+        call_args, _ = self.run_pexpect.call_args_list[0]
+        args, cwd, env, stdout = call_args
+        assert '--ro-bind %s %s' % (settings.ANSIBLE_VENV_PATH, settings.ANSIBLE_VENV_PATH) in ' '.join(args)  # noqa
+        assert '--ro-bind %s %s' % (settings.AWX_VENV_PATH, settings.AWX_VENV_PATH) in ' '.join(args)  # noqa
+
     def test_awx_task_env(self):
         patch = mock.patch('awx.main.tasks.settings.AWX_TASK_ENV', {'FOO': 'BAR'})
         patch.start()

awx/main/utils/common.py

@@ -699,7 +699,11 @@ def wrap_args_with_proot(args, cwd, **kwargs):
         show_paths = [cwd, kwargs['private_data_dir']]
     else:
         show_paths = [cwd]
-    show_paths.extend([settings.ANSIBLE_VENV_PATH, settings.AWX_VENV_PATH])
+    for venv in (
+        settings.ANSIBLE_VENV_PATH,
+        settings.AWX_VENV_PATH
+    ):
+        new_args.extend(['--ro-bind', venv, venv])
     show_paths.extend(getattr(settings, 'AWX_PROOT_SHOW_PATHS', None) or [])
     show_paths.extend(kwargs.get('proot_show_paths', []))
     for path in sorted(set(show_paths)):