From 51321b30f07994627c5441175ec4c02f2717fb77 Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Fri, 4 Nov 2016 22:49:34 -0400
Subject: [PATCH] Unshare PID namespace when using bubblewrap.

This prevents some potential nastiness with playbooks running as the awx user.
---
 awx/main/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/awx/main/utils.py b/awx/main/utils.py
index 4597975a36..58123972b7 100644
--- a/awx/main/utils.py
+++ b/awx/main/utils.py
@@ -557,7 +557,7 @@ def wrap_args_with_proot(args, cwd, **kwargs):
 - /tmp (except for own tmp files)
 '''
 from django.conf import settings
- new_args = [getattr(settings, 'AWX_PROOT_CMD', 'bwrap'), '--dev-bind', '/', '/']
+ new_args = [getattr(settings, 'AWX_PROOT_CMD', 'bwrap'), '--unshare-pid', '--dev-bind', '/', '/']
 hide_paths = ['/etc/tower', '/var/lib/awx', '/var/log', tempfile.gettempdir(), settings.PROJECTS_ROOT, settings.JOBOUTPUT_ROOT]