Secure codejail code-exec

[timmc-edx]

The codejail-service IDA currently runs all code directly, without sandboxing. We need to ensure it runs code securely in all circumstances.

Acceptance criteria

• Testing procedure is complete enough to validate security of a deployment's sandboxing: Create codejail functionality and security test script #896 (parallel work)
• Devstack deployment runs code-exec securely (or, if manual steps are required, rejects code-exec until those steps are taken)
• CODEJAIL_ENABLED is still disabled by default, and is not yet enabled in edge and prod
• If IDA is misconfigured, refuse to answer code-exec calls, and return a 500 on the healthcheck endpoint
• Go through apparmor profile carefully and make sure we understand every line, stripping it down to just the most essential and restrictive profile that still works.

Implementation

• Add configuration and startup checks in IDA
  • feat: Configure codejail and run safety check at startup openedx/codejail-service#10
• Update Dockerfile with sandbox location, sandbox user account, Python 3.8, etc. See https://github.com/openedx/codejail for necessary components.
  • feat: Set up sandbox environment inside codejail image public-dockerfiles#103
• Add security-opt docker config to devstack, with manual steps documented for installing the AppArmor profile (see https://docs.docker.com/engine/security/apparmor/)
  • Add appropriate AppArmor profile in repository
    • An outer profile that applies to the container, and an inner profile that confines the sandbox user and binary
    • Start from the existing https://github.com/eduNEXT/tutor-contrib-codejail/blob/main/tutorcodejail/templates/codejail/apps/profiles/docker-edx-sandbox but also compare to 2U's apparmor profile
  • feat: AppArmor confinement for codejail-service devstack#109