[apparmor] [patch] split off apache permissions to abstractions/apache2-common
Christian Boltz
apparmor at cboltz.de
Thu Dec 22 00:17:57 UTC 2011
Hello,
the attached patch splits off various permissions from the httpd2-prefork
profile to abstractions/apache2-common. Additionally, it adds
read permissions for /**/.htaccess and /dev/urandom to apache2-common.
The patch is based on a profile abstraction from darix. I made some
things more strict (compared to darix' profile), and OTOH added some
things that are needed on my servers.
For reference: Darix sent me a file abstractions/apache-vhost-base (note
the different name; I merged it into apache2-common).
Original abstractions/apache-vhost-base from darix:
network,
@{PROC}/**/attr/current rw,
# htaccess files - for whatever it is worth
/**.htaccess r,
# error pages
/usr/share/apache2/** r,
BTW: Darix' profile has @{PROC}/**/attr/current rw, however my
experience is I only need @{PROC}/*/attr/current w (no r).
I never needed @{PROC}/*/task/*/attr/current.
- Does apache really need write access to both variants? (I doubt it.)
- What's the difference between both variants?
Note: My version of abstractions/apache2-common does not allow reading
/.htaccess (I changed /**.htaccess -> /**/.htaccess), which slightly
reduces permissions for ^HANDLING_UNTRUSTED_INPUT. However, I doubt
someone has a .htaccess in / ;-)
The other changes I made do not remove permissions from the profile in
bzr, because those permissions didn't exist there; they exist only in
the profile and abstractions from darix.
I'm also nominating this patch for the 2.7 branch (maybe except
disallowing /.htaccess for ^HANDLING_UNTRUSTED_INPUT, if you are afraid
it breaks some setups).
Regards,
Christian Boltz
--
>> Why? As long as [the bug] is not solved, somebody is working on it.
> or sleeping on it :-)
You mean like zmd? :)
[>> houghi, > jdd and Anders Norrbring in opensuse]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apache-abstractions-common.diff
Type: text/x-patch
Size: 2523 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20111222/7d91afc1/attachment.bin>
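The attachment was scrubbed from the archive, so the following is an added sketch of the layout the mail describes (one abstraction shared by the main httpd2-prefork profile and its ^HANDLING_UNTRUSTED_INPUT hat); it is not the attached patch and not the upstream profile. The rules are the ones the mail lists (network, the attr/current write, /**/.htaccess, /dev/urandom, the /usr/share/apache2 error pages); the binary path /usr/sbin/httpd2-prefork and the surrounding profile skeleton are assumptions made for the illustration.

```apparmor
# --- abstractions/apache2-common (illustrative sketch, not the attached patch) ---
# Permissions every apache2 vhost needs, pulled out of the main profile so
# that the profile and its hats can share them via #include.

  # listening sockets and connections to backends
  network,

  # change_hat(): apache writes the hat name into its own attr/current.
  # The mail reports that only write access is needed, and uses a single
  # "*" so only @{PROC}/<pid>/attr/current matches; "**" would also span
  # the task/<tid>/attr/current paths because it matches "/".
  @{PROC}/*/attr/current w,

  # per-directory configuration; "/**/" requires at least one directory
  # component, so a .htaccess directly in / is not covered by this rule
  /**/.htaccess r,

  # entropy for mod_ssl and friends
  /dev/urandom r,

  # shipped error pages
  /usr/share/apache2/** r,

# --- profile excerpt (binary path assumed) ---
/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  #include <abstractions/apache2-common>

  # ... the rest of the main profile stays here ...

  # hat for per-vhost handling of untrusted input: it gets the same
  # common rules, so tightening the abstraction also tightens the hat
  ^HANDLING_UNTRUSTED_INPUT {
    #include <abstractions/apache2-common>
    # per-vhost rules go here
  }
}
```

The point of the split is that a rule removed from or tightened in the abstraction (such as excluding /.htaccess) takes effect in every profile and hat that includes it, which is why the mail weighs that change against the 2.7 branch separately from the rest.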