[apparmor] [patch] split off apache permissions to abstractions/apache2-common

Christian Boltz apparmor at cboltz.de
Thu Dec 22 00:17:57 UTC 2011 

Hello,

the attached patch splits off various permissions from the httpd2-
prefork profile to abstractions/apache2-common. Additionally, it adds 
read permissions for /**/.htaccess and /dev/urandom to apache2-common.

The patch is based on a profile abstraction from darix. I made some 
things more strict (compared to darix' profile), and OTOH added some 
things that are needed on my servers.

For reference: Darix sent me a file abstractons/apache-vhost-base (note 
the different name, I merged into apache2-common).
Original abstractions/apache-vhost-base from darix:

  network,

  @{PROC}/**/attr/current rw,

  # htaccess files - for what ever it is worth
  /**.htaccess            r,

  # error pages
  /usr/share/apache2/**   r,


BTW: Darix' profile has @{PROC}/**/attr/current rw, however my 
experience is I only need @{PROC}/*/attr/current w (no r). 
I never needed   @{PROC}/*/task/*/attr/current.
- Does apache really need write access to both variants? (I doubt.)
- What's the difference between both variants?

Note: My version of abstractions/apache2-common does not allow to read 
/.htaccess (I changed /**.htaccess -> /**/.htaccess) which slightly 
reduces permissions for ^HANDLING_UNTRUSTED_INPUT. However I doubt 
someone has a .htaccess in / ;-)

The other changes I did do not remove permissions from the profile in 
bzr because those permissions didn't exist there - they exist only in 
the profile and abstractions from darix.

I'm also nominating this patch for the 2.7 branch (maybe except 
disallowing /.htaccess for ^HANDLING_UNTRUSTED_INPUT  if you are afraid 
it breaks some setups)


Regards,

Christian Boltz
-- 
>> Why? As long as [the bug] is not solved, somebody is working on it.
> or sleeping on it :-)
You mean like zmd? :)
[>> houghi, > jdd and Anders Norrbring in opensuse]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apache-abstractions-common.diff
Type: text/x-patch
Size: 2523 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20111222/7d91afc1/attachment.bin>

More information about the AppArmor mailing list