[apparmor] [patch] split off apache permissions to abstractions/apache2-common

John Johansen john.johansen at canonical.com
Thu Dec 29 00:18:07 UTC 2011


On 12/21/2011 04:17 PM, Christian Boltz wrote:
> Hello,
>
> the attached patch splits off various permissions from the httpd2-
> prefork profile to abstractions/apache2-common. Additionally, it adds
> read permissions for /**/.htaccess and /dev/urandom to apache2-common.
>
> The patch is based on a profile abstraction from darix. I made some
> things more strict (compared to darix' profile), and OTOH added some
> things that are needed on my servers.
>
> For reference: Darix sent me a file abstractions/apache-vhost-base (note
> the different name, I merged into apache2-common).
> Original abstractions/apache-vhost-base from darix:
>
>    network,
>
>    @{PROC}/**/attr/current rw,
>
>    # htaccess files - for what ever it is worth
>    /**.htaccess            r,
>
>    # error pages
>    /usr/share/apache2/**   r,
>
>
> BTW: Darix' profile has @{PROC}/**/attr/current rw, however my
> experience is I only need @{PROC}/*/attr/current w (no r).
Correct.  The w permission is needed for change_hat.  r is needed
to introspect what the current profile/hat is.  I don't think mod_apparmor
does this currently so only w should be required.

> I never needed   @{PROC}/*/task/*/attr/current.
> - Does apache really need write access to both variants? (I doubt.)
Not that I know of; libapparmor only uses the /proc/<pid>/attr/ path.

> - What's the difference between both variants?
>
The /proc/<pid>/task/ directory is a set of hardlinks to the tasks that
have been started by this parent process, vs. the flat view of pids in
/proc/<pid>

> Note: My version of abstractions/apache2-common does not allow reading
> /.htaccess (I changed /**.htaccess -> /**/.htaccess) which slightly
> reduces permissions for ^HANDLING_UNTRUSTED_INPUT. However I doubt
> someone has a .htaccess in / ;-)
>
Ugh, tbh I don't even like /**/.htaccess. Can we perhaps add a tunable for
this, even if the base value used is just /**/?

Basically I really don't like letting .htaccess reside just about anywhere,
and maybe a tunable would make this more palatable

> The other changes I did do not remove permissions from the profile in
> bzr because those permissions didn't exist there - they exist only in
> the profile and abstractions from darix.
>
> I'm also nominating this patch for the 2.7 branch (maybe except
> disallowing /.htaccess for ^HANDLING_UNTRUSTED_INPUT  if you are afraid
> it breaks some setups)
>
Hrmm, I think I am okay with that, sbeattie?

The rest of it looks okay to me

thanks
john

>
> Regards,
>
> Christian Boltz
>
>
>
> === modified file 'profiles/apparmor.d/abstractions/apache2-common'
> --- profiles/apparmor.d/abstractions/apache2-common	2010-01-03 21:16:38 +0000
> +++ profiles/apparmor.d/abstractions/apache2-common	2011-12-21 23:57:10 +0000
> @@ -1,9 +1,20 @@
>  # vim:syntax=apparmor
>
> +# This file contains basic permissions for Apache and every vHost
> +
> +  #include <abstractions/nameservice>
> +
>    # Apache
>    network inet stream,
> +  network inet6 stream,
> +  # apache manual, error pages and icons
>    /usr/share/apache2/** r,
>
>    # changehat itself
>    /proc/*/attr/current                        w,
>
> +  # htaccess files - for what ever it is worth
> +  /**/.htaccess            r,
> +
> +  /dev/urandom            r,
> +
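Review bot: `/**/.htaccess r,` and `/dev/urandom r,` now reach every profile and hat that includes this abstraction, and neither line says what needs it; the htaccess rule is the one John asks to put behind a tunable, so a comment naming the consumer, or a tunable such as `@{HTACCESS_DIRS}/.htaccess r,` (hypothetical name) with `/**` as the shipped default, would make that widening reviewable. The trailing blank line added at the end of the file can also be dropped.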
>
> === modified file 'profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork'
> --- profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork	2011-08-08 20:22:03 +0000
> +++ profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork	2011-12-21 23:58:09 +0000
> @@ -12,6 +12,7 @@
>  #include <tunables/global>
  
>  /usr/sbin/httpd2-prefork {
> +  #include <abstractions/apache2-common>
>    #include <abstractions/base>
>    #include <abstractions/consoles>
>    #include <abstractions/kerberosclient>
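Review bot: with `#include <abstractions/apache2-common>` at the top of the main profile, the profile also receives `network inet stream,`, `network inet6 stream,`, `/proc/*/attr/current w,` and the nameservice abstraction from the first hunk, yet the later hunks only drop the `/usr/share/apache2/**` rules; any copies of those other rules still present in the main profile are now redundant and could be removed in the same patch so the abstraction is the single source for them.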
> @@ -78,8 +79,6 @@
>    /usr/local/tomcat/conf/mod_jk.conf r,
>    /usr/local/tomcat/conf/workers-ajp12.properties r,
>    /usr/sbin/httpd2-prefork r,
> -  /usr/share/apache2/error/* r,
> -  /usr/share/apache2/error/include/* r,
>    /usr/share/misc/magic.mime r,
>    /usr/share/snmp/mibs r,
>    /usr/share/snmp/mibs/*.{txt,mib} r,
> @@ -125,21 +124,18 @@
>    /srv/www/icons/*.{gif,jpg,png}     r,
>    /srv/www/vhosts                    r,
>    /srv/www/vhosts/**                 r,
> -  # SuSE location of the apache manual + error pages
> -  /usr/share/apache2/**              r,
>
>    # php session state
>    /var/lib/php/sess_*                rwl,
>
>
>    ^HANDLING_UNTRUSTED_INPUT {
> -    #include <abstractions/nameservice>
> +    #include <abstractions/apache2-common>
>      /var/log/apache2/*     w,
> -    /**.htaccess           r,
>    }
  
>    ^DEFAULT_URI {
> -    #include <abstractions/nameservice>
> +    #include <abstractions/apache2-common>
>      #include <abstractions/base>
>
>      # Note that mod_perl, mod_php, mod_python, etc, allows in-apache
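Review bot: swapping `#include <abstractions/nameservice>` for `#include <abstractions/apache2-common>` in `^HANDLING_UNTRUSTED_INPUT` widens that hat: besides nameservice it now gets `network inet stream,`, `network inet6 stream,`, `/usr/share/apache2/** r,`, `/proc/*/attr/current w,` and `/dev/urandom r,` from the first hunk, and hats do not inherit the enclosing profile's rules, so this is new permission while untrusted input is being handled and deserves a sentence in the commit message (or a slimmer abstraction for that hat). The removed `/**.htaccess r,` is replaced by the abstraction's `/**/.htaccess r,`, which requires a `/` before `.htaccess`; that is the deliberate tightening Christian describes and is worth a comment beside the rule so it is not "fixed" back later.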
> @@ -176,8 +172,6 @@
>      /srv/www/icons/*.{gif,jpg,png}     r,
>      /srv/www/vhosts                    r,
>      /srv/www/vhosts/**                 r,
> -    # SuSE location of the apache manual + error pages
> -    /usr/share/apache2/**              r,
>
>      # php session state
>      /var/lib/php/sess_*                rwl,
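To see what the `^HANDLING_UNTRUSTED_INPUT` hat actually gains and loses once the abstraction is swapped in, here is an added Python example (not part of the patch or of the AppArmor tooling) that flattens `#include` lines; the abstraction contents are constructed from the diff, with nameservice cut down to one stand-in rule, and the script assumes hats do not inherit the enclosing profile's rules.

```python
import re

# Constructed stand-in for the abstractions after the patch (comments dropped,
# nameservice cut down to one rule).
ABSTRACTIONS = {
    "abstractions/nameservice": ["/etc/hosts r,"],
    "abstractions/apache2-common": [
        "#include <abstractions/nameservice>",
        "network inet stream,", "network inet6 stream,",
        "/usr/share/apache2/** r,", "/proc/*/attr/current w,",
        "/**/.htaccess r,", "/dev/urandom r,",
    ],
}

def expand(lines, abstractions, seen=None):
    """Replace '#include <x>' with x's rules recursively; 'seen' stops include loops."""
    seen = set() if seen is None else seen
    out = []
    for line in (ln.strip() for ln in lines):
        m = re.match(r"#include\s+<([^>]+)>", line)
        if m and m.group(1) not in seen:
            seen.add(m.group(1))
            out.extend(expand(abstractions.get(m.group(1), []), abstractions, seen))
        elif not m and line and not line.startswith("#"):
            out.append(line)
    return out

def hat_rules(profile_text, abstractions):
    """Effective rules per '^NAME {' block; a hat does not inherit the parent's rules."""
    hats, current = {}, None
    for line in (ln.strip() for ln in profile_text.splitlines()):
        m = re.match(r"\^(\S+)\s*\{", line)
        if m:
            current, hats[m.group(1)] = m.group(1), []
        elif line == "}" and current is not None:
            hats[current], current = expand(hats[current], abstractions), None
        elif current is not None and line:
            hats[current].append(line)
    return hats

# The ^HANDLING_UNTRUSTED_INPUT hat before and after the patch, copied from the diff.
BEFORE = ("^HANDLING_UNTRUSTED_INPUT {\n  #include <abstractions/nameservice>\n"
          "  /var/log/apache2/* w,\n  /**.htaccess r,\n}")
AFTER = BEFORE.replace("<abstractions/nameservice>", "<abstractions/apache2-common>"
                       ).replace("  /**.htaccess r,\n", "")

def rule_delta(before, after, hat, abstractions=ABSTRACTIONS):
    """(gained, lost) rules for one hat: the lines a reviewer should actually read."""
    old = set(hat_rules(before, abstractions)[hat])
    new = set(hat_rules(after, abstractions)[hat])
    return sorted(new - old), sorted(old - new)
```

`rule_delta(BEFORE, AFTER, "HANDLING_UNTRUSTED_INPUT")` lists the six rules the hat picks up from apache2-common and the single `/**.htaccess r,` it loses.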
