[apparmor] Apache2 mod apparmor security concerns

Seth Arnold seth.arnold at gmail.com
Thu Apr 26 00:07:05 UTC 2012

On Wed, Apr 25, 2012 at 4:27 PM, Jeroen Ooms <jeroen.ooms at stat.ucla.edu> wrote:
> I am running a web service in which I basically allow the user to run
> any custom code. I use AppArmor to prevent malicious use. I am using
> Apache2 apparmor module with a ^hat profile to restrict privileges for
> my service.
> However I am starting to doubt if this can actually be done. Because I
> allow the user to run any code, it can potentially try to call
> aa_change_hat, or create hard links to system files, etc. Will this
> work, or will AppArmor prevent this?

aa_change_hat() is intended to be useful but it is _not_ bulletproof.

If the confined code can introspect the Apache address space through some
flaw in the interpreter being used, the confined code could concievably
discover the randomly-generated magic token and use it to escape the hat
back to the main profile. Once running in the main profile, it could
change hat to any other subprofile defined for Apache and gain whatever
privileges may be granted to only certain subprofiles.

Hardlinking to any system files would be entirely confined by policy --
you may wish to run `apparmor_parser -Qd /path/to/profile` to dump a
version of the policy as the kernel will see it:

$ apparmor_parser -Qd /etc/apparmor.d/usr.bin.irssi
----- Debugging built structures -----
Name:		/usr/bin/irssi
Profile Mode:	Enforce
Capabilities: net_bind_service
--- Entries ---
Mode:	rwa:rwa	Name:	(/dev/full)
Mode:	rwalkmx:	Name:	(/home//.ecryptfs/*/.Private/**)
	link:	(/**)

This can help you see what your abstractions have _also_ granted; when
allowing untrusted users to run completely untrusted code, this is a
reasonable extra precaution to take.

aa_change_hat() is useful but it is not a full memory barrier such
as provided across an execve(2) call. I would not rely solely upon
aa_change_hat() to protect human life, operate nuclear power facilities,
or an aircraft's flight control systems. However, it _is_ useful, and
we do have users that rely upon aa_change_hat() to separate users on
shared hosting environments.

More information about the AppArmor mailing list