[apparmor] apache2-mpm-itk
Christian Boltz
apparmor at cboltz.de
Mon Feb 6 10:18:46 UTC 2012
Hello,
Am Samstag, 4. Februar 2012 schrieb Jeroen Ooms:
> On Sat, Feb 4, 2012 at 11:48 AM, Jeroen Ooms
<jeroen.ooms at stat.ucla.edu>wrote:
> > I was wondering if anyone tried, or knows if the
> > apache2-mpm-itk<http://mpm-itk.sesse.net/> module (which is a mod
> > of mpm-prefork) is compatible with mod-apparmor?
> I tested it and it works like a charm. I created a
> profile /usr/lib/apache2/mpm-itk/apache2 which is identical to the
> prefork one, with the only difference that the
> ^HANDLING_UNTRUSTED_INPUT hat by default includes:
>
> capability setgid,
> capability setuid,
>
> Which is obvious because this is exactly the purpose of itk.
Indeed ;-)
> Maybe this file could be included in the libapache2-mod-apparmor
> package?
I'd prefer to have in in the apparmor package/tarball so that all
distributions get the profile automatically.
We should also consider to split off large parts of the apache
profile(s) to a separate file (program-chunks/apache?) that can be
included in the httpd2-prefork and apache2-mpm-itk profile.
Otherwise we'll get a maintenance hell sooner or later...
Regards,
Christian Boltz
--
Linux - und dein PC macht nie wieder blau.
More information about the AppArmor
mailing list