[apparmor] [patch] split off apache permissions to abstractions/apache2-common
Steve Beattie
steve at nxnw.org
Wed Jan 4 22:35:41 UTC 2012
On Thu, Dec 22, 2011 at 01:17:57AM +0100, Christian Boltz wrote:
> the attached patch splits off various permissions from the httpd2-
> prefork profile to abstractions/apache2-common. Additionally, it adds
> read permissions for /**/.htaccess and /dev/urandom to apache2-common.
>
> The patch is based on a profile abstraction from darix. I made some
> things more strict (compared to darix' profile), and OTOH added some
> things that are needed on my servers.
>
> For reference: Darix sent me a file abstractions/apache-vhost-base (note
> the different name, I merged into apache2-common).
> Original abstractions/apache-vhost-base from darix:
>
> network,
>
> @{PROC}/**/attr/current rw,
>
> # htaccess files - for what ever it is worth
> /**.htaccess r,
>
> # error pages
> /usr/share/apache2/** r,
>
>
> BTW: Darix' profile has @{PROC}/**/attr/current rw, however my
> experience is I only need @{PROC}/*/attr/current w (no r).
> I never needed @{PROC}/*/task/*/attr/current.
> - Does apache really need write access to both variants? (I doubt it.)
John is correct: mod_apparmor does not read from
@{PROC}/*/attr/current, it only writes to it.
> - What's the difference between both variants?
> Note: My version of abstractions/apache2-common does not allow reading
> /.htaccess (I changed /**.htaccess -> /**/.htaccess) which slightly
> reduces permissions for ^HANDLING_UNTRUSTED_INPUT. However I doubt
> someone has a .htaccess in / ;-)
>
> The other changes I did do not remove permissions from the profile in
> bzr because those permissions didn't exist there - they exist only in
> the profile and abstractions from darix.
>
> I'm also nominating this patch for the 2.7 branch (maybe except
> disallowing /.htaccess for ^HANDLING_UNTRUSTED_INPUT if you are afraid
> it breaks some setups)
I have no issue dropping to /**/.htaccess for 2.7 or trunk.
Acked-By: Steve Beattie <sbeattie at ubuntu.com>
... with some inline comments.
Thanks!
> === modified file 'profiles/apparmor.d/abstractions/apache2-common'
> --- profiles/apparmor.d/abstractions/apache2-common 2010-01-03 21:16:38 +0000
> +++ profiles/apparmor.d/abstractions/apache2-common 2011-12-21 23:57:10 +0000
> @@ -1,9 +1,20 @@
> # vim:syntax=apparmor
>
> +# This file contains basic permissions for Apache and every vHost
> +
> + #include <abstractions/nameservice>
> +
> # Apache
> network inet stream,
> + network inet6 stream,
I'm actually surprised this is needed given the inclusion of
abstractions/nameservice.
> + # apache manual, error pages and icons
> /usr/share/apache2/** r,
>
> # changehat itself
> /proc/*/attr/current w,
>
> + # htaccess files - for what ever it is worth
> + /**/.htaccess r,
> +
> + /dev/urandom r,
> +
>
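Review bot: `/**/.htaccess r,` and `/dev/urandom r,` go into the shared abstraction without a comment saying which consumer needs them, and `/**/.htaccess r,` matches a .htaccess anywhere on the filesystem rather than only under the served trees (the prefork profile below already names `/srv/www/vhosts/**`); consider scoping the rule to the document roots or documenting why it has to be global. Also worth stating in the header comment that, with `#include <abstractions/nameservice>` now inside apache2-common, every profile or hat that includes apache2-common inherits the whole nameservice set.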
> === modified file 'profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork'
> --- profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork 2011-08-08 20:22:03 +0000
> +++ profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork 2011-12-21 23:58:09 +0000
> @@ -12,6 +12,7 @@
> #include <tunables/global>
>
> /usr/sbin/httpd2-prefork {
> + #include <abstractions/apache2-common>
> #include <abstractions/base>
> #include <abstractions/consoles>
> #include <abstractions/kerberosclient>
> @@ -78,8 +79,6 @@
> /usr/local/tomcat/conf/mod_jk.conf r,
> /usr/local/tomcat/conf/workers-ajp12.properties r,
> /usr/sbin/httpd2-prefork r,
> - /usr/share/apache2/error/* r,
> - /usr/share/apache2/error/include/* r,
> /usr/share/misc/magic.mime r,
> /usr/share/snmp/mibs r,
> /usr/share/snmp/mibs/*.{txt,mib} r,
> @@ -125,21 +124,18 @@
> /srv/www/icons/*.{gif,jpg,png} r,
> /srv/www/vhosts r,
> /srv/www/vhosts/** r,
> - # SuSE location of the apache manual + error pages
> - /usr/share/apache2/** r,
>
> # php session state
> /var/lib/php/sess_* rwl,
>
>
> ^HANDLING_UNTRUSTED_INPUT {
> - #include <abstractions/nameservice>
> + #include <abstractions/apache2-common>
I recognize you're not adding permissions here so it's not a failing
of your patch, but I really dislike having abstractions/nameservice
included within the HANDLING_UNTRUSTED_INPUT hat, because it
grants access to so much stuff. The HANDLING_UNTRUSTED_INPUT hat is
intended to be a minimal set of privileges needed while parsing an
http request. Once it's been parsed, then mod_apparmor is supposed
to switch to the appropriate hat for the request which may have wider
privileges (but still a subset of the whole).
(Ideally, some form of privilege separation would get added to apache
proper.)
> /var/log/apache2/* w,
> - /**.htaccess r,
> }
>
> ^DEFAULT_URI {
> - #include <abstractions/nameservice>
> + #include <abstractions/apache2-common>
> #include <abstractions/base>
>
> # Note that mod_perl, mod_php, mod_python, etc, allows in-apache
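Review bot: swapping `#include <abstractions/nameservice>` for `#include <abstractions/apache2-common>` inside `^HANDLING_UNTRUSTED_INPUT` widens that hat beyond the nameservice set it had before: the abstraction (first hunk) also carries `network inet stream,`, `network inet6 stream,`, `/usr/share/apache2/** r,`, `/dev/urandom r,` and `/proc/*/attr/current w,`, and the hat's own `/**.htaccess r,` is replaced by the abstraction's `/**/.htaccess r,`. If the hat is meant to hold only what request parsing needs, list the few rules it really requires directly in the hat and keep apache2-common for `^DEFAULT_URI` and the per-vhost hats.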
> @@ -176,8 +172,6 @@
> /srv/www/icons/*.{gif,jpg,png} r,
> /srv/www/vhosts r,
> /srv/www/vhosts/** r,
> - # SuSE location of the apache manual + error pages
> - /usr/share/apache2/** r,
>
> # php session state
> /var/lib/php/sess_* rwl,
>
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
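An added example, not part of this thread or of the AppArmor project: a small include resolver that lists what a hat gains when its `#include <abstractions/nameservice>` is swapped for `#include <abstractions/apache2-common>`, which is the point of the review comments above. The abstraction bodies are constructed from the patch and trimmed (the real nameservice abstraction is longer), and hats are treated as not inheriting their parent profile's rules.

```python
import re

# Constructed, trimmed abstraction bodies modelled on the patch under review.
ABSTRACTIONS = {
    "abstractions/nameservice": [
        "/etc/hosts r,", "/etc/resolv.conf r,", "/etc/nsswitch.conf r,",
        "network inet stream,", "network inet dgram,",
    ],
    "abstractions/apache2-common": [
        "#include <abstractions/nameservice>",
        "network inet stream,", "network inet6 stream,",
        "/usr/share/apache2/** r,", "/proc/*/attr/current w,",
        "/**/.htaccess r,", "/dev/urandom r,",
    ],
}
INCLUDE_RE = re.compile(r"^#include\s+<([^>]+)>$")

def resolve(lines, seen=None):
    """Expand #include lines recursively into the set of concrete rules."""
    seen = set() if seen is None else seen
    rules = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("# "):
            continue                      # blank line or comment
        m = INCLUDE_RE.match(line)
        if not m:
            rules.add(line)
        elif m.group(1) not in seen:      # guard against include loops
            seen.add(m.group(1))
            rules |= resolve(ABSTRACTIONS[m.group(1)], seen)
    return rules

def hat_rules(profile_text):
    """Map each ^HAT to its resolved rules; hats do not inherit the parent."""
    hats, current = {}, None
    for line in profile_text.splitlines():
        s = line.strip()
        m = re.match(r"^\^(\w+)\s*\{$", s)
        if m:
            current, hats[m.group(1)] = m.group(1), []
        elif s == "}":
            current = None
        elif current is not None:
            hats[current].append(s)
    return {hat: resolve(body) for hat, body in hats.items()}

def widened_by(before, after, hat):
    """Rules `hat` gains when the profile changes from `before` to `after`."""
    return sorted(hat_rules(after)[hat] - hat_rules(before)[hat])
```

Feed it the hat text before and after the patch and `widened_by` returns exactly the rules that arrived via the abstraction swap.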