[apparmor] [patch] split off apache permissions to abstractions/apache2-common

John Johansen john.johansen at canonical.com
Wed Jan 4 23:34:18 UTC 2012


On 01/04/2012 02:35 PM, Steve Beattie wrote:
> On Thu, Dec 22, 2011 at 01:17:57AM +0100, Christian Boltz wrote:
>> the attached patch splits off various permissions from the httpd2-
>> prefork profile to abstractions/apache2-common. Additionally, it adds 
>> read permissions for /**/.htaccess and /dev/urandom to apache2-common.
>>
>> The patch is based on a profile abstraction from darix. I made some 
>> things more strict (compared to darix' profile), and OTOH added some 
>> things that are needed on my servers.
>>
>> For reference: Darix sent me a file abstractions/apache-vhost-base (note 
>> the different name, I merged into apache2-common).
>> Original abstractions/apache-vhost-base from darix:
>>
>>   network,
>>
>>   @{PROC}/**/attr/current rw,
>>
>>   # htaccess files - for what ever it is worth
>>   /**.htaccess            r,
>>
>>   # error pages
>>   /usr/share/apache2/**   r,
>>
>>
>> BTW: Darix' profile has @{PROC}/**/attr/current rw, however my 
>> experience is I only need @{PROC}/*/attr/current w (no r). 
>> I never needed   @{PROC}/*/task/*/attr/current.
>> - Does apache really need write access to both variants? (I doubt.)
> 
> John is correct, mod_apparmor does not read from
> @{PROC}/*/attr/current, it only writes to it.
> 
>> - What's the difference between both variants?
> 
>> Note: My version of abstractions/apache2-common does not allow to read 
>> /.htaccess (I changed /**.htaccess -> /**/.htaccess) which slightly 
>> reduces permissions for ^HANDLING_UNTRUSTED_INPUT. However I doubt 
>> someone has a .htaccess in / ;-)
>>
>> The other changes I did do not remove permissions from the profile in 
>> bzr because those permissions didn't exist there - they exist only in 
>> the profile and abstractions from darix.
>>
>> I'm also nominating this patch for the 2.7 branch (maybe except 
>> disallowing /.htaccess for ^HANDLING_UNTRUSTED_INPUT  if you are afraid 
>> it breaks some setups)
> 
> I have no issue dropping to /**/.htaccess for 2.7 or trunk.
> 
> Acked-By: Steve Beattie <sbeattie at ubuntu.com>
> 
> ... with some inline comments.
> 
> Thanks!
> 
>> === modified file 'profiles/apparmor.d/abstractions/apache2-common'
>> --- profiles/apparmor.d/abstractions/apache2-common	2010-01-03 21:16:38 +0000
>> +++ profiles/apparmor.d/abstractions/apache2-common	2011-12-21 23:57:10 +0000
>> @@ -1,9 +1,20 @@
>>  # vim:syntax=apparmor
>>  
>> +# This file contains basic permissions for Apache and every vHost
>> +
>> +  #include <abstractions/nameservice>
>> +
>>    # Apache
>>    network inet stream,
>> +  network inet6 stream,
> 
> I'm actually surprised this is needed given the inclusion of
> abstractions/nameservice
> 
>> +  # apache manual, error pages and icons
>>    /usr/share/apache2/** r,
>>  
>>    # changehat itself
>>    /proc/*/attr/current                        w,
>>  
>> +  # htaccess files - for what ever it is worth
>> +  /**/.htaccess            r,
>> +
>> +  /dev/urandom            r,
>> +
>>
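Review bot: `/**/.htaccess r,` matches a .htaccess file at any depth anywhere on the filesystem, not only under the document roots the profile otherwise lists (`/srv/www/vhosts/**`), so every profile and hat that pulls in this abstraction may read .htaccess files outside the web tree; consider keying the rule off the web roots (e.g. `/srv/www/**/.htaccess r,`) or leaving it in the per-vhost profile. Note also that `#include <abstractions/nameservice>` at the top turns apache2-common into a superset of nameservice, which matters wherever this abstraction is used as a replacement for nameservice (the hats below). Minor style: the existing `/proc/*/attr/current w,` hardcodes `/proc` while the rest of the thread writes `@{PROC}`.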
>> === modified file 'profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork'
>> --- profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork	2011-08-08 20:22:03 +0000
>> +++ profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork	2011-12-21 23:58:09 +0000
>> @@ -12,6 +12,7 @@
>>  #include <tunables/global>
>>  
>>  /usr/sbin/httpd2-prefork {
>> +  #include <abstractions/apache2-common>
>>    #include <abstractions/base>
>>    #include <abstractions/consoles>
>>    #include <abstractions/kerberosclient>
>> @@ -78,8 +79,6 @@
>>    /usr/local/tomcat/conf/mod_jk.conf r,
>>    /usr/local/tomcat/conf/workers-ajp12.properties r,
>>    /usr/sbin/httpd2-prefork r,
>> -  /usr/share/apache2/error/* r,
>> -  /usr/share/apache2/error/include/* r,
>>    /usr/share/misc/magic.mime r,
>>    /usr/share/snmp/mibs r,
>>    /usr/share/snmp/mibs/*.{txt,mib} r,
>> @@ -125,21 +124,18 @@
>>    /srv/www/icons/*.{gif,jpg,png}     r,
>>    /srv/www/vhosts                    r,
>>    /srv/www/vhosts/**                 r,
>> -  # SuSE location of the apache manual + error pages
>> -  /usr/share/apache2/**              r,
>>  
>>    # php session state
>>    /var/lib/php/sess_*                rwl,
>>  
>>  
>>    ^HANDLING_UNTRUSTED_INPUT {
>> -    #include <abstractions/nameservice>
>> +    #include <abstractions/apache2-common>
> 
> I recognize you're not adding permissions here so it's not a failing
> of your patch, but I really dislike having abstractions/nameservice
> included within the HANDLING_UNTRUSTED_INPUT hat, because it
> grants access to so much stuff. The HANDLING_UNTRUSTED_INPUT hat is
> intended to be a minimal set of privileges needed while parsing an
> http request. Once it's been parsed, then mod_apparmor is supposed
> to switch to the appropriate hat for the request which may have wider
> privileges (but still a subset of the whole).
> 
> (Ideally, some form of privilege separation would get added to apache
> proper.)
> 
What do you think about splitting up the nameservice abstraction, and
maybe including some of it?  Of course that is really vague as without
knowing how it's split it's going to be hard to say.

Reworking the abstractions has been a goal for a long time now.  Maybe
we should just start cherry picking some and doing it.  Hopefully with
the dfa permissions rework that is coming we will finally be able to
hack together a tool to help us in finding and generating abstractions.



>>      /var/log/apache2/*     w,
>> -    /**.htaccess           r,
>>    }
>>  
>>    ^DEFAULT_URI {
>> -    #include <abstractions/nameservice>
>> +    #include <abstractions/apache2-common>
>>      #include <abstractions/base>
>>  
>>      # Note that mod_perl, mod_php, mod_python, etc, allows in-apache
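Review bot: replacing `#include <abstractions/nameservice>` with `#include <abstractions/apache2-common>` in ^HANDLING_UNTRUSTED_INPUT widens that hat rather than keeping it minimal. apache2-common includes nameservice itself and on top of that grants `network inet stream,` / `network inet6 stream,`, `/usr/share/apache2/** r,`, `/proc/*/attr/current w,`, `/**/.htaccess r,` and `/dev/urandom r,`; before this hunk the hat had only nameservice, the log write and `/**.htaccess r`. If the hat is meant to cover request parsing only, keep the explicit .htaccess read here and include just what parsing needs, or split apache2-common so the hat can include the minimal part. The ^DEFAULT_URI change is less of a concern, since that hat is expected to be wider and already carried `/usr/share/apache2/** r` (removed in the following hunk).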
>> @@ -176,8 +172,6 @@
>>      /srv/www/icons/*.{gif,jpg,png}     r,
>>      /srv/www/vhosts                    r,
>>      /srv/www/vhosts/**                 r,
>> -    # SuSE location of the apache manual + error pages
>> -    /usr/share/apache2/**              r,
>>  
>>      # php session state
>>      /var/lib/php/sess_*                rwl,
>>
> 
> 
> 
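The disagreement above is about the effective rule set a hat ends up with once its `#include` lines are expanded, which is hard to see by eye when one abstraction includes another. The script below is an added example, not AppArmor's own parser or utilities: it resolves `#include <...>` lines in a simplified profile syntax and diffs the rules of ^HANDLING_UNTRUSTED_INPUT before and after the patch. The abstraction texts are constructed from the rules quoted in this thread and trimmed to what is relevant here; in particular the stand-in for abstractions/nameservice is an assumption and is far smaller than the real file, so a real install would point the dictionary at the actual files under /etc/apparmor.d/abstractions.

```python
"""Expand #include lines in a (simplified) AppArmor profile and show which
rules a hat gains or loses when one abstraction is swapped for another.

Added example for this thread, not part of AppArmor. Rule syntax handled:
one rule per line, '#include <name>', '#' comments, and '{' / '}' lines.
"""
import re

# Constructed stand-ins for the files the patch touches. The real
# abstractions/nameservice is much larger; these contents are assumptions.
ABSTRACTIONS = {
    "abstractions/base": """
  /lib/** r,
  /dev/null rw,
""",
    "abstractions/nameservice": """
  /etc/resolv.conf r,
  /etc/hosts r,
  network inet stream,
  network inet6 stream,
""",
    # apache2-common as it looks after the patch: it now includes nameservice
    "abstractions/apache2-common": """
  #include <abstractions/nameservice>
  network inet stream,
  network inet6 stream,
  /usr/share/apache2/** r,
  /proc/*/attr/current w,
  /**/.htaccess r,
  /dev/urandom r,
""",
}

# The hat as quoted in the diff, before and after the patch.
HAT_BEFORE = """
^HANDLING_UNTRUSTED_INPUT {
    #include <abstractions/nameservice>
    /var/log/apache2/* w,
    /**.htaccess r,
}
"""

HAT_AFTER = """
^HANDLING_UNTRUSTED_INPUT {
    #include <abstractions/apache2-common>
    /var/log/apache2/* w,
}
"""

INCLUDE_RE = re.compile(r"^\s*#include\s*<([^>]+)>\s*$")


def resolve_rules(text, abstractions, seen=None):
    """Return the set of rules in `text` with #include lines expanded
    recursively from `abstractions`. Comments, blank lines and the
    profile/hat braces are dropped; each rule is normalised to a
    single-spaced string without its trailing comma."""
    seen = set() if seen is None else seen
    rules = set()
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("}") or stripped.endswith("{"):
            continue
        m = INCLUDE_RE.match(line)
        if m:
            name = m.group(1)
            if name in seen:  # guard against include cycles / duplicates
                continue
            seen.add(name)
            rules |= resolve_rules(abstractions[name], abstractions, seen)
            continue
        if stripped.startswith("#"):
            continue
        rules.add(" ".join(stripped.rstrip(",").split()))
    return rules


def hat_diff(before, after, abstractions=ABSTRACTIONS):
    """Rules gained and lost by a hat whose text changes from `before` to
    `after`, comparing the fully expanded rule sets of both versions."""
    old = resolve_rules(before, abstractions)
    new = resolve_rules(after, abstractions)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    gained, lost = hat_diff(HAT_BEFORE, HAT_AFTER)
    print("gained:", *gained, sep="\n  ")
    print("lost:", *lost, sep="\n  ")
```

With the constructed inputs the hat loses only `/**.htaccess r` and gains the .htaccess read at its new spelling plus the error-page tree, the attr/current write and /dev/urandom; the network rules show no change only because the nameservice stand-in already carries them. The same expansion applied to the real abstraction files is what a reviewer would want before accepting an include swap in a hat that is supposed to stay minimal.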



