[apparmor] [Bug 1014298] Re: script to add a hat to a profile

Lutz-Peter Hooge 1014298 at bugs.launchpad.net
Sun Jun 17 19:04:09 UTC 2012

Here is my solution, not a general tool for adding hats to profiles, but
specifically for generating hats from apache-vhosts and also adding
small config snippets that can be included in the corresponding vhosts.

php-cli is needed for the script, but if you need this you probably have
that installed anyway.

** Attachment added: "hat-from-vhost-creation-script"

  script to add a hat to a profile

Status in AppArmor Linux application security framework:

Bug description:
  I'm using a script to add hats for each vhost in my apache profile
  (attached for reference).

  This works, but it uses some ugly sed tricks (for example, it removes
  ^}$ from the profile) to work. This also means that it might break a
  manually edited profile if someone removed the whitespace in front of
  } of a hat.

  It would be much better to have an aa-addhat script that can add a hat
  with a given ruleset to a profile and "understands" the profile
  language (like logprof/genprof do) so that it doesn't need to do sed
  tricks ;-)

  The syntax {c,sh}ould be something like

  aa-addhat /usr/sbin/httpd2-prefork vhost_foo " #include <abstractions/vhost_foo>
      /home/www/foo/httpdocs/uploads/** rw,"

  (yes, the last parameter can be multiline)

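Added example, not part of the original report or of the attached script: one way an aa-addhat style helper could find the closing brace of a profile by tracking block depth, instead of matching ^}$ with sed. The function name add_hat, the sample profile, the ^vhost_bar hat and the /srv/www rule are constructed for illustration; the sketch assumes every block opens with "{" at the end of a line and closes with "}" alone on a line.

```python
# Added example (not the attached script): brace-aware hat insertion.
# Assumption: a block opens with "{" ending its line and closes with "}" alone
# on a line, so {a,b} globs inside rules are never counted as blocks.

# Constructed sample; the ^vhost_bar hat closes at column 0 on purpose.
SAMPLE = """\
#include <tunables/global>

/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  /srv/www/{htdocs,cgi-bin}/** r,

  ^vhost_bar {
    /home/www/bar/httpdocs/** r,
}
}
"""

def add_hat(profile_text, profile_name, hat_name, rules):
    """Return profile_text with '^hat_name { rules }' added to profile_name."""
    lines = profile_text.splitlines()
    depth, in_target = 0, False
    for i, line in enumerate(lines):
        code = line.split("#", 1)[0].strip()  # drops comments and #include lines
        if code.endswith("{"):                # block opener, not a glob
            header = code[:-1].split()
            if depth == 0:
                named = header[1:] if header[:1] == ["profile"] else header
                in_target = named[:1] == [profile_name]
            elif depth == 1 and in_target and (
                    header[:1] == ["^" + hat_name] or header[:2] == ["hat", hat_name]):
                raise ValueError("hat %s already exists" % hat_name)
            depth += 1
        elif code == "}":                     # closer, whatever its indentation
            depth -= 1
            if depth == 0 and in_target:      # this line closes the profile itself
                body = ["    " + r.strip() for r in rules.splitlines() if r.strip()]
                hat = ["", "  ^%s {" % hat_name] + body + ["  }"]
                return "\n".join(lines[:i] + hat + lines[i:]) + "\n"
    raise ValueError("profile %s not found" % profile_name)

if __name__ == "__main__":
    print(add_hat(SAMPLE, "/usr/sbin/httpd2-prefork", "vhost_foo",
                  "#include <abstractions/vhost_foo>\n"
                  "/home/www/foo/httpdocs/uploads/** rw,"))
```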