[apparmor] RFC: Patch [Bug 1207424] Re: mod_apparmor should let me use ServerName as default hat name

Seth Arnold seth.arnold at canonical.com
Sat Aug 10 00:03:22 UTC 2013


On Fri, Aug 02, 2013 at 01:41:37AM -0700, John Johansen wrote:
> This is a first pass at providing the feature requested in Bug 1207424
> 
> It leverages the apache config option
> 
>   AADefaultHatName
> 
> and when its value is specified as
>   <hostname>
> 
> the hostname will be looked up and used.  Obviously this patch isn't
> complete, but it's a first pass and I wanted feedback before I put any
> more work into it.

I don't think this is it; this will use whatever the machine thinks its
hostname is, rather than the virtual host that apache is currently
serving a request for.

It might be "too dynamic", but if we modify immunix_enter_hat() to
follow r->server_rec->server_hostname, I believe that's the data we
need when we need it. Populating the scfg->hat_name with this data might
also work, and be less dynamic (lower overhead) but that'd require more
reading...

Thanks

> ---
> 
> === modified file 'changehat/mod_apparmor/mod_apparmor.c'
> --- changehat/mod_apparmor/mod_apparmor.c	2011-02-08 16:18:36 +0000
> +++ changehat/mod_apparmor/mod_apparmor.c	2013-08-02 08:36:24 +0000
> @@ -48,6 +48,7 @@
>  typedef struct {
>  	const char * hat_name;
>  	int is_initialized;
> +	char hostname[HOST_NAME_MAX + 1];
>  } immunix_srv_cfg;
>  
>  /* immunix_init() gets invoked in the post_config stage of apache.
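Review bot: The new hostname[HOST_NAME_MAX + 1] member of immunix_srv_cfg depends on HOST_NAME_MAX, which comes from <limits.h>, and no include is added in the lines shown; POSIX also allows the macro to be left undefined, so this may not build everywhere. Since hat_name is already a const char *, consider dropping the fixed array and storing a copy of the looked-up name allocated from the configuration pool, or at least add the include and a fallback definition. It would also help to add a one-line comment on the member saying it only backs hat_name when AADefaultHatName is set to <hostname>.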
> @@ -235,6 +236,17 @@
>      			parm1 ? parm1 : "DEFAULT");
>      immunix_srv_cfg * scfg = mconfig;
>      if (parm1 != NULL) {
> +        if (strcmp(parm1, "<hostname>") == 0) {
> +            if (gethostname(scfg->hostname, HOST_NAME_MAX+1)) {
> +                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
> +			     "AADefaultHatName could not obtain hostname "
> +                             " required by config");
> +		/* TODO: what is the correct behavior for a failure here */
> +    	        scfg->hat_name = "DEFAULT";
> +            } else {
> +                scfg->hat_name = scfg->hostname;
> +            }
> +      } else
>      	scfg->hat_name = parm1;
>      } else {
>      	scfg->hat_name = "DEFAULT";
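Review bot: In the gethostname() failure branch, the hat name silently becomes "DEFAULT" with only an APLOG_NOTICE message, so an administrator who asked for a per-host hat ends up with requests confined by a different hat than the one configured; the TODO should be resolved by rejecting the directive (or logging at error level and refusing to start) rather than falling back. Two smaller points in the same hunk: POSIX leaves it unspecified whether gethostname() NUL-terminates a truncated name, so set scfg->hostname[HOST_NAME_MAX] = '\0' after a successful call before assigning it to hat_name; and the adjacent string literals "... hostname " " required by config" concatenate with a doubled space. The unbraced "} else" ahead of scfg->hat_name = parm1; is easy to misread next to the mixed tab and space indentation, so brace both arms.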
> 
> 