[apparmor] [patch 7/8] mod_apparmor: make the ServerName be the default AADefaultHatName

Steve Beattie steve at nxnw.org
Wed Jan 22 20:47:53 UTC 2014 

This patch makes the default value for AADefaultHatName be the
server/vhost name, which can be specified in apache via the ServerName
configuration declaration. It can be overridden by setting
AADefaultHatName directly. Thus, with this patch applied, the order of
attempted hats will be:

  1. try to aa_change_hat(2) into a matching AAHatName hat if it exists
     and applies, otherwise
  2. try to aa_change_hat(2) into the URI itself, otherwise
  3. try to aa_change_hat(2) into the value of ServerName, unless
     AADefaultHatName has been explicitly set for this server/vhost, in
     which case that value will be used, otherwise
  4. try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists,
     otherwise
  5. fall back to the global Apache policy

This should eliminate the need for most admins to define both
ServerName and AADefaultHatName, unless there's a specific need for
the values to deviate.

Man page documentation is updated as well, though probably more
wordsmithing is needed there for clarity.

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 changehat/mod_apparmor/mod_apparmor.c   |   24 +++++++++++++++++-------
 changehat/mod_apparmor/mod_apparmor.pod |   28 ++++++++++++++++------------
 2 files changed, 33 insertions(+), 19 deletions(-)

Index: b/changehat/mod_apparmor/mod_apparmor.c
===================================================================
--- a/changehat/mod_apparmor/mod_apparmor.c
+++ b/changehat/mod_apparmor/mod_apparmor.c
@@ -175,13 +175,23 @@ immunix_enter_hat (request_rec *r)
     } else {
     	ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "scfg is null");
     }
-    if (scfg != NULL && scfg->hat_name != NULL) {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat [scfg] %s", scfg->hat_name);
-        sd_ret = aa_change_hat(scfg->hat_name, magic_token);
-	if (sd_ret < 0) {
-	    aa_change_hat(NULL, magic_token);
-	} else {
-	    return OK;
+    if (scfg != NULL) {
+	if (scfg->hat_name != NULL) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat [scfg] %s", scfg->hat_name);
+            sd_ret = aa_change_hat(scfg->hat_name, magic_token);
+	    if (sd_ret < 0) {
+	        aa_change_hat(NULL, magic_token);
+	    } else {
+	        return OK;
+	    }
+        } else {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat w/server_name %s", r->server->server_hostname);
+            sd_ret = aa_change_hat(r->server->server_hostname, magic_token);
+	    if (sd_ret < 0) {
+	        aa_change_hat(NULL, magic_token);
+	    } else {
+	        return OK;
+	    }
 	}
     }
 
Index: b/changehat/mod_apparmor/mod_apparmor.pod
===================================================================
--- a/changehat/mod_apparmor/mod_apparmor.pod
+++ b/changehat/mod_apparmor/mod_apparmor.pod
@@ -41,10 +41,12 @@ apparmor is also functioning.
 
 Once mod_apparmor is loaded within Apache, all requests to Apache will
 cause mod_apparmor to attempt to change into a hat named by the URI
-(e.g. /app/some.cgi). If no such hat is found, it will fall back to
+(e.g. /app/some.cgi). If no such hat is found, it will first fall
+back by attempting to change into a hat that matches the ServerName
+for the server/vhost. If that hat is not found, it will fall back to
 attempting to use the hat DEFAULT_URI; if that also does not exist,
-it will fall back to using the global Apache profile. Most static web
-pages can simply make use of the DEFAULT_URI hat.
+it will fall back to using the global Apache profile. Most static
+web pages can simply make use of the DEFAULT_URI hat.
 
 Additionally, before any requests come in to Apache, mod_apparmor
 will attempt to change hat into the HANDLING_UNTRUSTED_INPUT hat.
@@ -70,13 +72,14 @@ behavior described above.
 
 =item B<AADefaultHatName>
 
-AADefaultHatName allows you to specify a default hat to be used for
-virtual hosts and other Apache server directives, so that you can have
-different defaults for different virtual hosts. This can be overridden by
-the AAHatName directive and is checked for only if there isn't a matching
-AAHatName or hat named by the URI. If the AADefaultHatName hat does not
-exist, it falls back to the DEFAULT_URI hat if it exists (as described
-above).
+AADefaultHatName allows you to specify a default hat to be used
+for virtual hosts and other Apache server directives, so that you
+can have different defaults for different virtual hosts. This can
+be overridden by the AAHatName directive and is checked for only if
+there isn't a matching AAHatName or hat named by the URI. The default
+value of AADefaultHatName is the ServerName for the server/vhost
+configuration. If the AADefaultHatName hat does not exist, it falls
+back to the DEFAULT_URI hat if it exists (as described above).
 
 =back
 
@@ -98,8 +101,9 @@ applies, otherwise it will
 
 2. try to aa_change_hat(2) into the URI itself, otherwise it will
 
-3. try to aa_change_hat(2) into an AADefaultHatName hat if it has been defined
-for the server/vhost, otherwise it will
+3. try to aa_change_hat(2) into an AADefaultHatName hat, either the
+ServerName (the default) or the configuration value specified by the
+AADefaultHatName directive, for the server/vhost, otherwise it will
 
 4. try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists, otherwise it
 will

More information about the AppArmor mailing list