[apparmor] [patch 2/4] mod_apparmor: add servername-uri hat

Steve Beattie steve at nxnw.org
Wed Jun 18 21:26:14 UTC 2014


This patch adds an additional hat to try in the mod_apparmor processing
sequence, constructed from the host's ServerName + '-' + URI
(e.g. 'www.example.com-/some/uri'). This hat is attempted before the raw
URI hat is attempted, leaving the ordering as follows:

  (1) to a hatname in a location/directory directive
  (2) to the server name or a defined per-server default
  (3) to the server name + "-" + uri
  (4) to the uri
  (5) to DEFAULT_URI
  (6) back to the parent profile

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 changehat/mod_apparmor/mod_apparmor.c   |   15 +++++++++++----
 changehat/mod_apparmor/mod_apparmor.pod |   20 ++++++++++++--------
 2 files changed, 23 insertions(+), 12 deletions(-)

Index: b/changehat/mod_apparmor/mod_apparmor.c
===================================================================
--- a/changehat/mod_apparmor/mod_apparmor.c
+++ b/changehat/mod_apparmor/mod_apparmor.c
@@ -123,9 +123,10 @@ debug_dump_uri(request_rec *r)
    immunix_enter_hat will attempt to change_hat in the following order:
    (1) to a hatname in a location directive
    (2) to the server name or a defined per-server default
-   (3) to the uri
-   (4) to DEFAULT_URI
-   (5) back to the parent profile
+   (3) to the server name + "-" + uri
+   (4) to the uri
+   (5) to DEFAULT_URI
+   (6) back to the parent profile
 */
 static int 
 immunix_enter_hat (request_rec *r)
@@ -135,9 +136,10 @@ immunix_enter_hat (request_rec *r)
     		ap_get_module_config (r->per_dir_config, &apparmor_module);
     immunix_srv_cfg * scfg = (immunix_srv_cfg *) 
     		ap_get_module_config (r->server->module_config, &apparmor_module);
-    const char *aa_hat_array[5] = { NULL, NULL, NULL, NULL, NULL };
+    const char *aa_hat_array[6] = { NULL, NULL, NULL, NULL, NULL, NULL };
     int i = 0;
     char *aa_con, *aa_mode, *aa_hat;
+    const char *vhost_uri;
 
     debug_dump_uri(r);
     ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "in immunix_enter_hat (%s) n:0x%lx p:0x%lx main:0x%lx",
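Review bot: the bump from `aa_hat_array[5]` to `aa_hat_array[6]` is a hand-maintained magic number that has to be changed every time another `aa_hat_array[i++] = ...` site is added, and nothing in `immunix_enter_hat` checks that `i` stays below it, so the next candidate hat that gets added risks a silent write past the end of the stack array. Suggest sizing the array from a named constant (e.g. `#define AA_HAT_CANDIDATES 6`, or `sizeof(aa_hat_array)/sizeof(aa_hat_array[0])` where the bound is needed) and asserting or checking `i < AA_HAT_CANDIDATES` before each store, so the candidate count and the array size cannot drift apart.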
@@ -177,6 +179,11 @@ immunix_enter_hat (request_rec *r)
 			    r->server->server_hostname);
             aa_hat_array[i++] = r->server->server_hostname;
 	}
+
+	vhost_uri = apr_pstrcat(r->pool, r->server->server_hostname, "-", r->uri, NULL);
+	ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+		      "[vhost+uri] adding vhost+uri '%s' to aa_change_hat vector", vhost_uri);
+	aa_hat_array[i++] = vhost_uri;
     }
 
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
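Review bot: `vhost_uri` is built from `r->server->server_hostname` unconditionally, while the step (2) candidate on the same vector can be the AADefaultHatName value instead of the ServerName (see the mod_apparmor.pod text in this patch), so a vhost with a configured default hat is tried as 'defaulthat', then 'ServerName-/uri', which is not what the "(3) to the server name + "-" + uri" line in the header comment leads an admin who has renamed the server hat to expect. Either build `vhost_uri` from the same name that was used for step (2), or state explicitly in mod_apparmor.pod that the combined hat always uses the literal ServerName. Also, the new lines sit inside the outer block closed by the `}` that follows them, so the vhost+uri candidate is only appended when that block's condition holds; worth confirming that this matches the intended ordering for requests that do not enter that block.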
Index: b/changehat/mod_apparmor/mod_apparmor.pod
===================================================================
--- a/changehat/mod_apparmor/mod_apparmor.pod
+++ b/changehat/mod_apparmor/mod_apparmor.pod
@@ -42,11 +42,13 @@ apparmor is also functioning.
 Once mod_apparmor is loaded within Apache, all requests to Apache will
 cause mod_apparmor to attempt to change into a hat that matches the
 ServerName for the server/vhost.  If no such hat is found, it will
-first fall back by attempting to change into a hat named by the URI
-(e.g. /app/some.cgi). If that hat is not found, it will fall back to
-attempting to use the hat DEFAULT_URI; if that also does not exist,
-it will fall back to using the global Apache profile. Most static
-web pages can simply make use of the DEFAULT_URI hat.
+first fall back by attempting to change into a hat composed of the
+ServerName-URI (e.g. "www.example.com-/app/some.cgi").  If that hat
+is not found, it will fall back to attempting to use the hat named
+by the URI (e.g. "/app/some.cgi"). If that hat is not found, it will
+fall back to attempting to use the hat DEFAULT_URI; if that also does
+not exist, it will fall back to using the global Apache profile. Most
+static web pages can simply make use of the DEFAULT_URI hat.
 
 Additionally, before any requests come in to Apache, mod_apparmor
 will attempt to change hat into the HANDLING_UNTRUSTED_INPUT hat.
@@ -102,12 +104,14 @@ applies, otherwise it will
 ServerName (the default) or the configuration value specified by the
 AADefaultHatName directive, for the server/vhost, otherwise it will
 
-3. try to aa_change_hat(2) into the URI itself, otherwise it will
+3. try to aa_change_hat(2) into the ServerName-URI, otherwise it will
 
-4. try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists, otherwise it
+4. try to aa_change_hat(2) into the URI itself, otherwise it will
+
+5. try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists, otherwise it
 will
 
-5. fall back to the global Apache policy
+6. fall back to the global Apache policy
 
 =back
 
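Review bot: item 3 introduces "the ServerName-URI" without an example or a statement that it is the ServerName and the URI joined with a literal '-', whereas the paragraph earlier in the same file gives one ("www.example.com-/app/some.cgi"); since the numbered list is what an admin writing a profile is most likely to consult, suggest `3. try to aa_change_hat(2) into the ServerName + "-" + URI (e.g. "www.example.com-/app/some.cgi"), otherwise it will`. The renumbering of items 4 to 6 is consistent with the header comment in mod_apparmor.c.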



