[patch 3/3] profiles: apache2 — allow HANDLING_UNTRUSTED_INPUT access to abstractions/base

Steve Beattie steve at nxnw.org
Thu Jun 19 00:44:05 UTC 2014


This patch adds the abstractions/base abstraction to the
HANDLING_UNTRUSTED_INPUT apache2 hat.

[I dislike this because the idea for the HANDLING_UNTRUSTED_INPUT is
that it is to be as minimal as possible, as sort of a poor man's
privilege separation for when apache is parsing a request and
determining what to do with it. The abstractions/base abstraction allows
too much for such a hat IMO. (Honestly, I'd like to cut down the existing
allowed accesses in it.)]

---
 profiles/apparmor.d/usr.sbin.apache2 |    1 +
 1 file changed, 1 insertion(+)

Index: b/profiles/apparmor.d/usr.sbin.apache2
===================================================================
--- a/profiles/apparmor.d/usr.sbin.apache2
+++ b/profiles/apparmor.d/usr.sbin.apache2
@@ -88,6 +88,7 @@
   }
 
   ^HANDLING_UNTRUSTED_INPUT {
+    #include <abstractions/base>
     #include <abstractions/apache2-common>
 
     / rw,
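
Review bot: The added `#include <abstractions/base>` at the top of `^HANDLING_UNTRUSTED_INPUT` pulls a whole abstraction into a hat that the description says should stay as minimal as possible, and neither the hunk nor the description names the access that was being denied without it. Suggest replacing the include with only the specific rules this hat needs, or at least adding a comment above the include line recording the denial that motivated it, so the grant can be narrowed later.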
