[patch 3/3] profiles: apache2 — allow HANDLING_UNTRUSTED_INPUT access to abstractions/base

Steve Beattie steve at nxnw.org
Thu Jun 19 00:44:05 UTC 2014

This patch adds the abstractions/base abstraction to the

[I dislike this because the idea for the HANDLING_UNTRUSTED_INPUT is
that it is to be as minimal as possible, as sort of a poor man's
privilege separation for when apache is parsing a request and
determining what to do with it. The abstractions/base abstraction allows
too much for such a hat IMO. (Honestly, I'd like cut down the existing
allowed accesses in it.)]

 profiles/apparmor.d/usr.sbin.apache2 |    1 +
 1 file changed, 1 insertion(+)

Index: b/profiles/apparmor.d/usr.sbin.apache2
--- a/profiles/apparmor.d/usr.sbin.apache2
+++ b/profiles/apparmor.d/usr.sbin.apache2
@@ -88,6 +88,7 @@
+    #include <abstractions/base>
     #include <abstractions/apache2-common>
     / rw,

More information about the AppArmor mailing list