[apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined
Seth Arnold
seth.arnold at canonical.com
Thu Jun 19 06:35:13 UTC 2014
On Wed, Jun 18, 2014 at 05:44:03PM -0700, Steve Beattie wrote:
> Allow apache hats to receive signals from unconfined.
>
> [I'm on the fence about this. On the one hand, unconfined should be able
> to kill things in hats. On the other, using apache2ctl/apachectl is
> preferred to shutdown apache, and it uses the apache binary itself (and
> the profile it runs under) to kill its children.]
I could imagine the deployment where enforcing apachectl use would make
sense, but there are lots of reasons why someone would send signals to Apache
processes beyond shutting down. I think this patch makes more sense for
more people.
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> ---
> profiles/apparmor.d/abstractions/apache2-common | 2 ++
> 1 file changed, 2 insertions(+)
>
> Index: b/profiles/apparmor.d/abstractions/apache2-common
> ===================================================================
> --- a/profiles/apparmor.d/abstractions/apache2-common
> +++ b/profiles/apparmor.d/abstractions/apache2-common
> @@ -4,6 +4,8 @@
>
> #include <abstractions/nameservice>
>
> + # Allow unconfined processes to send us signals by default
> + signal (receive) peer=unconfined,
> # Allow apache to send us signals by default
> signal (receive) peer=/usr/sbin/apache2,
> # Allow us to signal ourselves
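Review bot: the rationale given in the commit message (unconfined needs to be able to kill processes running in hats, while apachectl goes through the apache2 binary and its profile) is missing from the abstraction itself; the one-line comment above `signal (receive) peer=unconfined,` should say why this rule is needed alongside the existing `signal (receive) peer=/usr/sbin/apache2,` rule, and that it covers every signal rather than only the termination ones, so a maintainer deciding later whether to narrow or drop it has the context in the file.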