[apparmor] [patch 1/3] profiles: allow apache hats to receive signals from unconfined
Kees Cook
kees at ubuntu.com
Fri Jun 20 16:14:46 UTC 2014
On Wed, Jun 18, 2014 at 05:44:03PM -0700, Steve Beattie wrote:
> Allow apache hats to receive signals from unconfined.
>
> [I'm on the fence about this. On the one hand, unconfined should be able
> to kill thing in hats. On the other, using apache2ctl/apachectl is
> preferred to shutdown apache, and it uses the apache binary itself (and
> the profile it runs under) to kill its children.]
Without this, a sysadmin or automated monitoring tools attempting to send
signals to Apache will fail by default. For example, "pkill -U www-data"
wouldn't work. This is, I think, extremely unexpected.
Also, manipulating the system from "unconfined" has been a long-standing
"not protected" state in AppArmor (e.g. setting up hardlinks that bypass
path rules), so it seems strange to start trying to protect a profile from
"unconfined" only for signals.
-Kees
>
> ---
> profiles/apparmor.d/abstractions/apache2-common | 2 ++
> 1 file changed, 2 insertions(+)
>
> Index: b/profiles/apparmor.d/abstractions/apache2-common
> ===================================================================
> --- a/profiles/apparmor.d/abstractions/apache2-common
> +++ b/profiles/apparmor.d/abstractions/apache2-common
> @@ -4,6 +4,8 @@
>
> #include <abstractions/nameservice>
>
> + # Allow unconfined processes to send us signals by default
> + signal (receive) peer=unconfined,
> # Allow apache to send us signals by default
> signal (receive) peer=/usr/sbin/apache2,
> # Allow us to signal ourselves
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
--
Kees Cook
More information about the AppArmor
mailing list