[apparmor] [patch 3/3] profiles: apache2 — allow HANDLING_UNTRUSTED_INPUT access to abstractions/base
Kees Cook
kees at ubuntu.com
Fri Jun 20 16:31:36 UTC 2014
On Wed, Jun 18, 2014 at 11:29:31PM -0700, Seth Arnold wrote:
> On Wed, Jun 18, 2014 at 05:44:05PM -0700, Steve Beattie wrote:
> > This patch adds the abstractions/base abstraction to the
> > HANDLING_UNTRUSTED_INPUT apache2 hat.
> >
> > [I dislike this because the idea for the HANDLING_UNTRUSTED_INPUT is
> > that it is to be as minimal as possible, as sort of a poor man's
> > privilege separation for when apache is parsing a request and
> > determining what to do with it. The abstractions/base abstraction allows
> > too much for such a hat IMO. (Honestly, I'd like to cut down the existing
> > allowed accesses in it.)]
>
> HANDLING_UNTRUSTED_INPUT has always had some unexpected consequences; I
> love the idea but it just might not work with Apache's reality. Since we
> don't have much chance of fixing reality and changing the module to do
> something else is probably not going to happen soon, we might as well make
> this as painless as possible.
>
> Also, agreed on cutting down on abstractions/base, but I'm so reluctant to
> tighten shipped profiles.
This part is a little weird, actually. So, my bug report didn't entirely
match my patch for HANDLING_UNTRUSTED_INPUT. (In the report I say to add
the signal handling only... but in the patch I end up adding base and
apache2-common.) However, this probably doesn't matter much because the
current default for HANDLING_UNTRUSTED_INPUT is:
    / rw,
    /** mrwlkix,
Which is totally crazy if the goal is tight isolation (which I totally
agree with and mentioned in the bug).
I ran out of time trying to further analyze the needs of
HANDLING_UNTRUSTED_INPUT, but it seems that any access needed during
location resolution is needed (e.g. authentication modules), so it may make
sense to extend this with a "local" include. In my case I had to explicitly
allow "/run/saslauthd/mux rw," in apache2-common.
Anyway, I guess my point is, at a minimum, the signal handlers need to be
added, but given the existing totally open permissions, it doesn't
currently hurt to add base.
-Kees
>
> Acked-by: Seth Arnold <seth.arnold at canonical.com>
>
> Thanks
>
> > ---
> > profiles/apparmor.d/usr.sbin.apache2 | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > Index: b/profiles/apparmor.d/usr.sbin.apache2
> > ===================================================================
> > --- a/profiles/apparmor.d/usr.sbin.apache2
> > +++ b/profiles/apparmor.d/usr.sbin.apache2
> > @@ -88,6 +88,7 @@
> > }
> >
> > ^HANDLING_UNTRUSTED_INPUT {
> > + #include <abstractions/base>
> > #include <abstractions/apache2-common>
> >
> > / rw,
> >
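Review bot: the hunk gives no rationale for pulling the whole of abstractions/base into a hat that the cover text describes as meant to be as minimal as possible; with `/ rw,` already in the hat (and, per the discussion above, `/** mrwlkix,` right after it), the file rules in base add nothing, so the only effective new grants are whatever non-file rules base carries. State in the commit message which access the hat was actually missing (the reply above says the motivating need was the signal handlers), and consider a one-line comment above `#include <abstractions/base>` saying why it is there, so the include is not silently retained when the hat is later tightened as Steve proposes.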
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
--
Kees Cook
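To make the "minimal hat" argument above concrete, here is an illustrative AppArmor fragment (added here; it is not the shipped usr.sbin.apache2 profile and not code from anyone on this thread) showing the current wide-open hat beside a tightened one. The file paths, the signal rule, and the local include name are assumptions chosen for the example; the saslauthd path is the one quoted in the message above.

```apparmor
# Illustrative only: not the shipped profile. Hats must live inside a
# profile, so a minimal parent profile header is shown for structure.
/usr/sbin/apache2 {
  # ... parent profile rules omitted for the example ...

  # Before: what the thread says the hat currently grants. "/ rw," plus
  # "/** mrwlkix," is no tighter than the parent profile, so the hat buys
  # nothing while the request is being parsed and routed.
  #
  # ^HANDLING_UNTRUSTED_INPUT {
  #   #include <abstractions/apache2-common>
  #   / rw,
  #   /** mrwlkix,
  # }

  # After: only what location resolution plausibly needs. Every rule below
  # is an assumption for this example and would have to be confirmed
  # against real denials (aa-logprof / audit.log) on a given deployment.
  ^HANDLING_UNTRUSTED_INPUT {
    #include <abstractions/apache2-common>

    # Signal mediation (AppArmor 2.9+ kernels): let the parent profile
    # deliver signals to workers while they are in this hat. Assumed peer.
    signal (receive) peer=/usr/sbin/apache2,

    # Read-only access to what is consulted while resolving the request.
    /etc/apache2/** r,
    /var/www/**/.htaccess r,

    # Site-specific needs (authentication backends etc.) go in a local
    # include instead of the shipped hat. Assumed file name; the package
    # would ship it empty so the include always resolves. For the case
    # quoted above it would contain:
    #   /run/saslauthd/mux rw,
    #include <local/usr.sbin.apache2-untrusted-input>
  }
}
```

The point of the "after" hat is that a request-parsing compromise lands in a domain that can read configuration but not write to it, cannot execute arbitrary files, and cannot reach site-specific sockets unless the administrator opted in through the local include.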