[apparmor] [patch 3/3] profiles: apache2 — allow HANDLING_UNTRUSTED_INPUT access to abstractions/base

Christian Boltz apparmor at cboltz.de
Fri Jun 20 19:34:14 UTC 2014


Am Freitag, 20. Juni 2014 schrieb Kees Cook:
> On Wed, Jun 18, 2014 at 11:29:31PM -0700, Seth Arnold wrote:
> > HANDLING_UNTRUSTED_INPUT has always had some unexpected
> > consequences; I love the idea but it just might not work with
> > Apache's reality. 

Oh yes, there are some funny[tm] things happening in 

> [...] However, this probably doesn't
> matter much because the current default for HANDLING_UNTRUSTED_INPUT
> is:
>      / rw,
>      /** mrwlkix,
> Which is totally crazy if the goal is tight isolation (which I totally
> agree with and mentioned in the bug).
> I ran out of time trying to further analyze the needs of
> HANDLING_UNTRUSTED_INPUT, but it seems that any access needed during
> location resolution is needed (e.g. authentication modules), so it may
> make sense to extend this with a "local" include. In my case I had to
> explicitly allow "/run/saslauthd/mux rw," in apache2-common.

Interesting... - and yes, this sounds like a local/ include would make 

Here's what I'm using in my /usr/sbin/httpd2-prefork profile on 

  ^HANDLING_UNTRUSTED_INPUT flags=(complain) {
    #include <abstractions/nameservice>

    /**.htaccess r,  # hmm, I should change that to /**/.htaccess
    audit /home/www/*/statistics/logs/access_log w,
    audit /home/www/*/statistics/logs/error_log w,
    /home/www/all/global/htaccess-realurl-staticfilecache r,  # (1)
    /home/www/example.com/httpdocs/images/thumbs/various_images.jpg r,
    /proc/*/attr/current w,
    /var/log/apache2/access_log w,
    /var/log/apache2/error_log w,
    /var/log/apache2/error_log-20[01][0-9][01][0-9][0-3][0-9] w,
    /var/log/apache2/ssl_request_log w,


To sum it up:
- abstractions/nameservice (sorry, I don't remember the details what 
  exactly is needed)
- .htaccess files
  Note: "(1)" is used as .htaccess via symlink
- /proc/*/attr/current w, to change to other hats
- write access to the global apache logs (including files that were 
  renamed by logrotate while apache was not restarted yet)
- spurious write access to a random vhost's logs
- spurious read access to random vhost's files
  Note: from what I've seen, this happens only for static content 
  (pictures, CSS, HTML, JS etc.). On the positive side, I've never seen 
  Using "EnableSendfile Off" helped to let this happen "only" rarely,
  but it still happens.

The interesting task is hunting down why the "spurious" things happen. 
Steve already did some debugging with me, but we didn't find an 
explanation yet. I'm sure Steve will pay you a drink when you find the 
reason why these spurious access to vhost's logs and static files happen 

BTW: IIRC sometimes I have 3 or 5 HANDLING_UNTRUSTED_INPUT events in the 
log within a second, and then nothing in the next hour. (I can check 
fresh logs if you think this detail could be relevant.)

Anyway, even while allowing the spurious things, we could reduce
  /** mrwlkix,
to something like
  /** r,
  /**log* rw,

> Anyway, I guess my point is, at a minimum, the signal handlers need to
> be added, but given the existing totally open permissions, it doesn't
> currently hurt to add base.

Hmm, abstractions/base in bzr doesn't seem to contain any signal rule 
(only usr.sbin.apache2 and abstractions/apache2-common contain signal 

Is this an Ubuntu patch that was not commited to bzr yet?


Christian Boltz
<dragotin> where is that lazy chicken btw?
<suseROCKs> Ouch!
<dragotin> oh - code of conduct violated?
<dragotin> "It is not allowed to call henne a lazy chicken!"
<suseROCKs> revised last week:  It is required to call him that
[from #opensuse-project]

More information about the AppArmor mailing list