[apparmor] [patch 3/3] profiles: apache2 — allow HANDLING_UNTRUSTED_INPUT access to abstractions/base

Steve Beattie steve at nxnw.org
Mon Jun 23 22:52:53 UTC 2014

On Fri, Jun 20, 2014 at 09:31:36AM -0700, Kees Cook wrote:
> On Wed, Jun 18, 2014 at 11:29:31PM -0700, Seth Arnold wrote:
> > On Wed, Jun 18, 2014 at 05:44:05PM -0700, Steve Beattie wrote:
> > > This patch adds the abstractions/base abstraction to the
> > > 
> > > [I dislike this because the idea for the HANDLING_UNTRUSTED_INPUT is
> > > that it is to be as minimal as possible, as sort of a poor man's
> > > privilege separation for when apache is parsing a request and
> > > determining what to do with it. The abstractions/base abstraction allows
> > > too much for such a hat IMO. (Honestly, I'd like cut down the existing
> > > allowed accesses in it.)]
> > 
> > HANDLING_UNTRUSTED_INPUT has always had some unexpected consequences; I
> > love the idea but it just might not work with Apache's reality. Since we
> > don't have much chance of fixing reality and changing the module to do
> > something else is probably not going to happen soon, we might as well make
> > this as painless as possible.
> > 
> > Also, agreed on cutting down on abstractions/base, but I'm so reluctant to
> > tighten shipped profiles.
> This part is a little weird, actually. So, my bug report didn't entirely
> match my patch for HANDLING_UNTRUSTED_INPUT. (In the report I say to add
> the signal handling only... but in the patch I end up adding base and
> apache2-common.) However, this probably doesn't matter much because the
> current default for HANDLING_UNTRUSTED_INPUT is:
>      / rw,
>      /** mrwlkix,
> Which is totally crazy if the goal is tight isolation (which I totally
> agree with and mentioned in the bug).

I realize I was unclear in my initial posting, but I meant cutting down
the accesses in HANDLING_UNTRUSTED_INPUT, not abstractions/base, though
in truth it could use a good review, too.

> I ran out of time trying to further analyze the needs of
> HANDLING_UNTRUSTED_INPUT, but it seems that any access needed during
> location resolution is needed (e.g. authentication modules), so it may make
> sense to extend this with a "local" include. In my case I had to explicitly
> allow "/run/saslauthd/mux rw," in apache2-common.

Looking over the 2.2->2,4 api changes for http_request [1] it seems
I missed the note about ap_hook_access_checker() being deprecated
and that ap_hook_check_access_ex()[2] and ap_hook_check_access()[3]
are the new hooks to use.

This can be seen by enabling mod_info and examining where mod_apparmor
ends up:

  Check Access:
	20 mod_authz_core.c
  Check Access (legacy):
        00 mod_apparmor.c
        10 mod_access_compat.c

If we register with ap_hook_check_access_ex(), the ordering looks like:

  Check Access:
	00 mod_apparmor.c
	20 mod_authz_core.c
  Check Access (legacy):
	10 mod_access_compat.c

(Registering with ap_hook_check_access() leaves us with the same
sequence as registering with ap_hook_access_checker().)

Kees, Christian, can you test one of the attached patches and
see if this reduces the amount of stuff that needs to show up in
HANDLING_UNTRUSTED_INPUT? The patches are on top of the previous
patches I've sent to the list, reordering the hat sequence, and for
the patch against trunk, after the cleanup patches.

Also, if you could enable mod_info[4] and report to me (privately,
if preferred) the output for your configurations so that I can have an
idea what the ordering looks like, that might help me diagnose things.

[1] http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html#http_request
[2] http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__REQ.html#ga2a9dc3af1fbed52e36fc9e9386e4f919
[3] http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__REQ.html#ga342d354cf3541a6251d12eee6e9fe0c8
[4] http://httpd.apache.org/docs/2.4/mod/mod_info.html

Steve Beattie
<sbeattie at ubuntu.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_apparmor-new-2.4-access-check.patch
Type: text/x-diff
Size: 1240 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140623/470d6922/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_apparmor-2.8-new-2.4-access-check.patch
Type: text/x-diff
Size: 1288 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140623/470d6922/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140623/470d6922/attachment.pgp>

More information about the AppArmor mailing list