[apparmor] tomcat 8

Me Self wmsopou at gmail.com
Wed Mar 30 12:34:16 UTC 2016


Here is some additional info from Tomcat's logs. I should mention the webapp
is running in the ROOT context.


30-Mar-2016 13:28:11.316 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/*] only the HTTP methods [TRACE HEAD DELETE POST GET OPTIONS PUT] are covered. All other methods are uncovered.
30-Mar-2016 13:28:25.642 SEVERE [http-nio-8080-exec-1] com.novell.apparmor.catalina.valves.ChangeHatValve.invoke [APPARMOR] ChangeHat to [/blog/] failed. Running in parent context.
30-Mar-2016 13:28:26.167 SEVERE [http-nio-8080-exec-2] com.novell.apparmor.catalina.valves.ChangeHatValve.invoke [APPARMOR] ChangeHat to [/resources/css/bootstrap.min.css] failed. Running in parent context.
30-Mar-2016 13:28:26.177 SEVERE [http-nio-8080-exec-3] com.novell.apparmor.catalina.valves.ChangeHatValve.invoke [APPARMOR] ChangeHat to [/resources/css/blog.css] failed. Running in parent context.
30-Mar-2016 13:28:26.178 SEVERE [http-nio-8080-exec-4] com.novell.apparmor.catalina.valves.ChangeHatValve.invoke [APPARMOR] ChangeHat to [/resources/css/font-awesome.min.css] failed. Running in parent context.
30-Mar-2016 13:28:35.128 SEVERE [http-nio-8080-exec-6] com.novell.apparmor.catalina.valves.ChangeHatValve.invoke [APPARMOR] ChangeHat to [/somepage] failed. Running in parent context.




On Wed, Mar 30, 2016 at 2:23 PM, Me Self <wmsopou at gmail.com> wrote:

> I'm trying to profile Tomcat 8 but the profile contains fewer rules than I
> would expect.
>
> This is what I do:
>
> sudo aa-genprof /usr/local/apache-tomcat-8.0.32/bin/catalina.sh
>
> Then start tomcat, load a page, stop tomcat.
>
> Then Scan logfile and allow everything aa-genprof found.
>
> It generates a profile /etc/apparmor.d/usr.local.apache-tomcat-8.0.32.bin.catalina.sh
> with this content:
>
> # Last Modified: Wed Mar 30 14:12:49 2016
> #include <tunables/global>
>
> /usr/local/apache-tomcat-8.0.32/bin/catalina.sh flags=(complain) {
>   #include <abstractions/base>
>
>
>
>   /bin/dash ix,
>   /bin/touch r,
>   /bin/uname rix,
>   /usr/bin/dirname rix,
>   /usr/bin/tty r,
>   /usr/local/apache-tomcat-8.0.32/bin/catalina.sh r,
>   /usr/local/apache-tomcat-8.0.32/bin/setclasspath.sh r,
>   /usr/local/apache-tomcat-8.0.32/bin/setenv.sh r,
>   /usr/local/apache-tomcat-8.0.32/logs/catalina.out w,
>   /usr/local/jdk1.8.0_74/jre/lib/amd64/jvm.cfg r,
>   /usr/local/jdk1.8.0_74/jre/lib/amd64/server/libjvm.so mr,
>   /usr/local/jdk1.8.0_74/lib/amd64/jli/libjli.so mr,
>
>
>   ^DEFAULT flags=(complain) {
>
>
>   }
> }
>
> These rules seem to be related to the script itself and not the JVM it's
> spawning. I also tried running aa-complain but it didn't add anything new to
> the profile.
>
> In the syslog I see messages such as this (the webapp is ROOT.war). What does
> the /null-50 in the profile attribute mean?
>
> [174402.483458] type=1400 audit(1459339942.803:1134393):
> apparmor="ALLOWED" operation="getattr"
> profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50"
> name="/usr/local/apache-tomcat-8.0.32/webapps/ROOT.war" pid=14365
> comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
>
> Also aa-status shows a lot of these "null" profiles:
>
> 46 profiles are in complain mode.
>    <cut>
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//DEFAULT
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-40
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-41
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-42
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-43
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-44
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-44//null-45
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-44//null-46
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-44//null-47
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-48
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-49
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4a
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4b
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4c
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4d
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4e
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-4f
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50//null-51
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50//null-52
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50//null-53
>    /usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50//null-54
>
> I set the changehat to switch profile on servletpath in server.xml:
>
>       <Host name="localhost"  appBase="webapps"
>             unpackWARs="true" autoDeploy="true">
>
>         <Valve
> className="com.novell.apparmor.catalina.valves.ChangeHatValve"
>              mediationType="ServletPath"/>
>
>
>
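As an added example for this thread (not code from the AppArmor project, the Tomcat valve, or the poster): a small Python script that parses type=1400 audit lines like the one quoted above, splits the profile= field on "//", and groups candidate rules per profile. A component named null-NN is a transient learning profile that AppArmor creates in complain mode when a confined process execs a binary the profile has no exec rule for, which is why the java accesses are logged under catalina.sh//null-50 rather than under catalina.sh itself; a nested null-44//null-45 means that child exec'd something in turn, and a //hatname component would be a ChangeHat hat. Only the first SAMPLE_LOG line is from the post; the other lines, the file paths in them and the pid are constructed to look like follow-on events of the same JVM, and the mask translation is a best-effort approximation of what aa-logprof does, not its code.

```python
"""Draft AppArmor rules from complain-mode audit lines, grouped by profile.

Added example for this thread; not code from the AppArmor project or the
poster. Only the first SAMPLE_LOG line is from the post; the rest are
constructed follow-on events for the same JVM (pid 14365) and illustrative.
"""
import re
from collections import defaultdict

# Audit fields are key="quoted value" or key=bare_value.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOG = """\
[174402.483458] type=1400 audit(1459339942.803:1134393): apparmor="ALLOWED" operation="getattr" profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50" name="/usr/local/apache-tomcat-8.0.32/webapps/ROOT.war" pid=14365 comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
[174402.100000] type=1400 audit(1459339942.400:1134380): apparmor="ALLOWED" operation="exec" profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh" name="/usr/local/jdk1.8.0_74/bin/java" pid=14365 comm="dash" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0 target="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50"
[174402.500000] type=1400 audit(1459339942.810:1134394): apparmor="ALLOWED" operation="file_mmap" profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50" name="/usr/local/jdk1.8.0_74/jre/lib/amd64/libjava.so" pid=14365 comm="java" requested_mask="rm" denied_mask="rm" fsuid=1001 ouid=0
[174402.600000] type=1400 audit(1459339942.900:1134395): apparmor="ALLOWED" operation="open" profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50" name="/usr/local/apache-tomcat-8.0.32/logs/localhost_access_log.2016-03-30.txt" pid=14365 comm="java" requested_mask="wc" denied_mask="wc" fsuid=1001 ouid=1001
[174403.000000] type=1400 audit(1459339943.000:1134396): apparmor="ALLOWED" operation="open" profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh" name="/usr/local/apache-tomcat-8.0.32/bin/setenv.sh" pid=14360 comm="dash" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
Mar 30 13:28:25 host kernel: unrelated line without an apparmor event
"""


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line, or None if the
    line carries no apparmor= event (e.g. an unrelated kernel message)."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def split_profile(profile):
    """'parent//child//grandchild' -> ('parent', ['child', 'grandchild']).

    null-NN components are transient learning profiles created in complain
    mode for an exec the profile has no rule for; other components are hats."""
    parts = profile.split('//')
    return parts[0], parts[1:]


def is_null_profile(profile):
    return any(c.startswith('null-') for c in split_profile(profile)[1])


def mask_to_perms(mask, operation):
    """Translate requested_mask letters into rule permissions (best effort,
    an approximation of what aa-logprof does, not its code)."""
    needed = set(mask)
    if needed & set('cd'):      # create/delete are 'w' in profile syntax
        needed.add('w')
    perms = ''.join(c for c in 'rwmkl' if c in needed)
    if operation == 'exec' or 'x' in needed:
        perms += 'ix'           # inherit: the child keeps the caller's profile
    return perms


def draft_rules(log_text):
    """{full profile name: sorted candidate rules}. Keying on the full name
    keeps what java did under //null-50 apart from what the script did."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or 'name' not in ev or 'profile' not in ev:
            continue
        perms = mask_to_perms(ev.get('requested_mask', ''), ev.get('operation', ''))
        if perms:
            rules[ev['profile']].add(f"{ev['name']} {perms},")
    return {p: sorted(r) for p, r in rules.items()}


def null_profile_origins(log_text):
    """Map each null-NN profile to the binary whose exec created it, taken
    from the target= field of the parent profile's exec event."""
    origins = {}
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev and ev.get('operation') == 'exec' and is_null_profile(ev.get('target', '')):
            origins[ev['target']] = ev['name']
    return origins


def render_draft(log_text):
    """One block per top-level profile. Rules learned inside its null-NN
    children go under a comment: once the parent carries an 'ix' rule for
    that binary the child runs in the parent profile, so they belong there."""
    rules, origins = draft_rules(log_text), null_profile_origins(log_text)
    out = []
    for parent in sorted({split_profile(p)[0] for p in rules}):
        out.append(f"{parent} flags=(complain) {{")
        out.extend(f"  {rule}" for rule in rules.get(parent, []))
        for child in sorted(p for p in rules if p != parent and split_profile(p)[0] == parent):
            out.append(f"  # learned in {child} (exec of {origins.get(child, 'unknown')})")
            out.extend(f"  {rule}" for rule in rules[child])
        out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_draft(SAMPLE_LOG))
```

Pointing draft_rules at real lines (for example the output of `grep apparmor= /var/log/syslog`) shows at a glance which accesses were recorded against catalina.sh and which against its null-NN children; the draft it prints is a starting point for hand-editing, not a replacement for aa-logprof, which also handles globbing, abstractions and exec transition choices.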
>