[apparmor] AppArmor and virtual hosts in Apache
Lentes, Bernd
bernd.lentes at helmholtz-muenchen.de
Wed Apr 26 18:26:10 UTC 2017
Hi,
I'm pretty new to AppArmor and have some basic questions.
I have an Apache running some virtual hosts. One vhost is accessible from the internet. I'd like to confine that vhost with AppArmor.
Does it matter if it is a name-based or IP-based vhost?
I have a SLES 10 SP4 box.
I installed AppArmor and the module for Apache. The module is enabled. I added the following to the conf file of the vhost:
AADefaultHatName genetrap
To /etc/apparmor.d/usr.sbin.httpd2-prefork I added the following:
/usr/sbin/httpd2-prefork//genetrap flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice>
}
It seems this is the SUSE way; I also saw subprofile definitions beginning with a ^ and afterwards just the name of the hat.
Are both correct?
Restarts of Apache and AppArmor don't complain.
Having a look in /var/log/audit/audit.log shows lines like:
type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/share/apache2/error/include/top.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
Does that mean that the profile is running fine?
Is the procedure I did correct?
aa-status does not show the subprofile:
pc52842:~ # aa-status
apparmor module is loaded.
11 profiles are loaded.
10 profiles are in enforce mode.
/usr/sbin/ntpd
/usr/sbin/identd
/sbin/klogd
/sbin/syslogd
/sbin/syslog-ng
/usr/sbin/traceroute
/usr/sbin/nscd
/bin/ping
/usr/sbin/mdnsd
/usr/sbin/named
1 profiles are in complain mode.
/usr/sbin/httpd2-prefork
15 processes have profiles defined.
3 processes are in enforce mode :
/sbin/syslog-ng (3084)
/usr/sbin/nscd (3762)
/sbin/klogd (3087)
12 processes are in complain mode.
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3410)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3408)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3030)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3407)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3032)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3031)
/usr/sbin/httpd2-prefork (3028)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (11334)
/usr/sbin/httpd2-prefork (3027)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3029)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3409)
/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3405)
0 processes are unconfined but have a profile defined.
Is that correct? Is it possible now to have the vhost running for a certain time in complain mode and then use logprof to create a profile just for this one vhost?
Thanks.
Bernd
--
Bernd Lentes
System administration
Institute of Developmental Genetics
Building 35.34 - Room 208
HelmholtzZentrum München
bernd.lentes at helmholtz-muenchen.de
phone: +49 (0)89 3187 1241
fax: +49 (0)89 3187 2294
Only when you commit to something can you be wrong
Scott Adams
Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
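As an added example (not from the post or from the AppArmor project), here is a small Python sketch of what aa-logprof does with complain-mode records like the one quoted above: it parses the audit lines, keeps only APPARMOR_ALLOWED records for one hat, merges the denied_mask letters per path and emits draft file rules for that hat. The audit lines, paths and the hat name /usr/sbin/httpd2-prefork//genetrap are constructed sample data; unlike aa-logprof it does no glob generalisation, so the draft is a starting point to review, not a finished profile.

```python
import re
from collections import defaultdict

# Constructed sample records in the SLES 10 audit format quoted in the post.
# APPARMOR_ALLOWED means the hat was in complain mode: the access was allowed
# but would have been denied in enforce mode, so each one needs a rule.
SAMPLE_AUDIT = """\
type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/share/apache2/error/include/top.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230552.101:17954): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/srv/www/vhosts/genetrap/index.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230553.207:17955): type=1502 operation="inode_permission" requested_mask="w" denied_mask="w" name="/srv/www/vhosts/genetrap/upload/tmp.dat" pid=3408 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230553.300:17956): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/srv/www/vhosts/genetrap/index.html" pid=3409 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230554.012:17957): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/srv/www/vhosts/other/index.html" pid=3030 profile="/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT"
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return the key/value fields of one audit record, quotes stripped.
    The first 'type=' (the record type) wins over the later 'type=1502'."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields.setdefault(key, quoted if quoted is not None else bare)
    return fields

def draft_rules(audit_text, hat):
    """Merge denied_mask letters per path for one hat and return draft
    AppArmor file rules sorted by path (records of other hats are ignored)."""
    masks = defaultdict(set)
    for line in audit_text.splitlines():
        f = parse_audit_line(line)
        if f.get("type") != "APPARMOR_ALLOWED" or f.get("profile") != hat:
            continue
        if "name" not in f:  # capability/network records carry no path
            continue
        masks[f["name"]].update(f.get("denied_mask", ""))
    order = "rwalkmx"  # fixed letter order so the output is deterministic
    return ["%s %s," % (path, "".join(c for c in order if c in m))
            for path, m in sorted(masks.items())]

def render_hat(hat, rules, mode="complain"):
    """Wrap the rules in a hat block in the style used in the post."""
    body = ["  #include <abstractions/base>", "  #include <abstractions/nameservice>"]
    body += ["  " + r for r in rules]
    return "%s flags=(%s) {\n%s\n}" % (hat, mode, "\n".join(body))

if __name__ == "__main__":
    hat = "/usr/sbin/httpd2-prefork//genetrap"
    print(render_hat(hat, draft_rules(SAMPLE_AUDIT, hat)))
```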