[apparmor] AppArmor and virtual hosts in Apache

Seth Arnold seth.arnold at canonical.com
Sat Apr 29 01:02:17 UTC 2017


On Wed, Apr 26, 2017 at 08:26:10PM +0200, Lentes, Bernd wrote:
> I'm pretty new to AppArmor and have some basic questions.
> I have an apache running some virtual hosts. One vhost is accessible
> from the internet. I'd like to confine that vhost with apparmor.  Does
> it matter if it is a namebased or ip-based vhost?

Hello Bernd, welcome. mod_apparmor for Apache doesn't care about name vs
ip hosting. However, mod_apparmor can't run the other vhosts in the Apache
process "unconfined" -- if you're going to confine any of it, you're going
to confine all of it. The idea with mod_apparmor is that you could be
broad with some applications and tight with others.

> I have a SLES 10 SP4 box.
> 
> I installed apparmor and the module for apache. The module is enabled. I
> added the following to the conf-file of the vhost:
> 
> AADefaultHatName genetrap
> 
> To /etc/apparmor.d/usr.sbin.httpd2-prefork I added the following:
> 
> /usr/sbin/httpd2-prefork//genetrap flags=(complain) {
>     #include <abstractions/base>
>     #include <abstractions/nameservice>
> }
> It seems this is the suse way, I also saw subprofile definitions
> beginning with an ^ and afterwards just the name of the hat.  Are both
> correct?

This is sorely under-documented but I believe the hats must be named with
'^' or 'hat' in the files, whether it is of the format:

/outer/profile/name^hatname { }

or of the format:

/outer/profile/name {
 ...
 ^hatname { }
 ...
}

The // is usually reserved for child profiles and I'm not sure of the
consequences of mixing the two formats.


> Restarts of apache and apparmor don't complain.
> 
> Having a look in /var/log/audit/audit.log shows lines like:
> type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953):  type=1502
> operation="inode_permission" requested_mask="r" denied_mask="r"
> name="/usr/share/apache2/error/include/top.html" pid=3405
> profile="/usr/sbin/httpd2-prefork//genetrap"
> 
> Does that mean that the profile is running fine?

This certainly gives the impression that it's working correctly. Maybe I'm
wrong.

> Is the procedure I did correct?
> aa-status does not show the subprofile:
> 
> pc52842:~ # aa-status
> apparmor module is loaded.
> 11 profiles are loaded.
> 10 profiles are in enforce mode.
>    /usr/sbin/ntpd
>    /usr/sbin/identd
>    /sbin/klogd
>    /sbin/syslogd
>    /sbin/syslog-ng
>    /usr/sbin/traceroute
>    /usr/sbin/nscd
>    /bin/ping
>    /usr/sbin/mdnsd
>    /usr/sbin/named
> 1 profiles are in complain mode.
>    /usr/sbin/httpd2-prefork
> 15 processes have profiles defined.
> 3 processes are in enforce mode :
>    /sbin/syslog-ng (3084)
>    /usr/sbin/nscd (3762)
>    /sbin/klogd (3087)
> 12 processes are in complain mode.
>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3410)
>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3408)
>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3030)
>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3407)
>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3032)
>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3031)
>    /usr/sbin/httpd2-prefork (3028)
>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (11334)
>    /usr/sbin/httpd2-prefork (3027)
>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3029)
>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3409)
>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3405)
> 0 processes are unconfined but have a profile defined.
> 
> Is that correct? Is it possible now to have the vhost running for a
> certain time in complain mode and then use logprof to create a profile
> just for this one vhost?

Ideally yes but this is tricky -- complain mode causes every
aa_change_hat() to every hat name, known or not, to succeed. This case
makes it more annoying than it should be to use the automatic learning
tools in complain mode when the application 'probes' multiple hat names,
as it prevents second or third names in the list from being useful.

If it were me I'd probably build the profile for this use by hand in
enforce mode, just to make sure that the hats selected for different URLs
are what I'd like them to be.

Thanks
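An added example, not from this thread or from the AppArmor project, that does by hand a small part of what aa-logprof does for hats: it parses audit.log records in the format Bernd quoted, groups the paths each hat touched, and renders candidate file rules for review before they go into the ^genetrap hat. The sample records are constructed (only the first is the one quoted above); accepting both the `//` separator seen in audit.log and the `^` separator seen in aa-status output is an assumption for convenience.

```python
import re
from collections import defaultdict

# Constructed /var/log/audit/audit.log records in the format quoted in the
# thread (first line is the thread's own, the rest are made up). In complain
# mode AppArmor logs APPARMOR_ALLOWED plus a denied_mask for accesses that
# enforce mode would have blocked.
SAMPLE_LOG = """\
type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953):  type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/share/apache2/error/include/top.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230552.100:17954):  type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/srv/www/vhosts/genetrap/index.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230553.200:17955):  type=1502 operation="inode_permission" requested_mask="w" denied_mask="w" name="/srv/www/vhosts/genetrap/upload/x.tmp" pid=3407 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230554.300:17956):  type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/share/apache2/error/include/bottom.html" pid=3408 profile="/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT"
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Split one audit record into fields; the first 'type=' (the record type) wins over 'type=1502'."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields.setdefault(key, quoted if raw.startswith('"') else raw)
    return fields

def split_profile(profile):
    """Split 'profile//hat' (audit.log) or 'profile^hat' (aa-status) into (profile, hat or None)."""
    sep = "//" if "//" in profile else "^" if "^" in profile else None
    return tuple(profile.split(sep, 1)) if sep else (profile, None)

def summarize(log_text):
    """Return {(profile, hat): {path: set of mask chars}} from AppArmor access records."""
    access = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if (rec.get("type") not in ("APPARMOR_ALLOWED", "APPARMOR_DENIED")
                or "name" not in rec or "profile" not in rec):
            continue  # not a file-access record from AppArmor
        mask = rec.get("denied_mask") or rec.get("requested_mask", "")
        access[split_profile(rec["profile"])][rec["name"]].update(mask)
    return access

def candidate_rules(access, profile, hat):
    """Render the paths one hat touched as AppArmor file rules, sorted by path."""
    return ["%s %s," % (path, "".join(sorted(masks)))
            for path, masks in sorted(access[(profile, hat)].items())]

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE_LOG), "/usr/sbin/httpd2-prefork", "genetrap"):
        print(rule)
```

The rules are a starting point for review, not a profile: a path seen once in complain mode still needs a decision about whether the vhost should have it at all.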