[apparmor] AppArmor and virtual hosts in Apache

John Johansen john.johansen at canonical.com
Sat Apr 29 01:32:19 UTC 2017


On 04/28/2017 06:02 PM, Seth Arnold wrote:
> On Wed, Apr 26, 2017 at 08:26:10PM +0200, Lentes, Bernd wrote:
>> I'm pretty new to AppArmor and have some basic questions.
>> I have an apache running some virtual hosts. One vhost is accessible
>> from the internet. I'd like to confine that vhost with apparmor. Does
>> it matter if it is a name-based or IP-based vhost?
> 
> Hello Bernd, welcome. mod_apparmor for Apache doesn't care about name vs
> ip hosting. However, mod_apparmor can't run the other vhosts in the Apache
> process "unconfined" -- if you're going to confine any of it, you're going
> to confine all of it. The idea with mod_apparmor is that you could be
> broad with some applications and tight with others.
> 
>> I have a SLES 10 SP4 box.
>>
>> I installed apparmor and the module for apache. The module is enabled. I
>> added the following to the conf-file of the vhost:
>>
>> AADefaultHatName genetrap
>>
>> To /etc/apparmor.d/usr.sbin.httpd2-prefork I added the following:
>>
>> /usr/sbin/httpd2-prefork//genetrap flags=(complain) {
>>     #include <abstractions/base>
>>     #include <abstractions/nameservice>
>> }
>> It seems this is the SUSE way; I also saw subprofile definitions
>> beginning with a ^ and afterwards just the name of the hat. Are both
>> correct?
> 
> This is sorely under-documented but I believe the hats must be named with
> '^' or 'hat' in the files, whether it is of the format:
> 
> /outer/profile/name^hatname { }
> 
> or of the format:
> 
> /outer/profile/name {
>  ...
>  ^hatname { }
>  ...
> }
> 
> The // is usually reserved for child profiles and I'm not sure of the
> consequences of mixing the two formats.
> 

The ^ can only be used to define a hat name within a profile; it does
NOT indicate a hat in the larger sense of
  /outer/profile/name ^hatname
which unfortunately is a valid profile name, because profile names that
begin with / are basically allowed to have any valid character in them.

The actual separator for profile then hat is //, so
  /outer/profile/name//hatname

This format is NOT used within a profile, i.e.

profile /outer/profile/name {

  ^hatname { }  # valid hatname
  hat hatname { }  # valid hatname

  ^/outer/profile/name//hatname {}  # broken and invalid
}

The keyword hat, as shown above, can be substituted for the ^ to declare a hat.
It is important to note that hats are just a special subprofile that is
tagged as being valid for use with the change_hat() API.


Now there is a special case where hats can be declared external to their
parent profile using the parent_name//hat_name syntax, and the
parent_name//hat_name syntax might also be used for profile transitions,
but generally you don't have to think about it for apache and mod_apparmor.

> 
>> Restarts of apache and apparmor don't complain.
>>
>> Having a look in /var/log/audit/audit.log shows lines like:
>> type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953):  type=1502
>> operation="inode_permission" requested_mask="r" denied_mask="r"
>> name="/usr/share/apache2/error/include/top.html" pid=3405
>> profile="/usr/sbin/httpd2-prefork//genetrap"
>>
>> Does that mean that the profile is running fine?
> 
> This certainly gives the impression that it's working correctly. Maybe I'm
> wrong.
> 
>> Is the procedure I did correct?
>> aa-status does not show the subprofile:
>>
>> pc52842:~ # aa-status
>> apparmor module is loaded.
>> 11 profiles are loaded.
>> 10 profiles are in enforce mode.
>>    /usr/sbin/ntpd
>>    /usr/sbin/identd
>>    /sbin/klogd
>>    /sbin/syslogd
>>    /sbin/syslog-ng
>>    /usr/sbin/traceroute
>>    /usr/sbin/nscd
>>    /bin/ping
>>    /usr/sbin/mdnsd
>>    /usr/sbin/named
>> 1 profiles are in complain mode.
>>    /usr/sbin/httpd2-prefork
>> 15 processes have profiles defined.
>> 3 processes are in enforce mode :
>>    /sbin/syslog-ng (3084)
>>    /usr/sbin/nscd (3762)
>>    /sbin/klogd (3087)
>> 12 processes are in complain mode.
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3410)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3408)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3030)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3407)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3032)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3031)
>>    /usr/sbin/httpd2-prefork (3028)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (11334)
>>    /usr/sbin/httpd2-prefork (3027)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3029)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3409)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3405)
>> 0 processes are unconfined but have a profile defined.
>>
>> Is that correct? Is it possible now to have the vhost running for a
>> certain time in complain mode and then use logprof to create a profile
>> just for this one vhost?
> 
> Ideally yes, but this is tricky -- complain mode causes every
> aa_change_hat() to every hat name, known or not, to succeed. This case
> makes it more annoying than it should be to use the automatic learning
> tools in complain mode when the application 'probes' multiple hat names,
> as it prevents second or third names in the list from being useful.
> 
> If it were me I'd probably build the profile for this use by hand in
> enforce mode, just to make sure that the hats selected for different URLs
> are what I'd like them to be.
> 
> Thanks
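An added example (not from this thread, nor AppArmor or mod_apparmor code) in Python: it parses audit.log lines of the kind Bernd quoted, splits profile="parent//hat" into the parent profile and the hat, and renders the observed paths as candidate rules with the hat declared as ^hatname inside the parent, the form John describes, rather than with the // separator. The sample log lines are constructed; paths other than the quoted top.html are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample lines modelled on the audit.log excerpt quoted in the thread;
# paths other than top.html are assumptions for illustration.
SAMPLE_LOG = """\
type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953):  type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/share/apache2/error/include/top.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230552.101:17954):  type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/srv/www/genetrap/index.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230553.222:17955):  type=1502 operation="inode_permission" requested_mask="w" denied_mask="w" name="/srv/www/genetrap/index.html" pid=3407 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230554.333:17956):  type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/etc/apache2/mime.types" pid=3028 profile="/usr/sbin/httpd2-prefork"
"""
# Matches key="quoted value" or key=bareword tokens of an audit line.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

def parse_audit_line(line):
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, val = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
        fields.setdefault(key, val)  # first 'type=' on the line wins (APPARMOR_ALLOWED, not 1502)
    return fields

def split_profile(profile):
    """'/parent//hat' -> ('/parent', 'hat'); a bare profile name has no hat."""
    parent, sep, hat = profile.partition("//")
    return parent, (hat if sep else None)

def collect_accesses(log_text):
    """{(parent, hat): {path: set(mask chars)}} from APPARMOR_ALLOWED/DENIED events."""
    acc = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("type") not in ("APPARMOR_ALLOWED", "APPARMOR_DENIED") or "name" not in f or "profile" not in f:
            continue
        mask = f.get("denied_mask") or f.get("requested_mask", "")  # complain mode logs both
        acc[split_profile(f["profile"])][f["name"]].update(mask)
    return acc

def render_rules(acc, parent):
    """Candidate rules for one parent; hats go inside it as '^hat { }', never as '//'."""
    out = [f"{parent} {{"]
    for (p, hat), paths in sorted(acc.items(), key=lambda kv: kv[0][1] or ""):
        if p != parent:
            continue  # accesses by other parent profiles are not this profile's business
        indent = "  "
        if hat is not None:
            out.append(f"  ^{hat} {{")
            indent = "    "
        for path, mask in sorted(paths.items()):
            out.append(f"{indent}{path} {''.join(sorted(mask))},")
        if hat is not None:
            out.append("  }")
    out.append("}")
    return "\n".join(out)
```

Run `print(render_rules(collect_accesses(SAMPLE_LOG), "/usr/sbin/httpd2-prefork"))` to see the parent profile with the genetrap hat nested inside it; the output is a starting point to review by hand, not a finished profile.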