[apparmor] AppArmor and virtual hosts in Apache

Lentes, Bernd bernd.lentes at helmholtz-muenchen.de
Tue May 2 08:58:39 UTC 2017



----- On Apr 29, 2017, at 3:02 AM, Seth Arnold seth.arnold at canonical.com wrote:

> On Wed, Apr 26, 2017 at 08:26:10PM +0200, Lentes, Bernd wrote:
> 
> Hello Bernd, welcome. mod_apparmor for Apache doesn't care about name vs
> ip hosting. However, mod_apparmor can't run the other vhosts in the Apache
> process "unconfined" -- if you're going to confine any of it, you're going
> to confine all of it. The idea with mod_apparmor is that you could be
> broad with some applications and tight with others.
> 

Why not? I can provide a unique subprofile for each vhost.
So the level of confinement for each can be different. Am I wrong?
Or do you mean that, if I create a subprofile for a dedicated vhost, the Apache (the "parent" profile) needs to run in
confined mode and that this confined mode is valid for all vhosts?
Does the subprofile for one vhost influence other vhosts?
Is it possible to run Apache unconfined but the subprofile for a hat confined?

>> I have a SLES 10 SP4 box.
>> 
>> I installed AppArmor and the module for Apache. The module is enabled. I
>> added the following to the conf file of the vhost:
>> 
>> AADefaultHatName genetrap
>> 
>> To /etc/apparmor.d/usr.sbin.httpd2-prefork I added the following:
>> 
>> /usr/sbin/httpd2-prefork//genetrap flags=(complain) {
>>     #include <abstractions/base>
>>     #include <abstractions/nameservice>
>> }
>> It seems this is the SUSE way; I also saw subprofile definitions
>> beginning with a ^ and afterwards just the name of the hat. Are both
>> correct?
> 
> This is sorely under-documented but I believe the hats must be named with
> '^' or 'hat' in the files, whether it is of the format:
> 
> /outer/profile/name^hatname { }
> 
> or of the format:
> 
> /outer/profile/name {
> ...
> ^hatname { }
> ...
> }
> 
> The // is usually reserved for child profiles and I'm not sure of the
> consequences of mixing the two formats.
> 
> 
>> Restarts of Apache and AppArmor don't complain.
>> 
>> Having a look in /var/log/audit/audit.log shows lines like:
>> type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953):  type=1502
>> operation="inode_permission" requested_mask="r" denied_mask="r"
>> name="/usr/share/apache2/error/include/top.html" pid=3405
>> profile="/usr/sbin/httpd2-prefork//genetrap"
>> 
>> Does that mean that the profile is running fine?
> 
> This certainly gives the impression that it's working correctly. Maybe I'm
> wrong.
> 
>> Is the procedure I did correct?
>> aa-status does not show the subprofile:
>> 
>> pc52842:~ # aa-status
>> apparmor module is loaded.
>> 11 profiles are loaded.
>> 10 profiles are in enforce mode.
>>    /usr/sbin/ntpd
>>    /usr/sbin/identd
>>    /sbin/klogd
>>    /sbin/syslogd
>>    /sbin/syslog-ng
>>    /usr/sbin/traceroute
>>    /usr/sbin/nscd
>>    /bin/ping
>>    /usr/sbin/mdnsd
>>    /usr/sbin/named
>> 1 profiles are in complain mode.
>>    /usr/sbin/httpd2-prefork
>> 15 processes have profiles defined.
>> 3 processes are in enforce mode :
>>    /sbin/syslog-ng (3084)
>>    /usr/sbin/nscd (3762)
>>    /sbin/klogd (3087)
>> 12 processes are in complain mode.
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3410)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3408)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3030)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3407)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3032)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3031)
>>    /usr/sbin/httpd2-prefork (3028)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (11334)
>>    /usr/sbin/httpd2-prefork (3027)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3029)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3409)
>>    /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3405)
>> 0 processes are unconfined but have a profile defined.
>> 
>> Is that correct? Is it possible now to have the vhost running for a
>> certain time in complain mode and then use logprof to create a profile
>> just for this one vhost?
> 
> Ideally yes, but this is tricky -- complain mode causes every
> aa_change_hat() to every hat name, known or not, to succeed. This case
> makes it more annoying than it should be to use the automatic learning
> tools in complain mode when the application 'probes' multiple hat names,
> as it prevents second or third names in the list from being useful.
> 

I realized that. I tried to generate a profile using logprof, and AppArmor wants to create a lot
of hats, which I don't want. Why is AppArmor doing that? It's annoying.
Is there a way to prevent AppArmor from doing that?


Bernd


Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
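As an added example (not from the thread and not part of AppArmor's own tools), a small Python parser for audit.log records in the format quoted above. It merges the would-be denials per path and groups them by profile, and lists which hat names the log actually contains, which is useful to review before letting logprof generate hats. The sample records are constructed for the example; only the first is copied from the post.

```python
import re
from collections import defaultdict

# Constructed audit.log records (first line quoted from the thread, rest made up).
SAMPLE_AUDIT = """\
type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953):  type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/share/apache2/error/include/top.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230551.041:17954):  type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/var/lib/genetrap/cache.db" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230551.042:17955):  type=1502 operation="inode_permission" requested_mask="w" denied_mask="w" name="/var/lib/genetrap/cache.db" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230552.100:17960):  type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/srv/www/other/index.html" pid=3407 profile="/usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT"
type=APPARMOR_DENIED msg=audit(1493230553.000:17970):  type=1502 operation="inode_permission" requested_mask="w" denied_mask="w" name="/var/log/apache2/error_log" pid=3028 profile="/usr/sbin/httpd2-prefork"
some unrelated audit line that should be skipped
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_audit_line(line):
    """Return a dict of the quoted key="value" fields plus the event type
    (ALLOWED or DENIED), or None for lines that are not AppArmor events."""
    if not line.startswith("type=APPARMOR_"):
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["event"] = line.split()[0][len("type=APPARMOR_"):]
    return rec

def split_profile(profile):
    """Split 'parent//hat' or 'parent^hat' into (parent, hat); hat is None
    when the parent profile itself handled the request."""
    for sep in ("//", "^"):
        if sep in profile:
            return tuple(profile.split(sep, 1))
    return profile, None

def summarize(log_text):
    """Merge denied masks per path, keyed by profile (parent, //hat or ^hat).
    APPARMOR_ALLOWED records are complain-mode hits, i.e. would-be denials."""
    masks = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or "name" not in rec:
            continue
        masks[rec["profile"]][rec["name"]].update(rec["denied_mask"])
    return {prof: {p: "".join(sorted(m)) for p, m in paths.items()}
            for prof, paths in masks.items()}

def hats_seen(log_text):
    """Hat names occurring in the log (the names logprof will work from)."""
    hats = {split_profile(p)[1] for p in summarize(log_text)}
    hats.discard(None)
    return sorted(hats)
```

Run it against a copy of /var/log/audit/audit.log instead of SAMPLE_AUDIT to see which hats the complain-mode run has actually recorded.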