[apparmor] AppArmor and virtual hosts in Apache
Lentes, Bernd
bernd.lentes at helmholtz-muenchen.de
Tue May 2 08:58:39 UTC 2017
----- On Apr 29, 2017, at 3:02 AM, Seth Arnold seth.arnold at canonical.com wrote:
> On Wed, Apr 26, 2017 at 08:26:10PM +0200, Lentes, Bernd wrote:
>
> Hello Bernd, welcome. mod_apparmor for Apache doesn't care about name vs
> ip hosting. However, mod_apparmor can't run the other vhosts in the Apache
> process "unconfined" -- if you're going to confine any of it, you're going
> to confine all of it. The idea with mod_apparmor is that you could be
> broad with some applications and tight with others.
>
Why not? I can provide a unique subprofile for each vhost.
So the level of confinement can be different for each. Am I wrong?
Or do you mean that, if I create a subprofile for a dedicated vhost, Apache (the "parent" profile) needs to run in
confined mode, and that this confined mode is valid for all vhosts?
Does the subprofile for one vhost influence other vhosts?
Is it possible to run Apache unconfined but the subprofile for a hat confined?
>> I have a SLES 10 SP4 box.
>>
>> I installed AppArmor and the module for Apache. The module is enabled. I
>> added the following to the conf file of the vhost:
>>
>> AADefaultHatName genetrap
>>
>> To /etc/apparmor.d/usr.sbin.httpd2-prefork I added the following:
>>
>> /usr/sbin/httpd2-prefork//genetrap flags=(complain) {
>>   #include <abstractions/base>
>>   #include <abstractions/nameservice>
>> }
>>
>> It seems this is the SUSE way; I also saw subprofile definitions
>> beginning with a ^ and afterwards just the name of the hat. Are both
>> correct?
>
> This is sorely under-documented but I believe the hats must be named with
> '^' or 'hat' in the files, whether it is of the format:
>
> /outer/profile/name^hatname { }
>
> or of the format:
>
> /outer/profile/name {
> ...
> ^hatname { }
> ...
> }
>
> The // is usually reserved for child profiles and I'm not sure of the
> consequences of mixing the two formats.
>
>
>> Restarts of apache and apparmor don't complain.
>>
>> Having a look in /var/log/audit/audit.log shows lines like:
>> type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953): type=1502
>> operation="inode_permission" requested_mask="r" denied_mask="r"
>> name="/usr/share/apache2/error/include/top.html" pid=3405
>> profile="/usr/sbin/httpd2-prefork//genetrap"
>>
>> Does that mean that the profile is running fine ?
>
> This certainly gives the impression that it's working correctly. Maybe I'm
> wrong.
>
>> Is the procedure i did correct ?
>> aa-status does not show the subprofile:
>>
>> pc52842:~ # aa-status
>> apparmor module is loaded.
>> 11 profiles are loaded.
>> 10 profiles are in enforce mode.
>> /usr/sbin/ntpd
>> /usr/sbin/identd
>> /sbin/klogd
>> /sbin/syslogd
>> /sbin/syslog-ng
>> /usr/sbin/traceroute
>> /usr/sbin/nscd
>> /bin/ping
>> /usr/sbin/mdnsd
>> /usr/sbin/named
>> 1 profiles are in complain mode.
>> /usr/sbin/httpd2-prefork
>> 15 processes have profiles defined.
>> 3 processes are in enforce mode :
>> /sbin/syslog-ng (3084)
>> /usr/sbin/nscd (3762)
>> /sbin/klogd (3087)
>> 12 processes are in complain mode.
>> /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3410)
>> /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3408)
>> /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3030)
>> /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3407)
>> /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3032)
>> /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3031)
>> /usr/sbin/httpd2-prefork (3028)
>> /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (11334)
>> /usr/sbin/httpd2-prefork (3027)
>> /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3029)
>> /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3409)
>> /usr/sbin/httpd2-prefork^HANDLING_UNTRUSTED_INPUT (3405)
>> 0 processes are unconfined but have a profile defined.
>>
>> Is that correct? Is it possible now to have the vhost running for a
>> certain time in complain mode and then use logprof to create a profile
>> just for this one vhost?
>
> Ideally yes, but this is tricky -- complain mode causes every
> aa_change_hat() to every hat name, known or not, to succeed. This case
> makes it more annoying than it should be to use the automatic learning
> tools in complain mode when the application 'probes' multiple hat names,
> as it prevents second or third names in the list from being useful.
>
I realized that. I tried to generate a profile using logprof, and AppArmor wants to create a lot
of hats, which I don't want. Why is AppArmor doing that? It's annoying.
Is there a way to prevent AppArmor from doing that?
Bernd
Bernd
Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671
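The problem Seth describes above (in complain mode every aa_change_hat() probe succeeds, so the learning tools offer a stanza for every hat name Apache tries, not just the one vhost you care about) can be worked around by filtering the audit log yourself before feeding anything to a profile. The script below is an added example for this thread; it is not part of the original mail and not part of the AppArmor tools (aa-logprof and apparmor_parser remain the real tooling). It assumes the audit line layout shown in the mail (type=APPARMOR_ALLOWED ... profile="/usr/sbin/httpd2-prefork//genetrap", with the hat after "//" as in the log), assumes that change_hat events carry the probed hat in name=, and emits the hat in the ^hatname { } form Seth mentions. The sample log lines inside it are constructed, not taken from the original box.

```python
"""Filter AppArmor audit events for one mod_apparmor hat and turn them into
profile rules.

Added example for this thread, not original mail content and not AppArmor's
own code. Assumptions: audit records look like the one quoted in the mail
(profile="/parent//hat"), and change_hat records carry the probed hat name in
the name= field. The log lines below are constructed sample input.
"""
import re
from collections import defaultdict

# Matches key="quoted value" or key=bare_value tokens in an audit record.
_TOKEN = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample audit.log content (same layout as the line in the mail).
SAMPLE_LOG = """\
type=APPARMOR_ALLOWED msg=audit(1493230551.040:17953): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/usr/share/apache2/error/include/top.html" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230551.041:17954): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/srv/www/genetrap/index.php" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230551.042:17955): type=1502 operation="inode_permission" requested_mask="w" denied_mask="w" name="/srv/www/genetrap/index.php" pid=3405 profile="/usr/sbin/httpd2-prefork//genetrap"
type=APPARMOR_ALLOWED msg=audit(1493230551.043:17956): type=1502 operation="change_hat" name="HANDLING_UNTRUSTED_INPUT" pid=3406 profile="/usr/sbin/httpd2-prefork"
type=APPARMOR_ALLOWED msg=audit(1493230551.044:17957): type=1502 operation="change_hat" name="genetrap" pid=3405 profile="/usr/sbin/httpd2-prefork"
type=APPARMOR_ALLOWED msg=audit(1493230551.045:17958): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/etc/apache2/magic" pid=3406 profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"
type=USER_LOGIN msg=audit(1493230552.000:17959): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/bin/login" res=success'
"""


def parse_audit_line(line):
    """Return the key/value fields of one audit record as a dict.

    The record in the mail carries two type= tokens (APPARMOR_ALLOWED and the
    numeric 1502); the first one is the audit record type, so keep the first
    occurrence of every key.
    """
    fields = {}
    for m in _TOKEN.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields.setdefault(key, quoted if quoted is not None else bare)
    return fields


def split_profile(profile):
    """'/usr/sbin/httpd2-prefork//genetrap' -> ('/usr/sbin/httpd2-prefork', 'genetrap').

    A profile without '//' is the parent itself; the hat part is then None.
    """
    parent, sep, hat = profile.partition('//')
    return parent, (hat if sep else None)


def learn_hat(lines, parent, hat):
    """Collect file rules for `hat` under `parent` only.

    Returns (rules, probed): rules maps path -> set of mask characters seen
    while running in `hat`; probed is the set of *other* hat names that
    `parent` tried to change into (every probe succeeds in complain mode, which
    is exactly what makes the learning tools offer unwanted hats).
    """
    rules = defaultdict(set)
    probed = set()
    for line in lines:
        f = parse_audit_line(line)
        if not f.get('type', '').startswith('APPARMOR'):
            continue                      # unrelated audit record types
        prof_parent, prof_hat = split_profile(f.get('profile', ''))
        if prof_parent != parent:
            continue                      # some other confined program
        if f.get('operation') == 'change_hat':
            target = f.get('name', '')
            if target and target != hat:
                probed.add(target)
            continue
        if prof_hat != hat:
            continue                      # event from the parent or another hat
        path, mask = f.get('name'), f.get('requested_mask')
        if path and mask:
            rules[path].update(mask)
    return rules, probed


def render_hat(hat, rules, complain=True):
    """Render a hat stanza in the ^hatname { } form, one file rule per path."""
    flags = ' flags=(complain)' if complain else ''
    out = ['^%s%s {' % (hat, flags),
           '  #include <abstractions/base>',
           '  #include <abstractions/nameservice>',
           '']
    for path in sorted(rules):
        out.append('  %s %s,' % (path, ''.join(sorted(rules[path]))))
    out.append('}')
    return '\n'.join(out)


if __name__ == '__main__':
    learned, others = learn_hat(SAMPLE_LOG.splitlines(),
                                '/usr/sbin/httpd2-prefork', 'genetrap')
    print(render_hat('genetrap', learned))
    print('# hats probed but ignored: %s' % ', '.join(sorted(others)))
```

Run it against a copy of /var/log/audit/audit.log instead of SAMPLE_LOG to get a stanza for a single vhost hat; the names listed under "probed but ignored" are the ones the learning tools would otherwise ask you about. The stanza is written with ^genetrap rather than the /usr/sbin/httpd2-prefork//genetrap header, so it has to be placed inside the enclosing /usr/sbin/httpd2-prefork { } profile, and the parent still has to be loaded for mod_apparmor to change into the hat at all.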