[apparmor] AppArmor and virtual hosts in Apache

Lentes, Bernd bernd.lentes at helmholtz-muenchen.de
Tue May 2 09:08:12 UTC 2017



----- On Apr 29, 2017, at 3:32 AM, John Johansen john.johansen at canonical.com wrote:

>> 
>>> I have a SLES 10 SP4 box.
>>>
>>> I installed apparmor and the module for apache. The module is enabled. I
>>> added the following to the conf-file of the vhost:
>>>
>>> AADefaultHatName genetrap
>>>
>>> To /etc/apparmor.d/usr.sbin.httpd2-prefork i added the following:
>>>
>>> /usr/sbin/httpd2-prefork//genetrap flags=(complain) {
>>>     #include <abstractions/base>
>>>     #include <abstractions/nameservice>
>>> }
>>> It seems this is the SUSE way. I also saw subprofile definitions
>>> beginning with a ^ and afterwards just the name of the hat. Are both
>>> correct?
>> 
>> This is sorely under-documented but I believe the hats must be named with
>> '^' or 'hat' in the files, whether it is of the format:
>> 
>> /outer/profile/name^hatname { }
>> 
>> or of the format:
>> 
>> /outer/profile/name {
>>  ...
>>  ^hatname { }
>>  ...
>> }
>> 
>> The // is usually reserved for child profiles and I'm not sure of the
>> consequences of mixing the two formats.
>> 
> 
> The ^ can only be used to declare a hat name within a profile, it does
> NOT indicate a hat in the larger sense of
>  /outer/profile/name ^hatname
> which unfortunately is a valid profile name due to the semantics of profile
> names that begin with /, which basically are allowed to have any valid character in
> them.
> 
> The actual separator for profile then hat is // so
>  /outer/profile/name//hatname
> 
> This format is NOT used within a profile, i.e.
> 
> profile /outer/profile/name {
> 
>  ^hatname { }  # valid hatname
>  hat hatname { }  # valid hatname
> 
>  ^/outer/profile/name//hatname {}  # broken and invalid
> }
> 
> The keyword hat as shown above can be substituted for the ^ to declare a hat.
> It is important to note that hats are just a special subprofile that is
> tagged as being valid for use with the change_hat() API.
> 
> 
> Now there is a special case where hats can be declared external to their
> parent profile using the parent_name//hat_name syntax, and the
> parent_name//hat_name syntax might also be used for profile transitions,
> but generally you don't have to think about it for apache and mod_apparmor.
> 

Hi John,

thanks for your answer. I'm confused now.
What should I prefer?

  /usr/sbin/httpd2-prefork//genetrap flags=(complain) {
...
  }

inside the file for the httpd2 profile, but outside the block for httpd2,
using its own block for the hat?

Or using ^ to define a subprofile inside the block for the httpd2 process ?

Thanks.


Bernd
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Chairwoman of the Supervisory Board: MinDir'in Baerbel Brumme-Bothe
Managing Directors: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Register court: Amtsgericht Muenchen HRB 6466
VAT ID: DE 129521671
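Added example (not part of this thread or of the SUSE httpd2 profile): a small Python checker that applies the naming rules John describes above to a constructed profile text, separating hats declared inline with ^ or hat, external parent//hat declarations, and the invalid ^parent//hat form. It uses brace counting and two regexes rather than AppArmor's real grammar, so it only illustrates the three shapes.

```python
import re

# Constructed sample profile (not the SUSE usr.sbin.httpd2-prefork file): the
# hat styles discussed in the thread, plus the form John calls broken.
SAMPLE_PROFILE = """\
/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  ^genetrap {                 # valid: ^ declares a hat inside its parent
    #include <abstractions/nameservice>
  }
  hat other_vhost {           # valid: 'hat' keyword is equivalent to ^
  }
  ^/usr/sbin/httpd2-prefork//genetrap {   # invalid: // form inside the parent
  }
}
/usr/sbin/httpd2-prefork//external flags=(complain) {   # valid: external hat
  #include <abstractions/base>
}
"""

HAT_RE = re.compile(r'^\s*(?:\^|hat\s+)(\S+)\s*(?:flags=\([^)]*\)\s*)?\{')
PROFILE_RE = re.compile(r'^\s*(?:profile\s+)?(/\S+)\s*(?:flags=\([^)]*\)\s*)?\{')

def classify_hats(text):
    """Return (kind, parent, hat) tuples: kind is 'inline', 'external' or 'invalid'."""
    results, depth, parent = [], 0, None
    for line in text.splitlines():
        code = line.split('#', 1)[0]          # drop comments and #include lines
        if depth == 0:                         # top level: profile or parent//hat
            m = PROFILE_RE.match(code)
            if m:
                name = m.group(1)
                if '//' in name:               # external hat: parent//hat { }
                    parent, hat = name.split('//', 1)
                    results.append(('external', parent, hat))
                else:
                    parent = name
        elif depth == 1:                       # directly inside a parent profile
            m = HAT_RE.match(code)
            if m:
                hat = m.group(1)
                kind = 'invalid' if '//' in hat else 'inline'
                results.append((kind, parent, hat))
        depth += code.count('{') - code.count('}')
    return results

def valid_hat_paths(text):
    """Full parent//hat names usable with AADefaultHatName/change_hat()."""
    return sorted(f'{p}//{h}' for k, p, h in classify_hats(text) if k != 'invalid')
```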