[apparmor] AppArmor and virtual hosts in Apache

Seth Arnold seth.arnold at canonical.com
Wed May 3 23:11:59 UTC 2017


On Wed, May 03, 2017 at 01:14:08PM +0200, Lentes, Bernd wrote:
> I'm astonished that the topic vhosts/hats is so complicated. I read some
> articles from German computer magazines about apparmor, and the tenor
> was always "it's pretty easy".

Hello Bernd,

Simple uses of AppArmor are relatively easy, as you've seen reported. But
confining different portions of a program with different permissions
is more complicated and most of the time the person writing the
profile must know how the internals of the program work. (Which
is why aa-logprof creates a bunch of hats for apache by default --
/etc/apparmor/logprof.conf describes a few change_hat-enabled applications
and what hats those modifications require.)

> What are big companies running a lot of vhosts doing ? Not using apparmor ?

The hosters that we've heard of that use hats for their vhosts generate
all the hats nearly identically via a script. They allow their users
access to expected files and little else.

Another choice is to simply confine the whole webserver with one profile
and not attempt to subdivide it further.

Another choice is to run different webservers for different applications
and use a proxy in front of the server to give the impression that they're
all running in the same server.

I hope this helps.

Thanks
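As an added example (not code from this thread, from Seth, or from AppArmor's shipped profiles), the kind of generator the first option above describes: a POSIX shell script that reads a constructed vhost inventory and emits one nearly identical hat per vhost, granting read access to that vhost's DocumentRoot and little else, plus the matching Apache `AADefaultHatName` lines so that mod_apparmor switches into the right hat for each `<VirtualHost>`. The hat naming convention, the docroot layout, the log path pattern and the output file locations are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread or from AppArmor's
# own profiles. Emits one AppArmor hat per Apache vhost and the matching
# AADefaultHatName directive. Assumptions: the hats end up inside (or are
# #include'd by) the apache2 profile; each vhost needs only read access to
# its DocumentRoot; per-vhost logs live at /var/log/apache2/<name>-*.log.

# Constructed inventory: "<ServerName> <DocumentRoot>" per line.
VHOSTS='www.example.com /var/www/www.example.com
shop.example.org /srv/sites/shop'

# Hat names are reduced to plain identifiers so the same string is safe
# unquoted in both the profile and httpd.conf (assumed naming convention).
hat_name() {
  printf '%s' "$1" | sed 's/[^A-Za-z0-9_]/_/g'
}

# Emit one hat. After Apache calls change_hat() into it, only the rules
# listed here apply, so a compromised vhost cannot read its neighbours'
# docroots or the server configuration.
gen_hat() {
  hat=$(hat_name "$1")
  docroot=$2
  cat <<EOF
  ^${hat} {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    # this vhost's content only, read-only
    ${docroot}/ r,
    ${docroot}/** r,

    # access and error logs for this vhost (assumed path convention)
    /var/log/apache2/${1}-*.log w,
  }

EOF
}

# Emit the Apache side: with mod_apparmor loaded, AADefaultHatName selects
# the hat used for every request handled by this <VirtualHost>.
gen_vhost_conf() {
  hat=$(hat_name "$1")
  cat <<EOF
<VirtualHost *:80>
    ServerName ${1}
    DocumentRoot ${2}
    AADefaultHatName ${hat}
</VirtualHost>

EOF
}

# Run a generator function over every line of the inventory.
for_each_vhost() {
  gen=$1
  printf '%s\n' "$2" | while read -r name docroot; do
    [ -n "$name" ] || continue
    "$gen" "$name" "$docroot"
  done
}

# Usage (output paths are assumptions, adjust to your layout):
#   ./gen-hats.sh hats > <file #include'd from the apache2 profile>
#   ./gen-hats.sh conf > /etc/apache2/sites-available/vhosts.conf
case "${1:-hats}" in
  hats) for_each_vhost gen_hat "$VHOSTS" ;;
  conf) for_each_vhost gen_vhost_conf "$VHOSTS" ;;
esac
```

Because every hat comes out of the same template, adding a vhost is one inventory line plus a profile reload, which is what keeps this manageable at scale; anything a single site needs beyond read access to its docroot (a writable upload directory, a socket to PHP-FPM) has to be added to the template, not hand-edited into one hat, or the hats stop being identical and reviewable.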