On 12/21/2011 04:17 PM, Christian Boltz wrote:
Hello,

the attached patch splits off various permissions from the
httpd2-prefork profile to abstractions/apache2-common. Additionally, it adds
read permissions for /**/.htaccess and /dev/urandom to apache2-common.

The patch is based on a profile abstraction from darix. I made some
things more strict (compared to darix' profile), and OTOH added some
things that are needed on my servers.

For reference: Darix sent me a file abstractions/apache-vhost-base (note
the different name, I merged into apache2-common).
Original abstractions/apache-vhost-base from darix:

   network,

   @{PROC}/**/attr/current rw,

   # htaccess files - for what ever it is worth
   /**.htaccess            r,

   # error pages
   /usr/share/apache2/**   r,


BTW: Darix' profile has @{PROC}/**/attr/current rw, however my
experience is I only need @{PROC}/*/attr/current w (no r).
Correct.  The w permission is needed for change_hat.  r is needed
to introspect what the current profile/hat is.  I don't think mod_apparmor
does this currently so only w should be required.

I never needed   @{PROC}/*/task/*/attr/current.
- Does apache really need write access to both variants? (I doubt.)
Not that I know of; libapparmor only uses the /proc/<pid>/attr/
path.

- What's the difference between both variants?

The /proc/<pid>/task/ directory is a set of hardlinks to the tasks that
have been started by this parent process, vs. the flat view of pids in
/proc/<pid>

Note: My version of abstractions/apache2-common does not allow reading
/.htaccess (I changed /**.htaccess ->  /**/.htaccess) which slightly
reduces permissions for ^HANDLING_UNTRUSTED_INPUT. However I doubt
someone has a .htaccess in / ;-)

Ugh, tbh I don't even like /**/.htaccess. Can we perhaps add a tunable for
this, even if the base value used is just /**/?

Basically I really don't like letting .htaccess reside just about anywhere,
and maybe a tunable would make this more palatable.

The other changes I did do not remove permissions from the profile in
bzr because those permissions didn't exist there - they exist only in
the profile and abstractions from darix.

I'm also nominating this patch for the 2.7 branch (maybe except
disallowing /.htaccess for ^HANDLING_UNTRUSTED_INPUT  if you are afraid
it breaks some setups)

Hrmm, I think I am okay with that, sbeattie?

The rest of it looks okay to me

thanks
john


Regards,

Christian Boltz



=== modified file 'profiles/apparmor.d/abstractions/apache2-common'
--- profiles/apparmor.d/abstractions/apache2-common     2010-01-03 21:16:38 
+0000
+++ profiles/apparmor.d/abstractions/apache2-common     2011-12-21 23:57:10 
+0000
@@ -1,9 +1,20 @@
 # vim:syntax=apparmor

+# This file contains basic permissions for Apache and every vHost
+
+  #include <abstractions/nameservice>
+
   # Apache
   network inet stream,
+  network inet6 stream,
+  # apache manual, error pages and icons
   /usr/share/apache2/** r,

   # changehat itself
   /proc/*/attr/current                        w,

+  # htaccess files - for what ever it is worth
+  /**/.htaccess            r,
+
+  /dev/urandom            r,
+
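Review bot: `/**/.htaccess r,` at the end of this hunk still grants read on a file named .htaccess under any directory on the system, and because the rule now lives in apache2-common it is handed to every profile and hat that includes the abstraction. Consider replacing the leading `/**/` with a variable defined in a tunable (for example a hypothetical `@{APACHE_HTACCESS_DIRS}`, defaulting to the current value) so that sites can narrow it to their document roots. The added `#include <abstractions/nameservice>` and `/dev/urandom r,` lines would also benefit from a comment saying why every vHost needs them.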

=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork'
--- profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork   2011-08-08 
20:22:03 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork   2011-12-21 
23:58:09 +0000
@@ -12,6 +12,7 @@
 #include <tunables/global>
 /usr/sbin/httpd2-prefork {
+  #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/kerberosclient>
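Review bot: the added `#include <abstractions/apache2-common>` at the top of the /usr/sbin/httpd2-prefork block brings `network inet stream`, `/proc/*/attr/current w` and the nameservice include into the main profile, while the hunks in this patch only drop the /usr/share/apache2 rules from it. Check the rest of the main profile for rules that the abstraction now duplicates and remove them in the same change, so that each permission has a single source.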
@@ -78,8 +79,6 @@
   /usr/local/tomcat/conf/mod_jk.conf r,
   /usr/local/tomcat/conf/workers-ajp12.properties r,
   /usr/sbin/httpd2-prefork r,
-  /usr/share/apache2/error/* r,
-  /usr/share/apache2/error/include/* r,
   /usr/share/misc/magic.mime r,
   /usr/share/snmp/mibs r,
   /usr/share/snmp/mibs/*.{txt,mib} r,
@@ -125,21 +124,18 @@
   /srv/www/icons/*.{gif,jpg,png}     r,
   /srv/www/vhosts                    r,
   /srv/www/vhosts/**                 r,
-  # SuSE location of the apache manual + error pages
-  /usr/share/apache2/**              r,

   # php session state
   /var/lib/php/sess_*                rwl,


   ^HANDLING_UNTRUSTED_INPUT {
-    #include <abstractions/nameservice>
+    #include <abstractions/apache2-common>
     /var/log/apache2/*     w,
-    /**.htaccess           r,
   }
   ^DEFAULT_URI {
-    #include <abstractions/nameservice>
+    #include <abstractions/apache2-common>
     #include <abstractions/base>

     # Note that mod_perl, mod_php, mod_python, etc, allows in-apache
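Review bot: in ^HANDLING_UNTRUSTED_INPUT, swapping `#include <abstractions/nameservice>` for `#include <abstractions/apache2-common>` gives the hat rules it did not list before: via the abstraction it now picks up `network inet stream`, `network inet6 stream`, `/usr/share/apache2/** r`, `/dev/urandom r` and `/proc/*/attr/current w`. The patch description only mentions the .htaccess tightening for this hat, so please confirm that each of these is needed while handling untrusted input, or keep the hat on nameservice plus an explicit `/**/.htaccess r,`.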
@@ -176,8 +172,6 @@
     /srv/www/icons/*.{gif,jpg,png}     r,
     /srv/www/vhosts                    r,
     /srv/www/vhosts/**                 r,
-    # SuSE location of the apache manual + error pages
-    /usr/share/apache2/**              r,

     # php session state
     /var/lib/php/sess_*                rwl,
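
The difference between the old `/**.htaccess` rule and the new `/**/.htaccess` rule discussed in the thread, as an added example that is not part of the original mail or of the AppArmor code base. The glob translation is a simplified model (literals, `?`, `*` and `**` only) and the sample paths are constructed.

```python
import re

OLD_RULE = "/**.htaccess"    # removed from ^HANDLING_UNTRUSTED_INPUT
NEW_RULE = "/**/.htaccess"   # added to abstractions/apache2-common

def aa_glob_to_regex(pattern):
    """Simplified model of AppArmor path globbing: literals, ?, * and ** only."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c in "{}[]":
            raise ValueError("alternation and character classes are not modelled")
        if c == "*":
            j = i
            while j < n and pattern[j] == "*":
                j += 1
            # "*" stays inside one path component, "**" may cross "/".
            unit = "[^\\x00]" if j - i >= 2 else "[^/\\x00]"
            # Directly after "/" and before "/" or the end of the rule, the
            # glob has to consume at least one non-slash character.
            bounded = i > 0 and pattern[i - 1] == "/" and (j == n or pattern[j] == "/")
            out.append(("[^/\\x00]" if bounded else "") + unit + "*")
            i = j
        elif c == "?":
            out.append("[^/\\x00]")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out))

def matches(rule, path):
    return aa_glob_to_regex(rule).fullmatch(path) is not None

# Constructed sample paths, not taken from any real server.
SAMPLE_PATHS = ["/.htaccess", "/srv/www/htdocs/.htaccess",
                "/srv/www/htdocs/backup.htaccess", "/tmp/.htaccess",
                "/srv/www/htdocs/index.html"]

def lost_by_tightening(paths):
    """Paths the old rule allowed reading that the new rule no longer covers."""
    return [p for p in paths if matches(OLD_RULE, p) and not matches(NEW_RULE, p)]

def still_readable(paths):
    """Paths the new rule grants read on, wherever they sit in the tree."""
    return [p for p in paths if matches(NEW_RULE, p)]

if __name__ == "__main__":
    print("no longer readable:", lost_by_tightening(SAMPLE_PATHS))
    print("still readable:    ", still_readable(SAMPLE_PATHS))
```

The second list is the concern behind the tunable request: the new rule is stricter about the file name, but not about where the file lives.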

