Author: Jamie Strandboge <[email protected]> Description: update mod_apparmor man page for Apache 2.4 and add new apparmor.d/usr.sbin.apache2 profile (based on the prefork profile) --- changehat/mod_apparmor/mod_apparmor.pod | 3 profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 | 79 --------------- profiles/apparmor.d/usr.sbin.apache2 | 83 ++++++++++++++++ 3 files changed, 85 insertions(+), 80 deletions(-)
Index: b/changehat/mod_apparmor/mod_apparmor.pod =================================================================== --- a/changehat/mod_apparmor/mod_apparmor.pod +++ b/changehat/mod_apparmor/mod_apparmor.pod @@ -116,7 +116,8 @@ mod_apparmor() currently only supports apache2, and has only been tested with the prefork MPM configuration -- threaded configurations of Apache -may not work correctly. +may not work correctly. For Apache 2.4 users, you should enable the mpm_prefork +module. There are likely other bugs lurking about; if you find any, please report them at L<https://bugs.launchpad.net/apparmor/+filebug>. Index: b/profiles/apparmor.d/usr.sbin.apache2 =================================================================== --- /dev/null +++ b/profiles/apparmor.d/usr.sbin.apache2 
@@ -0,0 +1,83 @@
+# Author: Marc Deslauriers <[email protected]>
+
+#include <tunables/global>
+/usr/sbin/apache2 {
+
+ # This profile is completely permissive.
+ # It is designed to target specific applications using mod_apparmor,
+ hats, and the apache2.d directory.
+ #
+ # In order to enable this profile, you must:
+ #
+ # 1- Enable it:
+ sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 2- Load the mpm_prefork and mod_apparmor modules:
+ sudo a2dismod <other non-prefork mpm>
+ sudo a2enmod mpm_prefork
+ sudo a2enmod apparmor
+ sudo service apache2 restart
+ #
+ # 3- Place an appropriate profile containing the desired hat in the
+ /etc/apparmor.d/apache2.d directory. Such profiles should probably
+ include the "apache2-common" abstraction.
+ #
+ # 4- Use the "AADefaultHatName" apache configuration option to specify a
+ hat to be used for a given apache virtualhost or "AAHatName" for
+ a given apache directory or location directive.
+ #
+ #
+ # There is an example profile for phpsysinfo included in the
+ apparmor-profiles package. To try it:
+ #
+ # 1- Install the phpsysinfo and the apparmor-profiles packages:
+ sudo apt-get install phpsysinfo apparmor-profiles
+ #
+ # 2- Enable the main apache2 profile
+ sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
+ #
+ # 3- Configure apache with the following:
+ <Directory /var/www/phpsysinfo/>
+ AAHatName phpsysinfo
+ </Directory>
+ #
+
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability dac_override,
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_tty_config,
+
+ / rw,
+ /** mrwlkix,
+
+
+ ^DEFAULT_URI {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ / rw,
+ /** mrwlkix,
+
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT {
+ #include <abstractions/nameservice>
+
+ / rw,
+ /** mrwlkix,
+
+ }
+
+ # This directory contains web application
+ # package-specific apparmor files.
+
+ #include <apache2.d>
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.apache2>
+}
Index: b/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
===================================================================
--- a/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
+++ /dev/null
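Review bot: `capability dac_override,` is new relative to the usr.lib.apache2.mpm-prefork.apache2 profile this file replaces, yet neither the commit description ("based on the prefork profile") nor a comment says which apache2 operation needs it; together with `/ rw,` and `/** mrwlkix,` it lets the top-level apache2 context read or write any file regardless of DAC ownership and mode. Because the two hats below list no capabilities, the added privilege appears limited to code running outside a hat, but it still deserves a why-comment such as `# dac_override: needed by <operation> — confirm before keeping`, or should be dropped if nothing in a default Apache 2.4 setup requires it. A smaller point carried over from the old profile: `^HANDLING_UNTRUSTED_INPUT` omits `#include <abstractions/base>` while `^DEFAULT_URI` includes it; if that asymmetry is intentional, a one-line comment on the hat would save the next reader from filing it as a bug.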
@@ -1,79 +0,0 @@
-# Author: Marc Deslauriers <[email protected]>
-
-#include <tunables/global>
-/usr/lib/apache2/mpm-prefork/apache2 {
-
- # This profile is completely permissive.
- # It is designed to target specific applications using mod_apparmor,
- hats, and the apache2.d directory.
- #
- # In order to enable this profile, you must:
- #
- # 1- Enable it:
- sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
- #
- # 2- Load the mod_apparmor module:
- sudo a2enmod apparmor
- #
- # 3- Place an appropriate profile containing the desired hat in the
- /etc/apparmor.d/apache2.d directory. Such profiles should probably
- include the "apache2-common" abstraction.
- #
- # 4- Use the "AADefaultHatName" apache configuration option to specify a
- hat to be used for a given apache virtualhost or "AAHatName" for
- a given apache directory or location directive.
- #
- #
- # There is an example profile for phpsysinfo included in the
- apparmor-profiles package. To try it:
- #
- # 1- Install the phpsysinfo and the apparmor-profiles packages:
- sudo apt-get install phpsysinfo apparmor-profiles
- #
- # 2- Enable the main apache2 profile
- sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
- #
- # 3- Configure apache with the following:
- <Directory /var/www/phpsysinfo/>
- AAHatName phpsysinfo
- </Directory>
- #
-
- #include <abstractions/base>
- #include <abstractions/nameservice>
-
- capability kill,
- capability net_bind_service,
- capability setgid,
- capability setuid,
- capability sys_tty_config,
-
- / rw,
- /** mrwlkix,
-
-
- ^DEFAULT_URI {
- #include <abstractions/base>
- #include <abstractions/nameservice>
-
- / rw,
- /** mrwlkix,
-
- }
-
- ^HANDLING_UNTRUSTED_INPUT {
- #include <abstractions/nameservice>
-
- / rw,
- /** mrwlkix,
-
- }
-
- # This directory contains web application
- # package-specific apparmor files.
-
- #include <apache2.d>
-
- # Site-specific additions and overrides. See local/README for details.
- #include <local/usr.lib.apache2.mpm-prefork.apache2>
-}
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
