I noticed it is implementable as a module for httpd-2.2.x, without mpm support. The following code is a proof-of-concept of the new approach.

http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.c#312

The selinux_process_connection is a hook of the process_connection which is called for each connection. It forks a one-time worker process and assigns an individual security context prior to invocation of handlers. The worker calls ap_run_process_connection() again; however, the selinux_process_connection just returns DECLINED in the worker's context, and then the standard routines are executed in the worker process.

There are no fundamental differences from what I suggested yesterday.

If you have any comments, questions, suggestions or anything else, please feel free to point them out.

Thanks,

KaiGai Kohei wrote:
> I filed an entry on the bugzilla:
> * Bug 47021 - A new MPM (security) and mod_selinux module
> https://issues.apache.org/bugzilla/show_bug.cgi?id=47021
>
> It is the first time for me to submit patches in the community,
> please tell me if I did something in an incorrect manner.
>
> Thanks,
>
> KaiGai Kohei wrote:
>> KaiGai Kohei wrote:
>>> Stefan Fritsch wrote:
>>>> On Thursday 09 April 2009, Graham Dumpleton wrote:
>>>>> Only you would know that. But then, I could be pointing you at the
>>>>> wrong MPM. There is from memory another by another name developed
>>>>> outside of ASF which intends to do the same thing. The way it is
>>>>> implemented is probably going to be different and may be the one I
>>>>> am actually thinking of. I can't remember the name of it right now.
>>>> Maybe you mean MPM itk, which can change to different users for
>>>> different vhosts?
>>>>
>>>> http://mpm-itk.sesse.net/
>>> Thanks for your information.
>>>
>>> It is designed on the prefork. It makes a child process for each
>>> connection to call ap_process_connection() in a separate context,
>>> and the parent waits for the completion of this.
>>> In addition, it assigns the configured uid/gid on the header_parser hook,
>>> then content handlers are invoked.
>>>
>>> It seems to me that we can share its basic idea and design.
>>> The mpm-itk also has two separable functionalities:
>>> 1. it makes a process for each connection.
>>> 2. it assigns privileges on a process.
>>>
>>> I believe we are now in the right direction.
>> At first, I planned to implement a new mpm from scratch, but I
>> reconsidered: it may be a burden for the reviewers, so the attached
>> patch is implemented as an enhancement of the latest prefork.
>> (I guess it is a preferable manner.)
>>
>> The first attached patch adds a new "security" mpm which enables
>> launching a new process for each connection, and gives a chance to assign
>> appropriate privileges for external modules. The newly spawned process
>> is always one-time purpose, because SELinux does not allow reverting
>> its privileges.
>>
>> The second patch is an implementation of the mod_selinux module which
>> assigns the working process a security context based on the authentication
>> process at the fixups hook, prior to invocation of content handlers.
>>
>> Steps to apply the patches:
>> % svn co http://svn.apache.org/repos/asf/httpd/httpd/trunk httpd-devel
>> % cd httpd-devel
>> % mkdir -p server/mpm/security
>> % cp -f server/mpm/prefork/prefork.c server/mpm/security
>> % cp -f server/mpm/prefork/mpm_default.h server/mpm/security
>> % cat ~/apache-httpd-security-mpm.1.patch | patch -p1
>> % cat ~/apache-httpd-mod_selinux.1.patch | patch -p1
>>
>> (*) The attached patch contains only differences from the prefork.
>>
>> I would like to push this kind of feature to the upstream httpd
>> eventually. If you have any suggestion, please feel free to comment.
>>
>> Thanks,
>>
>
> --
> OSS Platform Development Division, NEC
> KaiGai Kohei
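The fork-then-DECLINED pattern described at the top of this message, modelled as a stand-alone C program; this is an added illustration, not code from mod_selinux or httpd. The hook chain, the one-time worker and the re-entry guard are real; the context assignment that setcon() would perform is represented by a string stored in the worker's own memory, and the labels used in the test are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define OK        0
#define DECLINED (-1)

static int in_worker = 0;   /* nonzero only inside the forked one-time worker */
char worker_context[128];   /* stand-in for the SELinux context the real module sets via setcon() */
static int run_process_connection(const char *ctx, int out_fd);

/* Model of selinux_process_connection: fork a worker, label it, re-run the hook chain inside it. */
static int selinux_process_connection(const char *ctx, int out_fd) {
    if (in_worker) return DECLINED;   /* second pass, inside the worker: hand over to the standard routines */
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {                   /* worker: assign the context (irreversible under SELinux), serve, exit */
        in_worker = 1;
        snprintf(worker_context, sizeof worker_context, "%s", ctx);
        _exit(run_process_connection(ctx, out_fd) == OK ? 0 : 1);
    }
    int status = 0;
    waitpid(pid, &status, 0);         /* the parent only waits; its own context is never changed */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? OK : -3;
}

/* Stand-in for the core handler: report the context the connection is served under. */
static int core_process_connection(int out_fd) {
    return write(out_fd, worker_context, strlen(worker_context)) < 0 ? -4 : OK;
}

/* RUN_FIRST dispatch: the first hook that does not return DECLINED decides. */
static int run_process_connection(const char *ctx, int out_fd) {
    int rc = selinux_process_connection(ctx, out_fd);
    return rc != DECLINED ? rc : core_process_connection(out_fd);
}

/* Dispatch one connection; on success, out receives the context the worker reported. */
int dispatch_connection(const char *ctx, char *out, size_t outlen) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    int rc = run_process_connection(ctx, fds[1]);
    close(fds[1]);                    /* worker has exited, so read() sees EOF after its report */
    ssize_t n = read(fds[0], out, outlen - 1);
    close(fds[0]);
    out[n > 0 ? n : 0] = '\0';
    return rc;
}
```

After each call, `worker_context` in the parent is still empty: the label only ever existed in the throwaway worker, which is why no revert is needed.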
