[apparmor] AppArmor and virtual hosts in Apache
John Johansen
john.johansen at canonical.com
Tue May 2 10:15:31 UTC 2017
On 05/02/2017 02:08 AM, Lentes, Bernd wrote:
>
>
> ----- On Apr 29, 2017, at 3:32 AM, John Johansen john.johansen at canonical.com wrote:
>
>>>
>>>> I have a SLES 10 SP4 box.
>>>>
>>>> I installed apparmor and the module for apache. The module is enabled. I
>>>> added the following to the conf-file of the vhost:
>>>>
>>>> AADefaultHatName genetrap
>>>>
>>>> To /etc/apparmor.d/usr.sbin.httpd2-prefork I added the following:
>>>>
>>>> /usr/sbin/httpd2-prefork//genetrap flags=(complain) {
>>>> #include <abstractions/base>
>>>> #include <abstractions/nameservice>
>>>> }
>>>> It seems this is the SUSE way; I also saw subprofile definitions
>>>> beginning with a ^ and afterwards just the name of the hat. Are both
>>>> correct?
>>>
>>> This is sorely under-documented but I believe the hats must be named with
>>> '^' or 'hat' in the files, whether it is of the format:
>>>
>>> /outer/profile/name^hatname { }
>>>
>>> or of the format:
>>>
>>> /outer/profile/name {
>>> ...
>>> ^hatname { }
>>> ...
>>> }
>>>
>>> The // is usually reserved for child profiles and I'm not sure of the
>>> consequences of mixing the two formats.
>>>
>>
>> The ^ can only be used to declare a hat name within a profile; it does
>> NOT indicate a hat in the larger sense of
>> /outer/profile/name ^hatname
>> which unfortunately is a valid profile name, because profile names that
>> begin with / are basically allowed to have any valid character in them.
>>
>> The actual separator for profile then hat is //, so
>> /outer/profile/name//hatname
>>
>> This format is NOT used within a profile, i.e.
>>
>> profile /outer/profile/name {
>>
>> ^hatname { } # valid hatname
>> hat hatnam { } # valid hatname
>>
>> ^/outer/profile/name//hatname {} # broken and invalid
>> }
>>
>> The keyword hat, as shown above, can be substituted for the ^ to declare a hat.
>> It is important to note that hats are just a special subprofile that is
>> tagged as being valid for use with the change_hat() API.
>>
>>
>> Now there is a special case where hats can be declared external to their
>> parent profile using the parent_name//hat_name syntax, and the
>> parent_name//hat_name syntax might also be used for profile transitions,
>> but generally you don't have to think about it for apache and mod_apparmor.
>>
>
> Hi John,
>
> Thanks for your answer. I'm confused now.
> What should I prefer?
>
> /usr/sbin/httpd2-prefork//genetrap flags=(complain) {
> ...
> }
>
> inside the file for the httpd2 profile, but outside the block for httpd2,
> using its own block for the hat?
>
> Or using ^ to define a subprofile inside the block for the httpd2 process ?
>
Go with ^ inside the profile block. I don't believe the other format is
supported within the tools. What it allows for is separating hats out
into separate files, to work better with the file-based caching system.
However, unless you are seeing significant compile/load time problems,
it is not worth resorting to.
> Thanks.
>
>
> Bernd
>
>
> Helmholtz Zentrum Muenchen
> Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
> Ingolstaedter Landstr. 1
> 85764 Neuherberg
> www.helmholtz-muenchen.de
> Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
> Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
> Registergericht: Amtsgericht Muenchen HRB 6466
> USt-IdNr: DE 129521671
>
>
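Putting the advice in this thread together, the following is an added illustration (not a profile from the thread, from SUSE, or from the AppArmor project) of the recommended layout: the hat for the vhost is declared with ^ inside the parent httpd2-prefork profile block rather than as a separate /usr/sbin/httpd2-prefork//genetrap block. The profile path, the hat name "genetrap" and the abstractions come from the thread; the document root under /srv/www/vhosts/genetrap and the additional file rules are assumptions for the example.

```apparmor
# /etc/apparmor.d/usr.sbin.httpd2-prefork  (illustrative layout, not a real deployed profile)
#include <tunables/global>

/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Rules for the parent (non-vhost) context; paths are assumptions for this example.
  /usr/sbin/httpd2-prefork mr,
  /etc/apache2/** r,
  /var/log/apache2/* w,

  # Hat for the 'genetrap' vhost, declared INSIDE the parent profile with ^.
  # mod_apparmor switches into this hat for requests to the vhost whose
  # configuration carries "AADefaultHatName genetrap" (from the thread).
  # complain mode logs would-be denials instead of blocking them, which is
  # what you want while you are still collecting the vhost's access pattern.
  ^genetrap flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    # Document root of the vhost: an assumption for this example.
    /srv/www/vhosts/genetrap/** r,
  }

  # Equivalent declaration using the 'hat' keyword instead of ^ (as John notes):
  # hat genetrap flags=(complain) {
  #   ...
  # }
}
```

Two things worth knowing when checking this. First, the // separator still appears in the kernel's view of the hat: once the profile is loaded, audit/log lines for activity inside the hat report it as the combined name "/usr/sbin/httpd2-prefork//genetrap", so seeing // in the logs does not mean the profile file should use it. Second, while the hat is in complain mode the parent profile's mode still governs the main process; once the logged accesses for the vhost have been folded into the hat's rules, drop flags=(complain) from the hat so that it actually enforces.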