2010-12-20 08:35:00 -06:00
|
|
|
# This publication is intellectual property of Novell Inc. and Canonical
|
|
|
|
|
# Ltd. Its contents can be duplicated, either in part or in whole, provided
|
|
|
|
|
# that a copyright label is visibly located on each copy.
|
2006-04-11 21:52:54 +00:00
|
|
|
#
|
|
|
|
|
# All information found in this book has been compiled with utmost
|
|
|
|
|
# attention to detail. However, this does not guarantee complete accuracy.
|
2010-12-20 08:35:00 -06:00
|
|
|
# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
|
|
|
|
|
# shall be held liable for possible errors or the consequences thereof.
|
2006-04-11 21:52:54 +00:00
|
|
|
#
|
|
|
|
|
# Many of the software and hardware descriptions cited in this book
|
|
|
|
|
# are registered trademarks. All trade names are subject to copyright
|
|
|
|
|
# restrictions and may be registered trade marks. SUSE LINUX GmbH
|
2010-12-20 08:35:00 -06:00
|
|
|
# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
|
2006-04-11 21:52:54 +00:00
|
|
|
#
|
|
|
|
|
# Names of products and trademarks appearing in this book (with or without
|
|
|
|
|
# specific notation) are likewise subject to trademark and trade protection
|
|
|
|
|
# laws and may thus fall under copyright restrictions.
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=pod
|
|
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
2010-12-20 13:45:56 -06:00
|
|
|
mod_apparmor - fine-grained AppArmor confinement for Apache
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
|
|
An AppArmor profile applies to an executable program; if a portion of
|
|
|
|
|
the program needs different access permissions than other portions,
|
2010-12-20 13:47:09 -06:00
|
|
|
the program can "change hats" via aa_change_hat(2) to a different role,
|
2010-12-20 13:45:56 -06:00
|
|
|
also known as a subprofile. The mod_apparmor Apache module uses the
|
2010-12-20 13:47:09 -06:00
|
|
|
aa_change_hat(2) mechanism to offer more fine-grained confinement of dynamic
|
2010-12-20 13:45:56 -06:00
|
|
|
elements within Apache such as individual php and perl scripts, while
|
2006-04-11 21:52:54 +00:00
|
|
|
still allowing the performance benefits of using mod_php and mod_perl.
|
|
|
|
|
|
2010-12-20 13:45:56 -06:00
|
|
|
To use mod_apparmor with Apache, ensure that mod_apparmor is configured to
|
|
|
|
|
be loaded into Apache, either via a2enmod, yast or manual editing of the
|
|
|
|
|
apache2(8)/httpd(8) configuration files, and restart Apache. Make sure that
|
2010-12-20 08:35:00 -06:00
|
|
|
apparmor is also functioning.
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2010-12-20 13:45:56 -06:00
|
|
|
Once mod_apparmor is loaded within Apache, all requests to Apache will
|
mod_apparmor: try uri hat after AADefaultHatName, not before
In trunk revno 2335, a bug was fixed in mod_apparmor that corrected
the storage location for AADefaultHatName. The incorrect storage
caused the hat specified by the AADefaultHatName keyword to be the
default value for AAHatName, and meant that if both an AAHatName and
an AADefaultHatName entry were given in a vhost, mod_apparmor would
not fall back to trying AADefaultHatName if the hat specified in
AAHatName did not exist in the apache apparmor profile.
However, because the value specified in AADefaultHatName was the
default, if no AAHatName was specified, it would be attempted first,
before a hat based on the passed URI, rather than after as the
documentation stated and the code intended. By fixing the storage bug,
the attempted hat ordering now matched the documentation. But a number
of users came to rely on AADefaultHatName being attempted before
the URI. For trunk, this issue is less severe because mod_apparmor
passes a vector of hats to aa_change_hatv(), and thus missing URI
hats are not logged by the kernel apparmor bits. It still represents
a behavioral change to users, though.
This patch re-adjusts the ordering so that the URI-based hat is
attempted after the hat specified by AADefaultHatName is attempted,
thus maintaining the actual behavior before the bug addressed in
revno 2335 was fixed.
Patch history:
v1: initial revision
v2: no code changes; adjust comments and improve the man page
documentation
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-07-08 00:39:05 -07:00
|
|
|
cause mod_apparmor to attempt to change into a hat that matches the
|
|
|
|
|
ServerName for the server/vhost. If no such hat is found, it will
|
2014-07-08 00:41:58 -07:00
|
|
|
first fall back by attempting to change into a hat composed of the
|
|
|
|
|
ServerName-URI (e.g. "www.example.com-/app/some.cgi"). If that hat
|
|
|
|
|
is not found, it will fall back to attempting to use the hat named
|
|
|
|
|
by the URI (e.g. "/app/some.cgi"). If that hat is not found, it will
|
|
|
|
|
fall back to attempting to use the hat DEFAULT_URI; if that also does
|
|
|
|
|
not exist, it will fall back to using the global Apache profile. Most
|
|
|
|
|
static web pages can simply make use of the DEFAULT_URI hat.
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2010-12-20 13:45:56 -06:00
|
|
|
Additionally, before any requests come in to Apache, mod_apparmor
|
|
|
|
|
will attempt to change hat into the HANDLING_UNTRUSTED_INPUT hat.
|
|
|
|
|
mod_apparmor will attempt to use this hat while Apache is doing the
|
|
|
|
|
initial parsing of a given http request, before its given to a specific
|
|
|
|
|
handler (like mod_php) for processing.
|
|
|
|
|
|
|
|
|
|
Because defining hats for every URI/URL often becomes tedious, mod_apparmor
|
|
|
|
|
provides the AAHatName and AADefaultHatName Apache configuration options.
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
|
|
=item B<AAHatName>
|
|
|
|
|
|
2010-12-20 13:45:56 -06:00
|
|
|
AAHatName allows you to specify a hat to be used for a given Apache
|
2014-09-15 11:30:47 -07:00
|
|
|
E<lt>DirectoryE<gt>, E<lt>DirectoryMatchE<gt>, E<lt>LocationE<gt> or
|
2010-12-20 13:45:56 -06:00
|
|
|
E<lt>LocationMatchE<gt> directive (see the Apache documenation for more
|
2006-04-11 21:52:54 +00:00
|
|
|
details). Note that mod_apparmor behavior can become confused if
|
2010-12-20 13:45:56 -06:00
|
|
|
E<lt>Directory*E<gt> and E<lt>Location*E<gt> directives are intermingled
|
|
|
|
|
and it is recommended to use one type of directive. If the hat specified by
|
|
|
|
|
AAHatName does not exist in the Apache profile, then it falls back to the
|
|
|
|
|
behavior described above.
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
=item B<AADefaultHatName>
|
|
|
|
|
|
mod_apparmor: try uri hat after AADefaultHatName, not before
In trunk revno 2335, a bug was fixed in mod_apparmor that corrected
the storage location for AADefaultHatName. The incorrect storage
caused the hat specified by the AADefaultHatName keyword to be the
default value for AAHatName, and meant that if both an AAHatName and
an AADefaultHatName entry were given in a vhost, mod_apparmor would
not fall back to trying AADefaultHatName if the hat specified in
AAHatName did not exist in the apache apparmor profile.
However, because the value specified in AADefaultHatName was the
default, if no AAHatName was specified, it would be attempted first,
before a hat based on the passed URI, rather than after as the
documentation stated and the code intended. By fixing the storage bug,
the attempted hat ordering now matched the documentation. But a number
of users came to rely on AADefaultHatName being attempted before
the URI. For trunk, this issue is less severe because mod_apparmor
passes a vector of hats to aa_change_hatv(), and thus missing URI
hats are not logged by the kernel apparmor bits. It still represents
a behavioral change to users, though.
This patch re-adjusts the ordering so that the URI-based hat is
attempted after the hat specified by AADefaultHatName is attempted,
thus maintaining the actual behavior before the bug addressed in
revno 2335 was fixed.
Patch history:
v1: initial revision
v2: no code changes; adjust comments and improve the man page
documentation
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-07-08 00:39:05 -07:00
|
|
|
AADefaultHatName allows you to specify a default hat to be used for
|
|
|
|
|
virtual hosts and other Apache server directives, so that you can have
|
|
|
|
|
different defaults for different virtual hosts. This can be overridden
|
|
|
|
|
by the AAHatName directive and is checked for only if there isn't
|
|
|
|
|
a matching AAHatName. The default value of AADefaultHatName is the
|
|
|
|
|
ServerName for the server/vhost configuration. If the AADefaultHatName
|
|
|
|
|
hat does not exist, then it falls back to the behavior described above.
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
2010-12-20 13:45:56 -06:00
|
|
|
=head1 URI REQUEST SUMMARY
|
|
|
|
|
|
|
|
|
|
When profiling with mod_apparmor, it is helpful to keep the following order
|
|
|
|
|
of operations in mind:
|
|
|
|
|
|
2010-12-20 13:47:09 -06:00
|
|
|
On each URI request, mod_apparmor will first aa_change_hat(2) into
|
2010-12-20 13:45:56 -06:00
|
|
|
^HANDLING_UNTRUSTED_INPUT, if it exists.
|
|
|
|
|
|
|
|
|
|
Then, after performing the initial parsing of the request, mod_apparmor
|
|
|
|
|
will:
|
|
|
|
|
|
2014-09-15 11:30:47 -07:00
|
|
|
=over 4
|
|
|
|
|
|
|
|
|
|
=item 1
|
2010-12-20 13:45:56 -06:00
|
|
|
|
2014-09-15 11:30:47 -07:00
|
|
|
try to aa_change_hat(2) into a matching AAHatName hat if it exists and
|
2010-12-20 13:45:56 -06:00
|
|
|
applies, otherwise it will
|
|
|
|
|
|
2014-09-15 11:30:47 -07:00
|
|
|
=item 2
|
|
|
|
|
|
|
|
|
|
try to aa_change_hat(2) into an AADefaultHatName hat, either the
|
mod_apparmor: make the ServerName be the default AADefaultHatName
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1207424
This patch makes the default value for AADefaultHatName be the
server/vhost name, which can be specified in apache via the ServerName
configuration declaration. It can be overridden by setting
AADefaultHatName directly. Thus, with this patch applied, the order of
attempted hats will be:
1. try to aa_change_hat(2) into a matching AAHatName hat if it exists
and applies, otherwise
2. try to aa_change_hat(2) into the URI itself, otherwise
3. try to aa_change_hat(2) into the value of ServerName, unless
AADefaultHatName has been explicitly set for this server/vhost, in
which case that value will be used, otherwise
4. try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists,
otherwise
5. fall back to the global Apache policy
This should eliminate the need for most admins to define both
ServerName and AADefaultHatName, unless there's a specific need for
the values to deviate.
Man page documentation is updated as well, though probably more
wordsmithing is needed there for clarity.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-23 13:51:34 -08:00
|
|
|
ServerName (the default) or the configuration value specified by the
|
|
|
|
|
AADefaultHatName directive, for the server/vhost, otherwise it will
|
2010-12-20 13:45:56 -06:00
|
|
|
|
2014-09-15 11:30:47 -07:00
|
|
|
=item 3
|
|
|
|
|
|
|
|
|
|
try to aa_change_hat(2) into the ServerName-URI, otherwise it will
|
mod_apparmor: try uri hat after AADefaultHatName, not before
In trunk revno 2335, a bug was fixed in mod_apparmor that corrected
the storage location for AADefaultHatName. The incorrect storage
caused the hat specified by the AADefaultHatName keyword to be the
default value for AAHatName, and meant that if both an AAHatName and
an AADefaultHatName entry were given in a vhost, mod_apparmor would
not fall back to trying AADefaultHatName if the hat specified in
AAHatName did not exist in the apache apparmor profile.
However, because the value specified in AADefaultHatName was the
default, if no AAHatName was specified, it would be attempted first,
before a hat based on the passed URI, rather than after as the
documentation stated and the code intended. By fixing the storage bug,
the attempted hat ordering now matched the documentation. But a number
of users came to rely on AADefaultHatName being attempted before
the URI. For trunk, this issue is less severe because mod_apparmor
passes a vector of hats to aa_change_hatv(), and thus missing URI
hats are not logged by the kernel apparmor bits. It still represents
a behavioral change to users, though.
This patch re-adjusts the ordering so that the URI-based hat is
attempted after the hat specified by AADefaultHatName is attempted,
thus maintaining the actual behavior before the bug addressed in
revno 2335 was fixed.
Patch history:
v1: initial revision
v2: no code changes; adjust comments and improve the man page
documentation
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-07-08 00:39:05 -07:00
|
|
|
|
2014-09-15 11:30:47 -07:00
|
|
|
=item 4
|
2014-07-08 00:41:58 -07:00
|
|
|
|
2014-09-15 11:30:47 -07:00
|
|
|
try to aa_change_hat(2) into the URI itself, otherwise it will
|
|
|
|
|
|
|
|
|
|
=item 5
|
|
|
|
|
|
|
|
|
|
try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists, otherwise it
|
2010-12-20 13:45:56 -06:00
|
|
|
will
|
|
|
|
|
|
2014-09-15 11:30:47 -07:00
|
|
|
=item 6
|
|
|
|
|
|
|
|
|
|
fall back to the global Apache policy
|
2010-12-20 13:45:56 -06:00
|
|
|
|
|
|
|
|
=back
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
=head1 BUGS
|
|
|
|
|
|
|
|
|
|
mod_apparmor() currently only supports apache2, and has only been tested
|
2010-12-20 13:45:56 -06:00
|
|
|
with the prefork MPM configuration -- threaded configurations of Apache
|
2014-02-13 17:21:41 -08:00
|
|
|
may not work correctly. For Apache 2.4 users, you should enable the mpm_prefork
|
|
|
|
|
module.
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
There are likely other bugs lurking about; if you find any, please report
|
2013-09-19 21:17:39 +02:00
|
|
|
them at L<https://bugs.launchpad.net/apparmor/+filebug>.
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
|
2010-12-20 13:47:09 -06:00
|
|
|
apparmor(7), subdomain.conf(5), apparmor_parser(8), aa_change_hat(2) and
|
2010-12-20 08:35:00 -06:00
|
|
|
L<http://wiki.apparmor.net>.
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
=cut
|