profiles: adjust apache2-common abstraction for signals/mod_apparmor changes

Update the apache2-common abstraction so that the parent apache process
can kill worker processes inside of hats, as well as handle the updated
mod_apparmor behavior that invokes aa_change_hatv() and then checks
which hat it ended up in via aa_getconn() (which reads from
{PROC}/@{pid}/attr/current).

Author: Kees Cook <kees@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.launchpad.net/apparmor/+bug/1322764

profiles/apparmor.d/abstractions/apache2-common

@@ -4,6 +4,11 @@
 
   #include <abstractions/nameservice>
 
+  # Allow apache to send us signals by default
+  signal (receive) peer=/usr/sbin/apache2,
+  # Allow us to signal ourselves
+  signal peer=@{profile_name},
+
   # Apache
   network inet stream,
   network inet6 stream,
@@ -11,7 +16,7 @@
   /usr/share/apache2/** r,
 
   # changehat itself
-  @{PROC}/@{pid}/attr/current                        w,
+  @{PROC}/@{pid}/attr/current                        rw,
 
   # htaccess files - for what ever it is worth
   /**/.htaccess            r,