# Last Modified: Wed Sep 16 11:58:00 2009
# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
#include <tunables/global>

/usr/lib/apache2/mpm-prefork/apache2 {

  # This is profile is completely permissive.
  # It is designed to target specific applications using mod_apparmor,
  # hats, and the apache2.d directory.
  #
  # In order to enable this profile, you must:
  #
  # 1- Enable it:
  #    sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
  #
  # 2- Load the mod_apparmor module:
  #    sudo a2enmod apparmor
  #
  # 3- Place an appropriate profile containing the desired hat in the
  #    /etc/apparmor.d/apache2.d directory.  Such profiles should probably
  #    include the "apache2-common" abstraction.
  #
  # 4- Use the "AADefaultHatName" apache configuration option to specify a
  #    hat to be used for a given apache virtualhost or "AAHatName" for
  #    a given apache directory or location directive.
  #
  #
  # There is an example profile for phpsysinfo included in the
  # apparmor-profiles package. To try it:
  #
  # 1- Install the phpsysinfo and the apparmor-profiles packages:
  #    sudo apt-get install phpsysinfo apparmor-profiles
  #
  # 2- Enable the main apache2 profile
  #    sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
  #
  # 3- Configure apache with the following:
  #    <Directory /var/www/phpsysinfo/>
  #        AAHatName phpsysinfo
  #    </Directory>
  #

  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_tty_config,

  / rw,
  /** mrwlkix,


  ^DEFAULT_URI {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    / rw,
    /** mrwlkix,

  }

  ^HANDLING_UNTRUSTED_INPUT {
    #include <abstractions/nameservice>

    / rw,
    /** mrwlkix,

  }

  # This directory contains web application
  # package-specific apparmor files.

  #include <apache2.d>

}