mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
78 lines
2 KiB
Text
78 lines
2 KiB
Text
# Last Modified: Wed Sep 16 11:58:00 2009
|
|
# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
|
|
#include <tunables/global>
|
|
|
|
/usr/lib/apache2/mpm-prefork/apache2 {
|
|
|
|
# This is profile is completely permissive.
|
|
# It is designed to target specific applications using mod_apparmor,
|
|
# hats, and the apache2.d directory.
|
|
#
|
|
# In order to enable this profile, you must:
|
|
#
|
|
# 1- Enable it:
|
|
# sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
|
|
#
|
|
# 2- Load the mod_apparmor module:
|
|
# sudo a2enmod apparmor
|
|
#
|
|
# 3- Place an appropriate profile containing the desired hat in the
|
|
# /etc/apparmor.d/apache2.d directory. Such profiles should probably
|
|
# include the "apache2-common" abstraction.
|
|
#
|
|
# 4- Use the "AADefaultHatName" apache configuration option to specify a
|
|
# hat to be used for a given apache virtualhost or "AAHatName" for
|
|
# a given apache directory or location directive.
|
|
#
|
|
#
|
|
# There is an example profile for phpsysinfo included in the
|
|
# apparmor-profiles package. To try it:
|
|
#
|
|
# 1- Install the phpsysinfo and the apparmor-profiles packages:
|
|
# sudo apt-get install phpsysinfo apparmor-profiles
|
|
#
|
|
# 2- Enable the main apache2 profile
|
|
# sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
|
|
#
|
|
# 3- Configure apache with the following:
|
|
# <Directory /var/www/phpsysinfo/>
|
|
# AAHatName phpsysinfo
|
|
# </Directory>
|
|
#
|
|
|
|
#include <abstractions/base>
|
|
#include <abstractions/nameservice>
|
|
|
|
capability kill,
|
|
capability net_bind_service,
|
|
capability setgid,
|
|
capability setuid,
|
|
capability sys_tty_config,
|
|
|
|
/ rw,
|
|
/** mrwlkix,
|
|
|
|
|
|
^DEFAULT_URI {
|
|
#include <abstractions/base>
|
|
#include <abstractions/nameservice>
|
|
|
|
/ rw,
|
|
/** mrwlkix,
|
|
|
|
}
|
|
|
|
^HANDLING_UNTRUSTED_INPUT {
|
|
#include <abstractions/nameservice>
|
|
|
|
/ rw,
|
|
/** mrwlkix,
|
|
|
|
}
|
|
|
|
# This directory contains web application
|
|
# package-specific apparmor files.
|
|
|
|
#include <apache2.d>
|
|
|
|
}
|