mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 00:14:44 +01:00
f1b4da2f64
Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com>
82 lines
2.1 KiB
Text
82 lines
2.1 KiB
Text
# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
|
|
|
|
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
/usr/lib/apache2/mpm-prefork/apache2 {
|
|
|
|
# This profile is completely permissive.
|
|
# It is designed to target specific applications using mod_apparmor,
|
|
# hats, and the apache2.d directory.
|
|
#
|
|
# In order to enable this profile, you must:
|
|
#
|
|
# 1- Enable it:
|
|
# sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
|
|
#
|
|
# 2- Load the mod_apparmor module:
|
|
# sudo a2enmod apparmor
|
|
#
|
|
# 3- Place an appropriate profile containing the desired hat in the
|
|
# /etc/apparmor.d/apache2.d directory. Such profiles should probably
|
|
# include the "apache2-common" abstraction.
|
|
#
|
|
# 4- Use the "AADefaultHatName" apache configuration option to specify a
|
|
# hat to be used for a given apache virtualhost or "AAHatName" for
|
|
# a given apache directory or location directive.
|
|
#
|
|
#
|
|
# There is an example profile for phpsysinfo included in the
|
|
# apparmor-profiles package. To try it:
|
|
#
|
|
# 1- Install the phpsysinfo and the apparmor-profiles packages:
|
|
# sudo apt-get install phpsysinfo apparmor-profiles
|
|
#
|
|
# 2- Enable the main apache2 profile
|
|
# sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
|
|
#
|
|
# 3- Configure apache with the following:
|
|
# <Directory /var/www/phpsysinfo/>
|
|
# AAHatName phpsysinfo
|
|
# </Directory>
|
|
#
|
|
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice>
|
|
|
|
capability chown,
|
|
capability kill,
|
|
capability net_bind_service,
|
|
capability setgid,
|
|
capability setuid,
|
|
capability sys_tty_config,
|
|
|
|
/ rw,
|
|
/** mrwlkix,
|
|
|
|
|
|
^DEFAULT_URI {
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice>
|
|
|
|
/ rw,
|
|
/** mrwlkix,
|
|
|
|
}
|
|
|
|
^HANDLING_UNTRUSTED_INPUT {
|
|
include <abstractions/nameservice>
|
|
|
|
/ rw,
|
|
/** mrwlkix,
|
|
|
|
}
|
|
|
|
# This directory contains web application
|
|
# package-specific apparmor files.
|
|
|
|
include <apache2.d>
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/usr.lib.apache2.mpm-prefork.apache2>
|
|
}
|