mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-09 02:41:03 +01:00
8e5f15c603
Description: update mod_apparmor man page for Apache 2.4 and add new apparmor.d/usr.sbin.apache2 profile (based on the prefork profile) Acked-by: Steve Beattie <steve@nxnw.org> Differs from original 0036-libapache2-mod-apparmor-profile-2.4.patch ubuntu patch -- I've deleted the "delete the apache 2.2 profile" part of the patch. So apache 2.2's profile is also still supported.
83 lines
2.1 KiB
Text
83 lines
2.1 KiB
Text
# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
|
|
|
|
#include <tunables/global>
|
|
/usr/sbin/apache2 {
|
|
|
|
# This profile is completely permissive.
|
|
# It is designed to target specific applications using mod_apparmor,
|
|
# hats, and the apache2.d directory.
|
|
#
|
|
# In order to enable this profile, you must:
|
|
#
|
|
# 1- Enable it:
|
|
# sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
|
|
#
|
|
# 2- Load the mpm_prefork and mod_apparmor modules:
|
|
# sudo a2dismod <other non-prefork mpm>
|
|
# sudo a2enmod mpm_prefork
|
|
# sudo a2enmod apparmor
|
|
# sudo service apache2 restart
|
|
#
|
|
# 3- Place an appropriate profile containing the desired hat in the
|
|
# /etc/apparmor.d/apache2.d directory. Such profiles should probably
|
|
# include the "apache2-common" abstraction.
|
|
#
|
|
# 4- Use the "AADefaultHatName" apache configuration option to specify a
|
|
# hat to be used for a given apache virtualhost or "AAHatName" for
|
|
# a given apache directory or location directive.
|
|
#
|
|
#
|
|
# There is an example profile for phpsysinfo included in the
|
|
# apparmor-profiles package. To try it:
|
|
#
|
|
# 1- Install the phpsysinfo and the apparmor-profiles packages:
|
|
# sudo apt-get install phpsysinfo apparmor-profiles
|
|
#
|
|
# 2- Enable the main apache2 profile
|
|
# sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
|
|
#
|
|
# 3- Configure apache with the following:
|
|
# <Directory /var/www/phpsysinfo/>
|
|
# AAHatName phpsysinfo
|
|
# </Directory>
|
|
#
|
|
|
|
#include <abstractions/base>
|
|
#include <abstractions/nameservice>
|
|
|
|
capability dac_override,
|
|
capability kill,
|
|
capability net_bind_service,
|
|
capability setgid,
|
|
capability setuid,
|
|
capability sys_tty_config,
|
|
|
|
/ rw,
|
|
/** mrwlkix,
|
|
|
|
|
|
^DEFAULT_URI {
|
|
#include <abstractions/base>
|
|
#include <abstractions/nameservice>
|
|
|
|
/ rw,
|
|
/** mrwlkix,
|
|
|
|
}
|
|
|
|
^HANDLING_UNTRUSTED_INPUT {
|
|
#include <abstractions/nameservice>
|
|
|
|
/ rw,
|
|
/** mrwlkix,
|
|
|
|
}
|
|
|
|
# This directory contains web application
|
|
# package-specific apparmor files.
|
|
|
|
#include <apache2.d>
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
#include <local/usr.sbin.apache2>
|
|
}
|