1304
by Kees Cook
merge profiles from Ubuntu, including change_hat apache2 template |
# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
1452.1.1
by Jamie Strandboge
start on 'local/' mechanism to aid in packaging: |
1304
by Kees Cook
merge profiles from Ubuntu, including change_hat apache2 template |
#include <tunables/global>
/usr/lib/apache2/mpm-prefork/apache2 { |
1452.1.1
by Jamie Strandboge
start on 'local/' mechanism to aid in packaging: |
# This profile is completely permissive: the "/ rw," and "/** mrwlkix," rules
# below (and the DEFAULT_URI and HANDLING_UNTRUSTED_INPUT hats, which carry
# the same file rules) allow access to the whole filesystem.
1304
by Kees Cook
merge profiles from Ubuntu, including change_hat apache2 template |
# It is designed to confine specific web applications using mod_apparmor,
# hats, and the apache2.d directory. |
#
# In order to enable this profile, you must: |
#
# 1- Enable it: |
# sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 |
#
# 2- Load the mod_apparmor module: |
# sudo a2enmod apparmor |
#
# 3- Place an appropriate profile containing the desired hat in the |
1310
by Kees Cook
update php5 abstraction, add more details to apache hat documentation, include a common apache2 abstraction for use with hats |
# /etc/apparmor.d/apache2.d directory. Such profiles should probably |
# include the "apache2-common" abstraction. |
1304
by Kees Cook
merge profiles from Ubuntu, including change_hat apache2 template |
#
1310
by Kees Cook
update php5 abstraction, add more details to apache hat documentation, include a common apache2 abstraction for use with hats |
# 4- Use the "AADefaultHatName" apache configuration option to specify a |
# hat to be used for a given apache virtualhost or "AAHatName" for |
# a given apache directory or location directive. |
1304
by Kees Cook
merge profiles from Ubuntu, including change_hat apache2 template |
#
#
# There is an example profile for phpsysinfo included in the |
# apparmor-profiles package. To try it: |
#
# 1- Install the phpsysinfo and the apparmor-profiles packages: |
# sudo apt-get install phpsysinfo apparmor-profiles |
#
# 2- Enable the main apache2 profile |
# sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 |
#
# 3- Configure apache with the following: |
# <Directory /var/www/phpsysinfo/> |
# AAHatName phpsysinfo |
# </Directory> |
#
#include <abstractions/base> |
#include <abstractions/nameservice> |
3413
by Tyler Hicks
profiles: Allow CAP_CHOWN in usr.lib.apache2.mpm-prefork.apache2 |
capability chown, |
1304
by Kees Cook
merge profiles from Ubuntu, including change_hat apache2 template |
capability kill, |
capability net_bind_service, |
capability setgid, |
capability setuid, |
capability sys_tty_config, |
/ rw, |
/** mrwlkix, |
^DEFAULT_URI { |
#include <abstractions/base> |
#include <abstractions/nameservice> |
/ rw, |
/** mrwlkix, |
}
^HANDLING_UNTRUSTED_INPUT { |
#include <abstractions/nameservice> |
/ rw, |
/** mrwlkix, |
}
# The apache2.d directory, included below, contains web application
# package-specific apparmor files. |
#include <apache2.d> |
1452.1.1
by Jamie Strandboge
start on 'local/' mechanism to aid in packaging: |
# Site-specific additions and overrides. See local/README for details. |
#include <local/usr.lib.apache2.mpm-prefork.apache2> |
1304
by Kees Cook
merge profiles from Ubuntu, including change_hat apache2 template |
}