# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
#include <tunables/global>
# This profile is completely permissive, so enforcing it on its own
# provides little confinement; the restrictions come from the hats.
# It is designed to target specific applications using mod_apparmor,
# hats, and the apache2.d directory.
# In order to enable this profile, you must:
# sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
# 2- Load the mpm_prefork and mod_apparmor modules:
# sudo a2dismod <other non-prefork mpm>
# sudo a2enmod mpm_prefork
# sudo a2enmod apparmor
# sudo service apache2 restart
# 3- Place an appropriate profile containing the desired hat in the
# /etc/apparmor.d/apache2.d directory. Such profiles should probably
# include the "apache2-common" abstraction.
# 4- Use the "AADefaultHatName" apache configuration option to specify a
# hat to be used for a given apache virtualhost or "AAHatName" for
# a given apache directory or location directive.
# There is an example profile for phpsysinfo included in the
# apparmor-profiles package. To try it:
# 1- Install the phpsysinfo and the apparmor-profiles packages:
# sudo apt-get install phpsysinfo apparmor-profiles
# 2- Enable the main apache2 profile
# sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
# 3- Configure apache with the following:
# <Directory /var/www/phpsysinfo/>
# AAHatName phpsysinfo
#include <abstractions/base>
#include <abstractions/nameservice>
# CAP_DAC_OVERRIDE lets the confined process bypass discretionary file
# permission checks (read, write and execute), regardless of file ownership
# or mode bits.
# NOTE(review): this is a broad grant for a network-facing daemon; confirm
# the deployment actually needs it, and leave it out of any hat that does not.
capability dac_override,
# CAP_NET_BIND_SERVICE allows binding sockets to privileged ports
# (below 1024), such as the standard HTTP and HTTPS ports.
capability net_bind_service,
# CAP_SYS_TTY_CONFIG permits vhangup(2) and privileged ioctl operations on
# virtual terminals.
# NOTE(review): the reason a web server needs this is not visible in this
# excerpt - confirm it is still required before keeping it.
capability sys_tty_config,
#include <abstractions/base>
#include <abstractions/nameservice>
# Hat (sub-profile) declaration; the leading "^" marks a hat that a
# change_hat-aware program can switch into.
# NOTE(review): per the mod_apparmor documentation, Apache workers use this
# hat while parsing an incoming request, before a per-vhost or per-location
# hat is selected - confirm against the installed mod_apparmor version.
# Its rules therefore decide what request-parsing code can reach, so they
# should be kept as narrow as possible. The hat's rules and closing brace
# are not all visible in this excerpt.
^HANDLING_UNTRUSTED_INPUT {
#include <abstractions/nameservice>
# This directory contains web application
# package-specific apparmor files.
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.apache2>