AppArmor Admin Guide

5.2 Configuring Apache for mod_apparmor

Apache is configured by placing directives in plain text configuration files. The main configuration file is usually httpd.conf. When you compile Apache, you can indicate the location of this file. Directives can be placed in any of these configuration files to alter the way Apache behaves. When you make changes to the main configuration files, you need to start or restart Apache so the changes are recognized.

5.2.1 Virtual Host Directives

Virtual host directives control whether requests that contain trailing pathname information following an actual filename or that refer to a nonexistent file in an existing directory are accepted or rejected. For Apache documentation on virtual host directives, refer to https://httpd.apache.org/docs-2.2/mod/core.html#virtualhost.

The ChangeHat-specific configuration keyword is AADefaultHatName. It is used similarly to AAHatName, for example, AADefaultHatName My_Funky_Default_Hat.

The configuration option is actually based on a server directive, which enables you to use the keyword outside of other options, setting it for the default server. Virtual hosts are considered internally within Apache to be separate servers, so you can set a default hat name for the default server as well as one for each virtual host, if desired.

When a request comes in, the following steps reflect the sequence in which mod_apparmor attempts to apply hats.

  1. A location or directory hat as specified by the AAHatName keyword

  2. A hat named by the entire URI path

  3. A default server hat as specified by the AADefaultHatName keyword

  4. DEFAULT_URI (if none of those exist, it goes back to the parent Apache hat)

5.2.2 Location and Directory Directives

Location and directory directives name, in the program's configuration file, the hat the program should change into for that location or directory, so that those requests are confined by that hat's rules. For Apache, you can find documentation about the location and directory directives at https://httpd.apache.org/docs-2.0/sections.html.

The location directive example below specifies that, for a given location, mod_apparmor should use a specific hat:

<Location /foo/>
  AAHatName MY_HAT_NAME
</Location>

This tries to use MY_HAT_NAME for any URI beginning with /foo/ (/foo/, /foo/bar, /foo/cgi/path/blah_blah/blah, etc.).

The directory directive works similarly to the location directive, except it refers to a path in the file system as in the following example:

<Directory "/srv/www/www.immunix.com/docs">
  # Note lack of trailing slash
  AAHatName immunix.com
</Directory>
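The hat-selection order from 5.2.1, together with the Location and Directory matching shown above, modelled as an added example (not code from the guide or from mod_apparmor itself). The httpd.conf fragment, the profile, DOCROOT and the plain prefix matching are constructed assumptions; the model also assumes a hat is only usable when the profile defines it, so a missing hat falls through to the next candidate:

```python
"""Simplified model of mod_apparmor's per-request hat selection (added
example, not the guide's or mod_apparmor's code). Assumes prefix matching
for Location/Directory and that an undefined hat is skipped."""
import re

# Constructed httpd.conf fragment (not from the page).
HTTPD_CONF = """AADefaultHatName site_default
<Location /foo/>
  AAHatName MY_HAT_NAME
</Location>
<Directory "/srv/www/htdocs/docs">
  AAHatName docs_hat
</Directory>
"""
# Constructed profile: docs_hat is deliberately NOT defined here.
PROFILE = """/usr/sbin/httpd2-prefork {
  ^MY_HAT_NAME { /srv/www/** r, }
  ^site_default { /srv/www/** r, }
  ^/status { /proc/loadavg r, }
}
"""
DOCROOT = "/srv/www/htdocs"   # assumed URI -> file system mapping
SECTION = re.compile(r'<(Location|Directory)\s+"?([^>"]+)"?>\s*AAHatName\s+(\S+)\s*</\1>')

def parse_conf(conf):
    """Return (AADefaultHatName or None, [(kind, path, hat), ...])."""
    m = re.search(r'^\s*AADefaultHatName\s+(\S+)', conf, re.M)
    return (m.group(1) if m else None), SECTION.findall(conf)

def parse_hats(profile):
    """Names of the hats (^name { ... }) defined in the profile text."""
    return set(re.findall(r'^\s*\^(\S+)\s*\{', profile, re.M))

def resolve(uri, conf=HTTPD_CONF, profile=PROFILE):
    """(hat, how) in the guide's order: AAHatName, whole URI path,
    AADefaultHatName, then DEFAULT_URI, i.e. back to the parent profile."""
    default, rules = parse_conf(conf)
    hats = parse_hats(profile)
    candidates = []
    for kind, path, hat in rules:                          # step 1
        target = uri if kind == "Location" else DOCROOT + uri
        p = path.rstrip("/")
        if target == p or target.startswith(p + "/"):
            candidates.append((hat, f"{kind} {path}"))
    candidates.append((uri, "URI path"))                   # step 2
    if default:
        candidates.append((default, "AADefaultHatName"))   # step 3
    for hat, how in candidates:           # first candidate the profile defines wins
        if hat in hats:
            return hat, how
    return None, "DEFAULT_URI -> parent profile"           # step 4
```

Running resolve("/docs/index.html") shows the practical consequence: a Directory directive that names a hat missing from the profile silently drops the request into the default hat, so the hat name in httpd.conf and the ^name in the profile must agree exactly.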

Example: The program phpsysinfo illustrates a location directive. The tarball can be downloaded from https://phpsysinfo.sourceforge.com.

  1. After downloading the tarball, install it into /srv/www/htdocs/phpsysinfo.

  2. Create /etc/apache2/conf.d/phpsysinfo.conf and add the following text to it:

    <Location "/phpsysinfo">
      AAHatName phpsysinfo
    </Location>

    The following hat should then work for phpsysinfo:

    /usr/sbin/httpd2-prefork {
      ...
      ^phpsysinfo {
        #include <abstractions/bash>
        #include <abstractions/nameservice>

        /bin/basename                        ixr,
        /bin/bash                            ixr,
        /bin/df                              ixr,
        /bin/grep                            ixr,
        /bin/mount                           Ux,
        /bin/sed                             ixr,
        /dev/bus/usb/                        r,
        /dev/bus/usb/**                      r,
        /dev/null                            w,
        /dev/tty                             rw,
        /dev/urandom                         r,
        /etc/SuSE-release                    r,
        /etc/ld.so.cache                     r,
        /etc/lsb-release                     r,
        /etc/lsb-release.d/                  r,
        /lib/ld-2.6.1.so                     ixr,
        /proc/**                             r,
        /sbin/lspci                          ixr,
        /srv/www/htdocs/phpsysinfo/**        r,
        /sys/bus/pci/**                      r,
        /sys/bus/scsi/devices/               r,
        /sys/devices/**                      r,
        /usr/bin/cut                         ixr,
        /usr/bin/getopt                      ixr,
        /usr/bin/head                        ixr,
        /usr/bin/lsb_release                 ixr,
        /usr/bin/lsscsi                      ixr,
        /usr/bin/tr                          ixr,
        /usr/bin/who                         ixr,
        /usr/lib/lib*so*                     mr,
        /usr/lib/locale/**                   r,
        /usr/sbin/lsusb                      ixr,
        /usr/share/locale/**                 r,
        /usr/share/pci.ids                   r,
        /usr/share/usb.ids                   r,
        /var/log/apache2/access_log          w,
        /var/run/utmp                        kr,
      }
    }

  3. Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root.

  4. Restart Apache by entering rcapache2 restart at a terminal window as root.

  5. Enter https://hostname/phpsysinfo/ into a browser to receive the system information that phpsysinfo delivers.

  6. Locate configuration errors by going to /var/log/audit/audit.log or running dmesg and looking for any rejections in the output.
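Step 6 in practice: an added example (not from the guide) that summarises the AppArmor rejections recorded for the phpsysinfo hat and drafts file rules for review. The audit.log lines are constructed samples; the quoted key="value" fields are the same ones dmesg shows, so the parser applies to either source. The hat appears in the log as parent//hat:

```python
"""Summarise AppArmor DENIED events for one hat (added example, not the
guide's code; AUDIT_LOG below is a constructed sample, not real data)."""
import re
from collections import defaultdict

AUDIT_LOG = """\
type=AVC msg=audit(1200000000.001:101): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd2-prefork//phpsysinfo" name="/etc/hostname" pid=4242 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1200000000.002:102): apparmor="DENIED" operation="exec" profile="/usr/sbin/httpd2-prefork//phpsysinfo" name="/usr/bin/uptime" pid=4243 comm="sh" requested_mask="x" denied_mask="x" fsuid=30 ouid=0
type=AVC msg=audit(1200000000.003:103): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd2-prefork//phpsysinfo" name="/etc/hostname" pid=4244 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1200000000.004:104): apparmor="ALLOWED" operation="open" profile="/usr/sbin/httpd2-prefork//phpsysinfo" name="/proc/loadavg" pid=4245 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
type=AVC msg=audit(1200000000.005:105): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd2-prefork" name="/etc/shadow" pid=4246 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
"""

HAT = "/usr/sbin/httpd2-prefork//phpsysinfo"   # AppArmor names a hat as parent//hat
FIELD = re.compile(r'(\w+)="([^"]*)"')          # quoted key="value" pairs only

def parse_line(line):
    """Quoted fields of one record (audit.log and dmesg share this layout)."""
    return dict(FIELD.findall(line))

def rejections(log, hat=HAT):
    """Count DENIED events for `hat`, keyed by (path, denied_mask, operation)."""
    counts = defaultdict(int)
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != hat:
            continue   # skips ALLOWED (complain-mode) records and other profiles
        key = (f.get("name", "?"), f.get("denied_mask", "?"), f.get("operation", "?"))
        counts[key] += 1
    return dict(counts)

def candidate_rules(counts):
    """Draft file rules for the hat; exec denials need a qualifier chosen by hand."""
    rules = []
    for (path, mask, op), n in sorted(counts.items()):
        if "x" in mask:
            # ix keeps the child inside this hat; Ux would run it unconfined
            rules.append(f"{path} ix,   # {n} exec denial(s); confirm ix vs Px/Ux")
        else:
            rules.append(f"{path} {mask},   # {n} denial(s), op={op}")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(rejections(AUDIT_LOG)):
        print(rule)
```

The drafts are a starting point only: add a rule for a path if the application legitimately needs it, and treat a denial such as the parent profile's /etc/shadow read as something to investigate rather than permit.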

Published under the terms of the GNU General Public License.