5.1 Apache ChangeHat
Novell AppArmor provides a
mod_apparmor module (package apache2-mod_apparmor) for the Apache program. This
module makes the Apache Web server ChangeHat aware. Install it along with
When Apache is ChangeHat aware, it checks for the following customized Novell AppArmor
security profiles in the order given for every URI request that it receives.
NOTE: Apache Configuration
If you install apache2-mod_apparmor without Novell AppArmor, make sure
that the Apache load module has a command in the configuration file that
loads the mod_apparmor module by adding
apparmor to the list of modules to load in
Alternatively, add the following line to your Apache configuration
LoadModule mod_apparmor modules/mod_apparmor.so
5.1.1 Managing ChangeHat-Aware Applications
As with most of the Novell AppArmor tools, you can use two methods for managing
ChangeHat, YaST or the command line interface. Managing ChangeHat-aware
applications from the command line is much more flexible, but the
also more complicated. Both methods allow you to manage the hats for your
application and populate them with profile entries.
The following steps are a demonstration that adds hats to an Apache profile
using YaST. In the , the Novell AppArmor
profiling utilities prompt you to create new hats for distinct URI
requests. Choosing to create a new hat allows you to create individual
profiles for each URI. You can create very tight rules for each request.
If the URI that is processed does not represent significant processing or
otherwise does not represent a significant security risk, safely select
to process this URI in the default hat,
which is the default security profile.
This example creates a new hat for the URI
phpsysinfo and its subsequent accesses. Using the
profiling utilities, delegate what to add to this new hat. The resulting
hat becomes a tight-security container that encompasses all the processing
on the server that occurs when the phpsysinfo URI
is passed to the Apache Web server.
The URI runs the application phpsysinfo (refer to https://phpsysinfo.sourceforge.net for more information). The
phpsysinfo package is
assumed to be installed in
/srv/www/htdocs/phpsysinfo in a clean (new)
installation of openSUSE and AppArmor.
Once phpsysinfo is
installed, you are ready to add hats to the Apache profile. From the
Novell AppArmor GUI, select .
In , enter
Restart Apache by entering rcapache2 restart in a
Restart any program you are profiling at this point.
Open https://localhost/phpsysinfo/ in a Web
browser window. The browser window should display network usage and
NOTE: Data Caching
To ensure that this request is processed by the server and you do not
review cached data in your browser, refresh the page. To do this, click
the browser button to make sure that Apache
processes the request for the phpsysinfo URI.
Novell AppArmor launches the aa-logprof tool, which scans the
information learned in the previous step. It begins to prompt you
with profile questions.
aa-logprof first prompts with or because it noticed
that the phpsysinfo URI was accessed. Select
Choosing in the previous step
creates a new hat in the profile and specifies that the results of
subsequent questions about the script's actions are added to the newly
created hat rather than the default hat for this application.
In the next screen, Novell AppArmor displays an external program that the script
executed. You can specify that the program should run confined by the
phpsysinfo hat (choose ), confined by a
separate profile (choose ), or that it should
run unconfined or without any security profile (choose
). For the case of the
option, a new profile is created for the
program if one does not already exist.
NOTE: Security Considerations
Selecting can create a significant
security hole and should be done with caution.
Select for the
/bin/bash path. This adds
/bin/bash (accessed by Apache) to the
phpsysinfo hat profile with the necessary permissions.
The remaining questions prompt you to generate new hats and add entries
to your profile and its hats. The process of adding entries to profiles
is covered in detail in the
Section 3.1, Adding a Profile Using the Wizard.
When all profiling questions are answered, click
to save your changes and exit the wizard.
The following is an example phpsysinfo hat.
Example 5-1 Example phpsysinfo Hat
NOTE: Hat and Parent Profile Relationship
The profile ^phpsysinfo is only valid in the
context of a process running under the parent profile
5.1.2 Adding Hats and Entries to Hats
When you use the dialog (for instructions,
Section 3.3, Editing Profiles) or when you add a
new profile using (for
instructions, refer to
Section 3.2, Manually Adding a Profile), you are given the
option of adding hats (subprofiles) to your Novell AppArmor profiles.
Add a ChangeHat subprofile from the window as in the following.
From the window, click
then select . The
dialog box opens:
Enter the name of the hat to add to the Novell AppArmor profile. The name is the
URI that, when accessed, receives the permissions set in the hat.
Click . You are returned to the
After adding the new hat, click .