diff options
Diffstat (limited to 'profiles/usr.sbin.apache2')
-rw-r--r-- | profiles/usr.sbin.apache2 | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/profiles/usr.sbin.apache2 b/profiles/usr.sbin.apache2 new file mode 100644 index 0000000..dd23f51 --- /dev/null +++ b/profiles/usr.sbin.apache2 @@ -0,0 +1,109 @@ +# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com> + +#include <tunables/global> +/usr/sbin/apache2 flags=(attach_disconnected) { + + # This profile is completely permissive. + # It is designed to target specific applications using mod_apparmor, + # hats, and the apache2.d directory. + # + # In order to enable this profile, you must: + # + # 0- Stop apache: + # sudo service apache2 stop + # + # 1- Enable the profile: + # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2 + # + # 2- Load the mpm_prefork and mod_apparmor modules: + # sudo a2dismod <other non-prefork mpm> + # sudo a2enmod mpm_prefork + # sudo a2enmod apparmor + # sudo service apache2 restart + # + # 3- Place an appropriate profile containing the desired hat in the + # /etc/apparmor.d/apache2.d directory. Such profiles must include + # the "apache2-common" abstraction: + # + # ^example.com flags=(complain) { + # #include <abstractions/apache2-common> + # /var/www/html/ r, + # /var/www/html/** r, + # /var/log/apache2/*.log w, + # } + # + # 4- Use the "AADefaultHatName" apache configuration option to specify a + # hat to be used for a given apache virtualhost or "AAHatName" for + # a given apache directory or location directive: + # + # <VirtualHost example.com:80> + # <IfModule mod_apparmor.c> + # AADefaultHatName example.com + # </IfModule> + # ... + # </VirtualHost> + # + # + # There is an example profile for phpsysinfo included in the + # apparmor-profiles package. To try it: + # + # 1- Install the phpsysinfo and the apparmor-profiles packages: + # sudo apt-get install phpsysinfo apparmor-profiles + # + # 2- Enable the main apache2 profile + # sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2 + # + # 3- Configure apache with the following (or similar): + # Alias /phpsysinfo /usr/share/phpsysinfo + # <Location /phpsysinfo> + # <IfModule mod_apparmor.c> + # AAHatName phpsysinfo + # </IfModule> + # + # # adjust as necessary: + # Options None + # Require local + # Require ip 192.168.0.0/16 + # </Location> + # + + #include <abstractions/base> + #include <abstractions/nameservice> + + # Send signals to all hats. + signal (send) peer=@{profile_name}//*, + + capability dac_override, + capability kill, + capability net_bind_service, + capability setgid, + capability setuid, + capability sys_tty_config, + + / rw, + /** mrwlkix, + + + ^DEFAULT_URI flags=(attach_disconnected) { + #include <abstractions/base> + #include <abstractions/apache2-common> + + / rw, + /** mrwlkix, + } + + ^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) { + #include <abstractions/apache2-common> + + / rw, + /** mrwlkix, + } + + # This directory contains web application + # package-specific apparmor files. + + #include <apache2.d> + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.apache2> +} |