logo

apparmor.d

Unnamed repository; edit this file 'description' to name the repository. git clone https://hacktivis.me/git/apparmor.d.git

usr.sbin.apache2 (3043B)

    

  1. # Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
  3. abi <abi/3.0>,
  5. include <tunables/global>
  6. profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
  8.   # This profile is completely permissive.
  9.   # It is designed to target specific applications using mod_apparmor,
  10.   # hats, and the apache2.d directory.
  11.   #
  12.   # In order to enable this profile, you must:
  13.   #
  14.   # 0- Stop apache:
  15.   #    sudo service apache2 stop
  16.   #
  17.   # 1- Enable the profile:
  18.   #    sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
  19.   #
  20.   # 2- Load the mpm_prefork and mod_apparmor modules:
  21.   #    sudo a2dismod <other non-prefork mpm>
  22.   #    sudo a2enmod mpm_prefork
  23.   #    sudo a2enmod apparmor
  24.   #    sudo service apache2 restart
  25.   #
  26.   # 3- Place an appropriate profile containing the desired hat in the
  27.   #    /etc/apparmor.d/apache2.d directory.  Such profiles must include
  28.   #    the "apache2-common" abstraction:
  29.   #
  30.   #    ^example.com {
  31.   #        include <abstractions/apache2-common>
  32.   #        /var/www/html/             r,
  33.   #        /var/www/html/**           r,
  34.   #        /var/log/apache2/*.log     w,
  35.   #    }
  36.   #
  37.   # 4- Use the "AADefaultHatName" apache configuration option to specify a
  38.   #    hat to be used for a given apache virtualhost or "AAHatName" for
  39.   #    a given apache directory or location directive:
  40.   #
  41.   #    <VirtualHost example.com:80>
  42.   #        <IfModule mod_apparmor.c>
  43.   #            AADefaultHatName example.com
  44.   #        </IfModule>
  45.   #        ...
  46.   #    </VirtualHost>
  47.   #
  48.   #
  49.   # There is an example profile for phpsysinfo included in the
  50.   # apparmor-profiles package. To try it:
  51.   #
  52.   # 1- Install the phpsysinfo and the apparmor-profiles packages:
  53.   #    sudo apt-get install phpsysinfo apparmor-profiles
  54.   #
  55.   # 2- Enable the main apache2 profile
  56.   #    sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
  57.   #
  58.   # 3- Configure apache with the following (or similar):
  59.   #    Alias /phpsysinfo /usr/share/phpsysinfo
  60.   #    <Location /phpsysinfo>
  61.   #        <IfModule mod_apparmor.c>
  62.   #          AAHatName phpsysinfo
  63.   #        </IfModule>
  64.   #
  65.   #        # adjust as necessary:
  66.   #        Options None
  67.   #        Require local
  68.   #        Require ip 192.168.0.0/16
  69.   #    </Location>
  70.   #
  72.   include <abstractions/base>
  73.   include <abstractions/nameservice>
  75.   # Send signals to all hats.
  76.   signal (send) peer=@{profile_name}//*,
  78.   capability dac_override,
  79.   capability kill,
  80.   capability net_bind_service,
  81.   capability setgid,
  82.   capability setuid,
  83.   capability sys_tty_config,
  85.   / rw,
  86.   /** mrwlkix,
  89.   ^DEFAULT_URI flags=(attach_disconnected) {
  90.     include <abstractions/base>
  91.     include <abstractions/apache2-common>
  93.     / rw,
  94.     /** mrwlkix,
  95.   }
  97.   ^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {
  98.     include <abstractions/apache2-common>
  100.     / rw,
  101.     /** mrwlkix,
  102.   }
  104.   # This directory contains web application
  105.   # package-specific apparmor files.
  107.   include <apache2.d>
  109.   # Site-specific additions and overrides. See local/README for details.
  110.   include if exists <local/usr.sbin.apache2>
  111. }