Configuring Apache for mod_apparmor

Apache is configured by placing directives in plain text configuration files. The main configuration file is usually httpd.conf. When you compile Apache, you can indicate the location of this file. Directives can be placed in any of these configuration files to alter the way Apache behaves. When you make changes to the main configuration files, you need to start or restart Apache so the changes are recognized.

Virtual Host Directives

Virtual host directives control whether requests that contain trailing pathname information following an actual filename or that refer to a nonexistent file in an existing directory are accepted or rejected. For Apache documentation on virtual host directives, refer to http://httpd.apache.org/docs-2.2/mod/core.html#virtualhost.

The ChangeHat-specific configuration keyword is AADefaultHatName. It is used similarly to AAHatName, for example, AADefaultHatName My_Funky_Default_Hat.

The configuration option is actually based on a server directive, which enables you to use the keyword outside of other options, setting it for the default server. Virtual hosts are considered internally within Apache to be separate “servers,” so you can set a default hat name for the default server as well as one for each virtual host, if desired.

When a request comes in, the following steps reflect the sequence in which mod_apparmor attempts to apply hats.

  1. A location or directory hat as specified by the AAHatName keyword

  2. A hat named by the entire URI path

  3. A default server hat as specified by the AADefaultHatName keyword

  4. DEFAULT_URI (if none of those exist, it goes back to the “parent” Apache hat)

Location and Directory Directives

Location and directory directives specify hat names in the program configuration file so the program calls the hat regarding its security. For Apache, you can find documentation about the location and directory directives at http://httpd.apache.org/docs-2.2/sections.html.

The location directive example below specifies that, for a given location, mod_apparmor should use a specific hat:

<Location /foo/> AAHatName MY_HAT_NAME </Location>
   

This tries to use MY_HAT_NAME for any URI beginning with /foo/ (/foo/, /foo/bar, /foo/cgi/path/blah_blah/blah, etc.).

The directory directive works similarly to the location directive, except it refers to a path in the file system as in the following example:

<Directory "/srv/www/www.immunix.com/docs"> 
  # Note lack of trailing slash 
  AAHatName immunix.com 
</Directory>

Example:  The program phpsysinfo is used to illustrate a location directive in the following example. The tarball can be downloaded from http://phpsysinfo.sourceforge.com.

  1. After downloading the tarball, install it into /srv/www/htdocs/phpsysinfo.

  2. Create /etc/apache2/conf.d/phpsysinfo.conf and add the following text to it:

    <Location "/phpsysinfo"> 
      AAHatName phpsysinfo
    </Location>

    The following hat should then work for phpsysinfo:

    /usr/sbin/httpd2-prefork {
      ...
      ^phpsysinfo {
        #include <abstractions/bash>
        #include <abstractions/nameservice>
    
        /bin/basename                        ixr,
        /bin/bash                            ixr,
        /bin/df                              ixr,
        /bin/grep                            ixr,
        /bin/mount                           Ux,
        /bin/sed                             ixr,
        /dev/bus/usb/                        r,
        /dev/bus/usb/**                      r,
        /dev/null                            w,
        /dev/tty                             rw,
        /dev/urandom                         r,
        /etc/SuSE-release                    r,
        /etc/ld.so.cache                     r,
        /etc/lsb-release                     r,
        /etc/lsb-release.d/                  r,
        /lib/ld-2.6.1.so                     ixr,
        /proc/**                             r,
        /sbin/lspci                          ixr,
        /srv/www/htdocs/phpsysinfo/**        r,
        /sys/bus/pci/**                      r,
        /sys/bus/scsi/devices/               r,
        /sys/devices/**                      r,
        /usr/bin/cut                         ixr,
        /usr/bin/getopt                      ixr,
        /usr/bin/head                        ixr,
        /usr/bin/lsb_release                 ixr,
        /usr/bin/lsscsi                      ixr,
        /usr/bin/tr                          ixr,
        /usr/bin/who                         ixr,
        /usr/lib/lib*so*                     mr,
        /usr/lib/locale/**                   r,
        /usr/sbin/lsusb                      ixr,
        /usr/share/locale/**                 r,
        /usr/share/pci.ids                   r,
        /usr/share/usb.ids                   r,
        /var/log/apache2/access_log          w,
        /var/run/utmp                        kr,
       }
    }
         
  3. Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root.

  4. Restart Apache by entering rcapache2 restart at a terminal window as root.

  5. Enter http://hostname/phpsysinfo/ into a browser to receive the system information that phpsysinfo delivers.

  6. Locate configuration errors by going to /var/log/audit/audit.log or running dmesg and looking for any rejections in the output.