5.2. Apache Configuration for mod-apparmor

Apache is configured by placing directives in plain text configuration files. The main configuration file is usually httpd.conf. When you compile Apache, you can indicate the location of this file. Directives can be placed in any of these configuration files to alter the way Apache behaves. When you make changes to the main configuration files, you need to start or restart Apache so the changes are recognized.

5.2.1. Virtual Host Directives

Virtual host directives control whether requests that contain trailing pathname information, following an actual filename (or nonexistent file in an existing directory), is accepted or rejected. For Apache documentation on virtual host directives, refer to http://httpd.apache.org/docs-2.0/mod/core.html#virtualhost

The change_hat specific configuration keyword is ImmDefaultHatName and is used similarly to ImmHatName, for example, ImmDefaultHatName My_Funky_Default_Hat.

The configuration option is actually based on a server directive, which enables you to use the keyword outside of other options, thereby setting it for the default server. Virtual hosts are considered internally within Apache to be separate “servers,” so you can set a default hat name for the default server, as well as one for each virtual host, if desired.

When a request comes in, the following steps reflect the sequence in which mod-apparmor attempts to apply hats.

  1. A location or directory hat as specified by the ImmHatName keyword.

  2. A hat named by the entire URI path.

  3. A default server hat as specified by the ImmDefaultHatName keyword.

  4. DEFAULT_URI (and if none of those exist, it goes back to the “parent” Apache hat).

5.2.2. Location and Directory Directives

Location and directory directives specify hat names in the program configuration file so the program calls the hat regarding its security. For Apache, you can find documentation about the location and directory directives at http://httpd.apache.org/docs-2.0/sections.html.

The location directive example below specifies that, for a given location, mod-apparmor should use a specific hat:

<Location /foo/>
      ImmHatName MY_HAT_NAME
</Location>

This tries to use MY_HAT_NAME for any URI beginning with /foo/ (/foo/, /foo/bar, /foo/cgi/path/blah_blah/blah, etc.).

The directory directive works similarly to the location directive, except it refers to a pathname in the file system, in the following example:

<Directory "/srv/www/www.immunix.com/docs"> # Note lack of trailing slash
      ImmHatName immunix.com
</Directory>

Example:  The program phpsysinfo is used to illustrate a location directive in the following example. The tarball can be downloaded from http://phpsysinfo.sourceforge.com.

  1. After downloading the tarball, install it into /srv/www/htdocs/sysinfo/.

  2. Create /etc/apache2/conf.d/sysinfo.conf and add the following text to it:

    <Location "/sysinfo">
              ImmHatName sysinfo
    </Location>

    The following hat should then work for phpsyinfo:

       ^sysinfo {
      #include <program-chunks/base-files>
        /bin/df                               ix,
        /bin/bash                             ix,
        /dev/tty                              rw,
        /etc/SuSE-release                     r,
        /etc/fstab                            r,
        /etc/hosts                            r,
        /etc/mtab                             r,
        /proc/**                              r,
        /sbin/lspci                           ix,
        /srv/www/htdocs/sysinfo/**            r,
        /sys/bus/pci/devices                  r,
        /sys/devices/**                       r,
        /usr/bin/who                          ix,
        /usr/share/pci.ids                    r,
        /var/log/apache2/{access,error}_log   w,
        /var/run/utmp                         r,
      }
    
  3. Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root.

  4. Restart Apache by entering rcapache2 restart at a terminal window while logged in as root.

  5. Enter http://hostname/sysinfo/ into a browser to receive the system information that phpsysinfo delivers.

  6. Track down configuration errors by going to /var/log/syslog or running dmesg and looking for any rejections in the output.