AppArmor profiles for Apache services

Registered by Kees Cook on 2009-04-27

This is to discuss what is needed to build and test the AppArmor profiles needed to confine specific Apache services, potentially including mediawiki, moin, and moodle.

Blueprint information

Status:
Started
Approver:
None
Priority:
Undefined
Drafter:
Marc Deslauriers
Direction:
Needs approval
Assignee:
None
Definition:
Approved
Series goal:
None
Implementation:
Started
Milestone target:
None
Started by
Marc Deslauriers on 2009-08-04

Related branches

Sprints

Whiteboard

* Introduction
 * This is to discuss what is needed to build and test the AppArmor profiles needed to confine specific Apache services, potentially including mediawiki, moin, and moodle.

* Confinement
 * Confine apache, but not services: not worthwhile
 * Confine apache (perhaps) and confine services
 * libapache2-mod-apparmor allows for change hat in apache
 * hat confinement is not as strong as profile confinement (ie if the process is subverted, and can access memory and break out of the hat, then in the union set of apache and all the other hats. This is very much protected via compiler hardening).
 * Upgrades: https://wiki.ubuntu.com/ApparmorProfileMigration
 * apache modules? can confine by location (eg http://localhost/status) as opposed to directory only

* Need to:
 * add profile for apache that allows adding additional profiles via packaging
  * what to do with unknown applications? probably leave unconfined
  * permissive by default
  * apache.d directory where applications drop stuff
  * blacklist certain files and give common examples commented out
   * give a static-only example, exec cgi example
   * basic PHP example
   * virtual hosting example
 * define services to confine
  * drupal
  * wordpress
  * moin P1
  * mediawiki
  * moodle P1.5
  * forum applications (phpbb3?)
  * trac

* Flow
 * when a request comes in and mapped to a URI with apache, apparmor will first try a hat name configuration, then a hat that is the entire URI, then a per server hat (AA_DEFAULT_HATNAME), then DEFAULT_URI, then the apache profile

 * when breaking up into uri and component arguents, it is in UNTRUSTED_INPUT
  * apache -> untrusted -> (named hat (AA_hatname) -> entire uri -> AA_DEFAULT_HATNAME (per server directive) -> DEFAULT_URI) -> apache
  * tip, pick either location or directory and stick with it. If mixing and matching need to test heavily

* apache modes
 * prefork (process, php) is only AA-protected mode
 * worker (threaded, fastcgi->moin)

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.