/etc/apparmor.d/usr.sbin.apache2 is in libapache2-mod-apparmor 2.11.0-3+deb9u2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
#include <tunables/global>
# AppArmor profile for the Apache parent binary. On its own it confines almost
# nothing: it exists so that mod_apparmor can switch each request into a hat
# (a sub-profile introduced with "^name") carrying the real restrictions.
#
# flags=(complain) puts the profile in complain mode, where policy violations
# are logged but not denied. Nothing is blocked until the flag is removed
# (see step 1 below).
/usr/sbin/apache2 flags=(complain) {
# This profile is completely permissive.
# It is designed to target specific applications using mod_apparmor,
# hats, and the apache2.d directory.
#
# NOTE(review): "completely permissive" describes the file rules ("/ rw" and
# "/** mrwlkix" further down). Once enforced, capabilities and other mediated
# operations are limited to what this profile and its abstractions list.
#
# In order to enable this profile, you must:
#
# 0- Stop apache:
#      sudo service apache2 stop
#
# 1- Enable the profile:
#      sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
#
# 2- Load the mpm_prefork and mod_apparmor modules:
#      sudo a2dismod <other non-prefork mpm>
#      sudo a2enmod mpm_prefork
#      sudo a2enmod apparmor
#      sudo service apache2 restart
#
# 3- Place an appropriate profile containing the desired hat in the
#    /etc/apparmor.d/apache2.d directory. Such profiles must include
#    the "apache2-common" abstraction:
#
#      ^example.com flags=(complain) {
#        #include <abstractions/apache2-common>
#        /var/www/html/ r,
#        /var/www/html/** r,
#        /var/log/apache2/*.log w,
#      }
#
#    NOTE(review): the example hat is itself declared with flags=(complain).
#    A hat copied verbatim only logs violations; drop the flag once the hat
#    has been tested so that access outside the listed paths is denied.
#
# 4- Use the "AADefaultHatName" apache configuration option to specify a
#    hat to be used for a given apache virtualhost or "AAHatName" for
#    a given apache directory or location directive:
#
#      <VirtualHost example.com:80>
#        <IfModule mod_apparmor.c>
#          AADefaultHatName example.com
#        </IfModule>
#        ...
#      </VirtualHost>
#
#
# There is an example profile for phpsysinfo included in the
# apparmor-profiles package. To try it:
#
# 1- Install the phpsysinfo and the apparmor-profiles packages:
#      sudo apt-get install phpsysinfo apparmor-profiles
#
# 2- Enable the main apache2 profile
#      sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
#
# 3- Configure apache with the following (or similar):
#      Alias /phpsysinfo /usr/share/phpsysinfo
#      <Location /phpsysinfo>
#        <IfModule mod_apparmor.c>
#          AAHatName phpsysinfo
#        </IfModule>
#
#        # adjust as necessary:
#        Options None
#        Require local
#        Require ip 192.168.0.0/16
#      </Location>
#
#include <abstractions/base>
#include <abstractions/nameservice>
# Send signals to all hats.
# The peer expression matches every child profile/hat of this profile.
signal (send) peer=@{profile_name}//*,
# Capabilities granted directly by this profile. dac_override bypasses
# discretionary file-permission checks, net_bind_service allows binding
# ports below 1024, and setuid/setgid allow changing process credentials
# (presumably to drop to the worker account; confirm against the local
# Apache configuration).
capability dac_override,
capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_tty_config,
# Unrestricted file access: read and write on the root directory, and on
# every path below it read (r), write (w), executable mmap (m), link (l),
# lock (k) and execute with the child inheriting this profile (ix). These
# two rules are what make the parent profile permissive even when enforced.
/ rw,
/** mrwlkix,
# Hat mod_apparmor falls back to when no more specific hat applies to a
# request. It repeats the parent's unrestricted file rules, so requests that
# are not mapped to a dedicated hat get no file confinement from this profile.
# NOTE(review): consider tightening this hat once per-site hats are in place.
^DEFAULT_URI flags=(complain) {
#include <abstractions/base>
#include <abstractions/apache2-common>
/ rw,
/** mrwlkix,
}
# Hat mod_apparmor uses while Apache performs the initial parsing of a
# request, before a handler (and its hat) has been selected. As shipped it
# also allows all file access, so the parsing stage is not restricted either.
^HANDLING_UNTRUSTED_INPUT flags=(complain) {
#include <abstractions/apache2-common>
/ rw,
/** mrwlkix,
}
# This directory contains web application
# package-specific apparmor files.
# Every file in it is pulled into this profile, which is how the per-site
# hats described in step 3 become part of the loaded policy.
#include <apache2.d>
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.apache2>
}