Chapter 5. Profiling Your Web Applications Using ChangeHat Apache
Prev Novell AppArmor 2.0 Administration Guide Next

Chapter 5. Profiling Your Web Applications Using ChangeHat Apache

Contents

5.1. Apache ChangeHat
5.2. Apache Configuration for mod-apparmor

A Novell® AppArmor profile represents security policy for an individual program instance or process. It applies to an executable program, but if a portion of the program needs different access permissions than other portions, the program can “change hats” to use a different security context, distinctive from the access of the main program. This is known as a hat or subprofile.

ChangeHat enables programs to change to or from a hat within a Novell AppArmor profile. It enables you to define security at a finer level than the process.

This feature requires that each application be made “changehat aware”, meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution.

A profile can have an arbitrary number of subprofiles, but there are only two levels: a subprofile cannot have further sub-subprofiles. A subprofile is written as a separate profile and named as the containing profile followed by the subprofile name, separated by a ^. Subprofiles must be stored in the same file as the parent profile.

[Note]Note

For more information see the change_hat man page.

5.1. Apache ChangeHat

Novell AppArmor provides a mod-apparmor module for the Apache program. The mod-apparmor module works on your SUSE Linux to make the Apache web server become “ChangeHat aware.” It is installed if Apache is on your system.

When Apache is ChangeHat-aware, it checks for the following customized Novell AppArmor security profiles in the order given for every URI request that it receives.

  • URI-specific hat (for example, ^phpsysinfo-dev/templates/classic/images/bar_left.gif)

  • DEFAULT_URI

  • HANDLING_UNTRUSTED_INPUT

If you have the required Apache 2 on your system, the mod-apparmor module is automatically installed with Novell AppArmor as well as added to the Apache configuration. Apache 1.3 is not supported.

[Note]Note

If you install mod-apparmor without Novell AppArmor, you need to make sure the Apache load module has a command in the config file that loads the mod-apparmor module by adding the following line to your Apache configuration file: 

LoadModule change_hat_module modules/mod_change_hat.so

5.1.1. Tools for Managing ChangeHat-Aware Applications

As with most of the Novell AppArmor tools, you can use two methods for managing ChangeHat, YaST or the command line interface. Manage ChangeHat-aware applications much more flexibly at the command line, but the process is also more complicated. Both methods allow you to manage the hats for your application and populate them with profile entries.

In the following steps, we walk you through a demo that adds hats to an Apache profile using YaST. In the Add Profile Wizard, the Novell AppArmor profiling utilities prompt you to create new hats for distinct URI requests. Choosing to create a new hat allows you to create individual profiles for each URI. This allows you to create very tight rules for each request.

If the URI that is processed does not represent significant processing or otherwise does not represent a significant security risk, you may safely select Use Default Hat to process this URI in the default hat, which is the default security profile.

In the demo, we create a new hat for the URI phpsysinfo-dev and its subsequent accesses. Using the profiling utilities, we delegate what is added to this new hat. The resulting hat becomes a tight-security container that encompasses all the processing on the server that occurs when the phpsysinfo-dev URI is passed to the Apache Web server.

In this demo, we generate a profile for the application phpsysinfo (refer to http://phpsysinfo.sourceforge.net for more information). The phpsysinfo-dev package is assumed to be installed under /srv/www/htdocs/phpsysinfo-dev/ in a clean (new) install of Novell AppArmor.

  1. Once phpsysinfo-dev is installed, you are ready to add hats to the Apache profile. From the Novell AppArmor GUI, select Add Profile Wizard.

    Add Profile Wizard

  2. In Profile to Add, enter httpd2-prefork.

  3. Click Create Profile. The AppArmor Profiling Wizard window opens.

    AppArmor Profiling Wizard

  4. Restart Apache by entering rcapache2 restart in a terminal window.

    [Note]Note

    Restart any program you are profiling at this point.

  5. Open http://localhost/phpsysinfo-dev/ in a Web browser window. The browser window should display network usage and system information.

    [Note]Note

    To ensure that this request is processed by the server and you do not review cached data in your browser, you should refresh the page. To do this, click the browser Refresh button to make sure that Apache processes the request for the phpsysinfo-dev URI.

  6. Click Scan System Log for Entries to Add to Profiles. Novell AppArmor launches the logprof tool, which scans the all the information learned in the previous step. It begins to prompt you with profile questions.

  7. In our demo, logprof first prompts us with Add Requested Hat or Use Default Hat because it noticed that a URI was accessed phpsysinfo-dev. Select Add Requested Hat.

    AppArmor Profile Wizard: Add requested hat

  8. Click Allow.

    Choosing Add Requested Hat in the previous step creates a new hat in the profile and specifies that subsequent questions about the script's actions are added to the newly created hat rather than the default hat for this application.

    In the next screen, Novell AppArmor displays an external program that the script executed. You can specify that the program should run confined by the phpsysinfo-dev hat (choose Inherit), confined by a separate profile (choose Profile), or that it should run unconfined or without any security profile (choose Unconfined). For the case of the Profile option, a new profile is created for the program if one does not already exist.

    [Note]Note

    Selecting Unconfined can create a significant security hole and should be done with caution.

    AppArmor Profile Wizard: Inherit

    1. Select Inherit for the /bin/bash path. This adds /bin/bash/ (accessed by Apache) to the phpsysinfo-dev hat profile with the necessary permissions.

    2. Click Allow.

  9. The remaining questions prompt you to generate new hats and add entries to your profile and its hats. The process of adding entries to profiles is covered in detail in the section Section 3.3.1, “Adding a Profile Using the Wizard” (↑Novell AppArmor 2.0 Administration Guide).

    When all profiling questions are answered, click Finish to save your changes and exit the wizard.

The following is an example of what a phpsyinfo-dev hat might resemble.

Example 5.1. Example phpsysinfo-dev Hat

  ^phpsysinfo {
  #include <program-chunks/base-files>
    /bin/df                               ix,
    /bin/bash                             ix,
    /dev/tty                              rw,
    /etc/SuSE-release                     r,
    /etc/fstab                            r,
    /etc/hosts                            r,
    /etc/mtab                             r,
    /proc/**                              r,
    /sbin/lspci                           ix,
    /srv/www/htdocs/sysinfo/**            r,
    /sys/bus/pci/devices                  r,
    /sys/devices/**                       r,
    /usr/bin/who                          ix,
    /usr/share/pci.ids                    r,
    /var/log/apache2/{access,error}_log   w,
    /var/run/utmp                         r,
  }
[Note]Note

The profile, ^phpsysinfo-dev, is only valid in the context of a process running under the parent profile httpd2-prefork.

5.1.2. Adding Hats and Entries to Hats

When you use the Edit Profile dialog (for instructions, refer to Section 3.3.3, “Editing a Profile” (↑Novell AppArmor 2.0 Administration Guide)) or when you add a new profile using Manually Add Novell AppArmor Profile (for instructions, refer to Section 3.3.2, “Manually Adding a Profile” (↑Novell AppArmor 2.0 Administration Guide)), you are given the option of adding hats (subprofiles) to your Novell AppArmor profiles.

You can add a ChangeHat subprofile from the AppArmor Profile Dialog window.

AppArmor profile dialog

  1. From the AppArmor Profile Dialog window, click Add Entry then select Hat.The Enter Hat Name dialog box opens:

    Enter hat name

  2. Enter the name of the hat to add to the Novell AppArmor profile. The name is the URI that, when accessed, receives the permissions set in the hat.

  3. Click Create Hat. You are returned to the AppArmor Profile Dialog screen.

  4. After adding the new hat, click Done.

[Note]Note

For an example of an Novell AppArmor profile, refer to Example 5.1, “Example phpsysinfo-dev Hat” (↑Novell AppArmor 2.0 Administration Guide).

Prev Up Next
4.5. Maintaining Your Security Profiles Home 5.2. Apache Configuration for mod-apparmor