mod_apparmor in 2.8.3 always used URL-based hats

Bug #1322778 reported by Christian Boltz on 2014-05-23
This bug affects 1 person
Affects: AppArmor (status tracked in Master)
2.8: importance High, assigned to Steve Beattie
Master: importance High, assigned to Steve Beattie

Bug Description

I have lots of <VirtualHost *:80> with AADefaultHatName vhost_whatever.

However, starting with mod_apparmor 2.8.3 a URL-based hat is used for all requests; the AADefaultHatName is ignored.

From #apparmor:
[01:23:14] <cboltz> I could even argue that the URL-based hat allows to "steal" permissions
[01:23:30] <cboltz> imagine a vhost has a /foo.php
[01:23:52] <cboltz> now someone could add another /foo.php to a different vhost which would get the same hat as the first one
[01:24:09] <cboltz> (the URL-based hats don't contain any hints about which vhost they use)
[01:26:20] <sbeattie> right. You'd like the URL based hatname to incorporate some sort of representation of the vhost
[01:27:01] <cboltz> that might be a solution, yes
[01:27:05] <sbeattie> cboltz: can you open a bug, please?
[01:27:16] <cboltz> yes
[01:27:33] <cboltz> however I'm not sure what the best solution is
[01:27:48] <sbeattie> cboltz: well, I think I'm almost convinced that the ordering should be AAHatName, AADefaultHatName, vhost+URI, URI, DEFAULT_HAT.
[01:28:21] <sbeattie> but not entirely sure.
[01:28:32] <cboltz> yes, looks like a good order
[01:29:41] <cboltz> maybe s/vhost+URI/full path/
[01:29:56] <cboltz> (how would that work with "virtual" mod_rewrite-based "filenames"?)

A patch for the 2.8 branch that prefers AADefaultHatName over the URL-based hat would be more than welcome ;-)
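
The hat collision and the ordering proposed in the chat above, modelled as an added example; this is not part of the original report and not mod_apparmor's code. `struct req`, `candidates`, `hat_for`, `HATS`, the `vhost-URI` name format, the `DEFAULT_HAT` placeholder string, the host names and the rule that the first candidate defined in the profile wins are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
struct req {                     /* constructed model; field names are hypothetical */
    const char *aa_hat_name;     /* AAHatName, NULL if unset */
    const char *aa_default_hat;  /* AADefaultHatName, NULL if unset */
    const char *vhost, *uri;     /* vhost server name and request URI */
};

/* Fill out[] with hat candidates, most preferred first; returns the count.
 * uri_only=1: simplified model of the reported 2.8.3 behaviour; 0: proposed order. */
static int candidates(const struct req *r, int uri_only,
                      const char *out[5], char *buf, size_t len)
{
    int n = 0;
    if (!uri_only) {
        if (r->aa_hat_name) out[n++] = r->aa_hat_name;
        if (r->aa_default_hat) out[n++] = r->aa_default_hat;
        snprintf(buf, len, "%s-%s", r->vhost, r->uri);  /* assumed name format */
        out[n++] = buf;
    }
    out[n++] = r->uri;
    out[n++] = "DEFAULT_HAT";    /* placeholder name for the fallback hat */
    return n;
}

/* Constructed profile: one hat per vhost plus a URI hat written for vhost a. */
static const char *HATS[] = { "vhost_a", "vhost_b", "/foo.php", "DEFAULT_HAT" };

/* Hat that /foo.php gets on the given vhost: first candidate the profile defines. */
static const char *hat_for(const char *vhost, const char *def, int uri_only)
{
    static char buf[256];
    const char *cand[5];
    struct req r = { NULL, def, vhost, "/foo.php" };
    int n = candidates(&r, uri_only, cand, buf, sizeof buf);
    for (int i = 0; i < n; i++)
        for (size_t j = 0; j < sizeof HATS / sizeof HATS[0]; j++)
            if (strcmp(cand[i], HATS[j]) == 0)
                return HATS[j];
    return NULL;
}

int main(void)
{
    for (int m = 1; m >= 0; m--)
        printf("uri_only=%d: a=%s b=%s\n", m, hat_for("a.example", "vhost_a", m),
               hat_for("b.example", "vhost_b", m));
    return 0;
}
```

With the URI considered first, both vhosts land in the `/foo.php` hat written for vhost a; with AADefaultHatName ahead of the URI, each request stays in its own vhost hat.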

Steve Beattie (sbeattie) on 2014-06-12
no longer affects: apparmor/2.9
Steve Beattie (sbeattie) wrote :

Fix committed in lp:apparmor rev 2550 for trunk. Apparmor 2.8 version of the patch is still awaiting review upstream.

Steve Beattie (sbeattie) wrote :

Fix committed in lp:apparmor/2.8 rev 2130.

Christian Boltz (cboltz) wrote :

2.8.4 was released some days ago.

Changed in apparmor:
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.
