On Wed, Jun 18, 2014 at 05:44:03PM -0700, Steve Beattie wrote:
> Allow apache hats to receive signals from unconfined.
>
> [I'm on the fence about this. On the one hand, unconfined should be able
> to kill things in hats. On the other, using apache2ctl/apachectl is
> preferred to shut down apache, and it uses the apache binary itself (and
> the profile it runs under) to kill its children.]

Without this, a sysadmin or automated monitoring tools attempting to send signals to Apache will fail by default. For example, "pkill -U www-data" wouldn't work. This is, I think, extremely unexpected.

Also, manipulating the system from "unconfined" has been a long-standing "not protected" state in AppArmor (e.g. setting up hardlinks that bypass path rules), so it seems strange to start trying to protect a profile from "unconfined" only for signals.

-Kees

> > --- > profiles/apparmor.d/abstractions/apache2-common | 2 ++ > 1 file changed, 2 insertions(+) > > Index: b/profiles/apparmor.d/abstractions/apache2-common > =================================================================== > --- a/profiles/apparmor.d/abstractions/apache2-common > +++ b/profiles/apparmor.d/abstractions/apache2-common > @@ -4,6 +4,8 @@ > > #include <abstractions/nameservice> > > + # Allow unconfined processes to send us signals by default > + signal (receive) peer=unconfined, > # Allow apache to send us signals by default > signal (receive) peer=/usr/sbin/apache2, > # Allow us to signal ourselves > >
>
> --
> AppArmor mailing list
> AppArmor@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor

--
Kees Cook
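
Review bot: The added `signal (receive) peer=unconfined,` rule at the top of the signal rules carries no `set=` restriction, so every profile or hat that includes this abstraction accepts any signal from unconfined, not only the termination signals the description talks about. That matches the existing `peer=/usr/sbin/apache2` rule directly below it, so if the breadth is intended, the comment above the new rule should say so and give the reason (administrators and monitoring tools signalling Apache from outside apachectl); otherwise narrow it with a `set=(...)` list.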