grsecurity forums

Here is an apache ACL we developed that we're contributing to everyone, hope you guys find it useful. I'm curious to find out the community's ideas on the possibility of confining web applications (php perl etc..) applications on a per virtualhost bases dynamically. I'm really looking forward to your comments and contribution to build a better policy and fortunately we could intergrate this as a default policy in the next gradm release .

Sincerely,

CookieMonster.

Code: Select all

subject /usr/sbin/apache2 op {
    /usr/share r
    /etc r
    /etc/grsec h
    /etc/ld.so.cache r
    /tmp rwxcld
    /lib rx
    /usr/lib rx
    /var/lib/php5/ rxwcd
    /var/log/apache2 a
    /var/log/apache a
    /var/run/apache.pid wclrd
    /var/run/apache2.pid wclrd
    /var/run/apache2 crwxdl
    /var/www rxwlcd
    /proc r
    /proc/meminfo r
    /proc/filesystems  r
    /proc/sys/kernel r
    /dev/null rw
    /dev/urandom rx
    /bin/dash rx
    /usr/bin/cronolog rx
    /usr/sbin/apache2 rx
    /usr/sbin/sendmail rx
    /usr/sbin/postdrop rx
    /
    -CAP_ALL
    +CAP_DAC_OVERRIDE
    +CAP_KILL
    +CAP_SETGID
    +CAP_SETUID
    +CAP_NET_BIND_SERVICE
    +CAP_CHOWN
    RES_CRASH 1 10m
    connect 0.0.0.0:3306 stream tcp ip
    connect 0.0.0.0/0:80 stream tcp ip
    connect 0.0.0.0/0:53 dgram udp
    bind 0.0.0.0/0:80 stream tcp
    bind 0.0.0.0/0:443 stream tcp
}
subject /usr/sbin/apache2:/bin/dash {
    / r
    /usr/bin/cronolog x
    /usr/sbin/sendmail x
    /usr/sbin/postdrop x
    /usr/bin h
    /bin h
    /usr/sbin h
    /sbin h
    /etc/grsec h
    connect disabled
    bind disabled
    -CAP_ALL
}

subject /usr/sbin/apache2:/bin/dash:/usr/bin/cronolog {
    / h
    /mnt/log rwcdl
    connect disabled
    bind disabled
    -CAP_ALL
}

subject /usr/sbin/apache2:/bin/dash:/usr/sbin/sendmail {
    / rwxlcd
    /etc/grsec h
    connect 0.0.0.0/0:25 stream ip tcp
    connect 0.0.0.0/0:0 dgram ip tcp
    bind 0.0.0.0/0:0 dgram ip
    -CAP_ALL
}

subject /usr/sbin/apache2:/usr/sbin/sendmail {
     / rwxlcd
    /usr/sbin/postdrop x
    /usr/bin h
    /bin h
    /usr/sbin h
    /sbin h
    /etc/grsec h
    connect disabled
    bind disabled
    -CAP_ALL
}

subject /usr/sbin/apache2:/usr/sbin/sendmail:/usr/sbin/postdrop {
     / rwxlcd
    /usr/bin h
    /bin h
    /usr/sbin h
    /sbin h
    /etc/grsec h
    connect disabled
    bind disabled
    -CAP_ALL
}

The
/ rwxlcd
objects are quite dangerous, despite only appearing in nested subjects. I'd recommend using subject-based learning on these subjects to tighten them down some.
Also, I don't know about the layout of /var/lib/php5, but:
/var/lib/php5/ rxwcd
is also dangerous.
/var/run/apache2 crwxdl
is execute needed there?

Wherever possible, the existence of writable and executable paths should be avoided.

-Brad