A NovellĀ® AppArmor profile represents the security policy for an individual program
instance or process. It applies to an executable program, but if a portion of
the program needs different access permissions than other portions, the
program can change hats
to use a different security context,
distinctive from the access of the main program. This is known as a
hat or subprofile.
ChangeHat enables programs to change to or from a hat
within a Novell AppArmor profile. It enables you to define security at a finer level
than the process.
This feature requires that each application be made ChangeHat
aware
meaning that it is modified to make a request to the Novell AppArmor
module to switch security domains at arbitrary times during the application
execution. Two examples for ChangeHat-aware applications are the Apache Web
server and Tomcat.
A profile can have an arbitrary number of subprofiles, but there are only two levels: a subprofile cannot have further sub-subprofiles. A subprofile is written as a separate profile and named as the containing profile followed by the subprofile name, separated by a ^. Subprofiles must be stored in the same file as the parent profile.
Note that the security of hats is considerably weaker than that of full profiles. That is to say, if an attacker can find just the right kind of bug in a program, they may be able to escape from a hat into the containing profile. This is because the security of hats is determined by a secret key handled by the containing process, and the code running in the hat must not have access to the key. Thus change_hat is most useful in conjunction with application servers, where a language interpreter (such as PERL, PHP, or Java) is isolating pieces of code such that they do not have direct access to the memory of the containing process.
The rest of this chapter describes using change_hat in conjunction with Apache, to contain web server components run using mod_perl and mod_php. Similar approaches can be used with any application server by providing an application module similar to the mod_apparmor described next in Section 5.2.2, Location and Directory Directives.
NOTE: For More Information
For more information, see the change_hat man page.