mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity
apparmor/changehat/mod_apparmor/mod_apparmor.c

373 lines
11 KiB
C
Raw Permalink Normal View History

as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
/*
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
* Copyright (c) 2004, 2005, 2006 NOVELL (All rights reserved)
*
* The mod_apparmor module is licensed under the terms of the GNU
* Lesser General Public License, version 2.1. Please see the file
* COPYING.LGPL.
*
* mod_apparmor - (apache 2.0.x)
* Author: Steve Beattie <sbeattie@suse.de>
*
* This currently only implements change_hat functionality, but could be
* extended for other stuff we decide to do.
*/
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
#include "http_request.h"
#include "http_log.h"
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
#include "http_main.h"
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
#include "http_protocol.h"
#include "util_filter.h"
#include "apr.h"
#include "apr_strings.h"
#include "apr_lib.h"
From: Jeff Mahoney <jeffm@suse.com> Rip out a little bit of crufty old compatibility code with immunix.h and support directly building with in-tree libapparmor.
2011-02-08 08:18:36 -08:00
#include <apparmor.h>
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
#include <unistd.h>
/* #define DEBUG */
#ifndef __unused
#define __unused __attribute__((unused))
#endif
/* should the following be configurable? */
#define DEFAULT_HAT "HANDLING_UNTRUSTED_INPUT"
#define DEFAULT_URI_HAT "DEFAULT_URI"
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
/* Compatibility with apache 2.2 */
#if AP_SERVER_MAJORVERSION_NUMBER == 2 && AP_SERVER_MINORVERSION_NUMBER < 3
mod_apparmor: use trace1 loglevel for developer-oriented debug messages Merged from trunk revno: 2331 Apache 2.4 added addition logging levels. This patch converts some of the log messages that are more intended for mod_apparmor development and debugging than for sysadmins configuring mod_apparmor to use trace1 (APLOG_TRACE1) level instead. Since apache 2.2. does not contain this level (or define), we define it back to APLOG_DEBUG. Patch history: v1: initial version v2: mark a couple of additional log messages as trace1 level For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:38:04 -08:00
#define APLOG_TRACE1 APLOG_DEBUG
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
server_rec *ap_server_conf = NULL;
#endif
#ifdef APLOG_USE_MODULE
APLOG_USE_MODULE(apparmor);
#endif
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
module AP_MODULE_DECLARE_DATA apparmor_module;
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
static unsigned long magic_token = 0;
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
static int inside_default_hat = 0;
typedef struct {
const char * hat_name;
char * path;
} immunix_dir_cfg;
typedef struct {
const char * hat_name;
int is_initialized;
} immunix_srv_cfg;
/* immunix_init() gets invoked in the post_config stage of apache.
* Unfortunately, apache reads its config once when it starts up, then
* it re-reads it when goes into its restart loop, where it starts it's
* children. This means we cannot call change_hat here, as the modules
* memory will be wiped out, and the magic_token will be lost, so apache
* wouldn't be able to change_hat back out. */
static int
immunix_init (apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
{
apr_file_t * file;
apr_size_t size = sizeof (magic_token);
int ret;
ret = apr_file_open (&file, "/dev/urandom", APR_READ, APR_OS_DEFAULT, p);
if (!ret) {
apr_file_read (file, (void *) &magic_token, &size);
apr_file_close (file);
} else {
mod_apparmor: include errno in log messages for failures Merged from trunk revno: 2340 This patch includes the errno in the log messages generated by two different failed aa_change_hat() calls and the failure to open /dev/urandom to get the random token, to further ease failure diagnosis. 2.8 Note: did not apply cleanly, required manual adjustment. For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:51:11 -08:00
ap_log_error(APLOG_MARK, APLOG_ERR, errno, ap_server_conf,
"Failed to open /dev/urandom");
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
}
mod_apparmor: use trace1 loglevel for developer-oriented debug messages Merged from trunk revno: 2331 Apache 2.4 added addition logging levels. This patch converts some of the log messages that are more intended for mod_apparmor development and debugging than for sysadmins configuring mod_apparmor to use trace1 (APLOG_TRACE1) level instead. Since apache 2.2. does not contain this level (or define), we define it back to APLOG_DEBUG. Patch history: v1: initial version v2: mark a couple of additional log messages as trace1 level For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:38:04 -08:00
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "Opened /dev/urandom successfully");
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
return OK;
}
/* As each child starts up, we'll change_hat into a default hat, mostly
* to protect ourselves from bugs in parsing network input, but before
* we change_hat to the uri specific hat. */
static void
immunix_child_init (apr_pool_t *p, server_rec *s)
{
int ret;
mod_apparmor: improve initial and exit aa_change_hat call log message Merge from trunk revno: 2334 This patch adds the name of the hat to the log message about the initial aa_change_hat call, just to be explicit about what's happening when debugging and changes the formatting slightly of the exiting change_hat log message. Patch history: v1: initial version v2: tweak output of exit trace message For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:42:12 -08:00
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf,
"init: calling change_hat with '%s'", DEFAULT_HAT);
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
ret = aa_change_hat(DEFAULT_HAT, magic_token);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
if (ret < 0) {
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
aa_change_hat(NULL, magic_token);
mod_apparmor: include errno in log messages for failures Merged from trunk revno: 2340 This patch includes the errno in the log messages generated by two different failed aa_change_hat() calls and the failure to open /dev/urandom to get the random token, to further ease failure diagnosis. 2.8 Note: did not apply cleanly, required manual adjustment. For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:51:11 -08:00
ap_log_error(APLOG_MARK, APLOG_ERR, errno, ap_server_conf,
"Failed to change_hat to '%s'", DEFAULT_HAT);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
} else {
inside_default_hat = 1;
}
}
static void
mod_apparmor: convert debug_dump_uri to use trace loglevel Merge from trunk revno: 2332 This patch converts the debug_dump_uri() function to use the trace loglevels and enable it all the time, rather than just when DEBUG is defined at compile time. For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:39:21 -08:00
debug_dump_uri(request_rec *r)
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
{
mod_apparmor: convert debug_dump_uri to use trace loglevel Merge from trunk revno: 2332 This patch converts the debug_dump_uri() function to use the trace loglevels and enable it all the time, rather than just when DEBUG is defined at compile time. For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:39:21 -08:00
apr_uri_t *uri = &r->parsed_uri;
if (uri)
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "Dumping uri info "
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
"scheme='%s' host='%s' path='%s' query='%s' fragment='%s'",
uri->scheme, uri->hostname, uri->path, uri->query,
uri->fragment);
else
mod_apparmor: convert debug_dump_uri to use trace loglevel Merge from trunk revno: 2332 This patch converts the debug_dump_uri() function to use the trace loglevels and enable it all the time, rather than just when DEBUG is defined at compile time. For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:39:21 -08:00
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "Asked to dump NULL uri");
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
}
mod_apparmor: convert debug_dump_uri to use trace loglevel Merge from trunk revno: 2332 This patch converts the debug_dump_uri() function to use the trace loglevels and enable it all the time, rather than just when DEBUG is defined at compile time. For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:39:21 -08:00
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
/*
immunix_enter_hat will attempt to change_hat in the following order:
(1) to a hatname in a location directive
(2) to the uri
(3) to a per-server default
(4) to DEFAULT_URI
(5) back to the parent profile
*/
static int
immunix_enter_hat (request_rec *r)
{
int sd_ret = -1;
immunix_dir_cfg * dcfg = (immunix_dir_cfg *)
ap_get_module_config (r->per_dir_config, &apparmor_module);
immunix_srv_cfg * scfg = (immunix_srv_cfg *)
ap_get_module_config (r->server->module_config, &apparmor_module);
mod_apparmor: convert debug_dump_uri to use trace loglevel Merge from trunk revno: 2332 This patch converts the debug_dump_uri() function to use the trace loglevels and enable it all the time, rather than just when DEBUG is defined at compile time. For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:39:21 -08:00
debug_dump_uri(r);
mod_apparmor: use trace1 loglevel for developer-oriented debug messages Merged from trunk revno: 2331 Apache 2.4 added addition logging levels. This patch converts some of the log messages that are more intended for mod_apparmor development and debugging than for sysadmins configuring mod_apparmor to use trace1 (APLOG_TRACE1) level instead. Since apache 2.2. does not contain this level (or define), we define it back to APLOG_DEBUG. Patch history: v1: initial version v2: mark a couple of additional log messages as trace1 level For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:38:04 -08:00
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "in immunix_enter_hat (%s) n:0x%lx p:0x%lx main:0x%lx",
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
dcfg->path, (unsigned long) r->next, (unsigned long) r->prev,
(unsigned long) r->main);
/* We only call change_hat for the main request, not subrequests */
if (r->main)
return OK;
if (inside_default_hat) {
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
aa_change_hat(NULL, magic_token);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
inside_default_hat = 0;
}
if (dcfg != NULL && dcfg->hat_name != NULL) {
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat [dcfg] %s", dcfg->hat_name);
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
sd_ret = aa_change_hat(dcfg->hat_name, magic_token);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
if (sd_ret < 0) {
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
aa_change_hat(NULL, magic_token);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
} else {
return OK;
}
}
mod_apparmor: fix AADefaultHatName storage Merge from trunk revno: 2335 When defining an AADefaultHatName entry, it was being stored in the passed mconfig location, which is not the module specific server config, but instead the top level (i.e. no path defined) default directory/location config. This would be superceded by a more specific directory config if it applied to the request. Thus, if an AAHatName was defined that applied, but the named hat was not defined in the apparmor policy, mod_apparmor would not attempt to fall back to the defined AADefaultHatName, but instead jump directly to trying the DEFAULT_URI hat. This patch fixes it by storing the defined AADefaultHatName correctly in the module specific storage in the related server data structure. It also adds a bit of developer debugging statements. For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:43:37 -08:00
if (scfg) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "Dumping scfg info: "
"scfg='0x%lx' scfg->hat_name='%s'",
(unsigned long) scfg, scfg->hat_name);
} else {
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "scfg is null");
}
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
if (scfg != NULL && scfg->hat_name != NULL) {
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat [scfg] %s", scfg->hat_name);
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
sd_ret = aa_change_hat(scfg->hat_name, magic_token);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
if (sd_ret < 0) {
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
aa_change_hat(NULL, magic_token);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
} else {
return OK;
}
}
mod_apparmor: try uri hat after AADefaultHatName, not before Bug: https://bugs.launchpad.net/bugs/1322778 Between the apparmor 2.8.2 and 2.8.3, a bug was fixed in mod_apparmor (in 2.8 revno 2120) that corrected the storage location for AADefaultHatName. The incorrect storage caused the hat specified by the AADefaultHatName keyword to be the default value for AAHatName, and meant that if both an AAHatName and an AADefaultHatName entry were given in a vhost, mod_apparmor would not fall back to trying AADefaultHatName if the hat specified in AAHatName did not exist in the apache apparmor profile. However, because the value specified in AADefaultHatName was the default, if no AAHatName was specified, it would be attempted first, before a hat based on the passed URI, rather than after as the documentation stated and the code intended. By fixing the storage bug, the attempted hat ordering now matched the documentation. But a number of users came to rely on AADefaultHatName being attempted before the URI. Additionally, because the 2.8 mod_apparmor attempts each hat individually (rather than use the aa_change_hatv like trunk's mod_apparmor), each attempt with the URI-based hatname is logged by the kernel portion of apparmor, making system logs particularly noisy those same users. This patch re-adjusts the ordering so that the URI-based hat is attempted after the hat specified by AADefaultHatName is attempted, thus maintaining the actual behavior before the bug addressed in revno 2120 was fixed. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> Bug: https://launchpad.net/bugs/1322778
2014-07-10 10:08:24 -07:00
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat [uri] %s", r->uri);
sd_ret = aa_change_hat(r->uri, magic_token);
if (sd_ret < 0) {
aa_change_hat(NULL, magic_token);
} else {
return OK;
}
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat DEFAULT_URI");
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
sd_ret = aa_change_hat(DEFAULT_URI_HAT, magic_token);
if (sd_ret < 0) aa_change_hat(NULL, magic_token);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
return OK;
}
static int
immunix_exit_hat (request_rec *r)
{
int sd_ret;
immunix_dir_cfg * dcfg = (immunix_dir_cfg *)
ap_get_module_config (r->per_dir_config, &apparmor_module);
/* immunix_srv_cfg * scfg = (immunix_srv_cfg *)
ap_get_module_config (r->server->module_config, &apparmor_module); */
mod_apparmor: improve initial and exit aa_change_hat call log message Merge from trunk revno: 2334 This patch adds the name of the hat to the log message about the initial aa_change_hat call, just to be explicit about what's happening when debugging and changes the formatting slightly of the exiting change_hat log message. Patch history: v1: initial version v2: tweak output of exit trace message For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:42:12 -08:00
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "exiting change_hat: dir hat %s dir path %s",
dcfg->hat_name, dcfg->path);
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
aa_change_hat(NULL, magic_token);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
sd_ret = aa_change_hat(DEFAULT_HAT, magic_token);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
if (sd_ret < 0) {
mod_apparmor: convert change_hat to aa_change_hat() Merge from trunk revno: 2333 mod_apparmor never got converted to use the renamed aa_change_hat() call (there's a compatibility macro in sys/apparmor.h); this patch does that as well as converting the type of the magic_token to long from int. (This patch is somewhat mooted by a later patch in the series to convert to using aa_change_hatv(), but would be a safer candidate for e.g. the 2.8 branch.) For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:40:57 -08:00
aa_change_hat(NULL, magic_token);
mod_apparmor: include errno in log messages for failures Merged from trunk revno: 2340 This patch includes the errno in the log messages generated by two different failed aa_change_hat() calls and the failure to open /dev/urandom to get the random token, to further ease failure diagnosis. 2.8 Note: did not apply cleanly, required manual adjustment. For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:51:11 -08:00
ap_log_rerror(APLOG_MARK, APLOG_ERR, errno, r,
"Failed to change_hat to '%s'", DEFAULT_HAT);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
} else {
inside_default_hat = 1;
}
return OK;
}
static const char *
aa_cmd_ch_path (cmd_parms * cmd, void * mconfig, const char * parm1)
{
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, "directory config change hat %s",
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
parm1 ? parm1 : "DEFAULT");
immunix_dir_cfg * dcfg = mconfig;
if (parm1 != NULL) {
dcfg->hat_name = parm1;
} else {
dcfg->hat_name = "DEFAULT";
}
return NULL;
}
static int path_warn_once;
static const char *
immunix_cmd_ch_path (cmd_parms * cmd, void * mconfig, const char * parm1)
{
if (path_warn_once == 0) {
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, "ImmHatName is "
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
"deprecated, please use AAHatName instead");
path_warn_once = 1;
}
return aa_cmd_ch_path(cmd, mconfig, parm1);
}
static const char *
aa_cmd_ch_srv (cmd_parms * cmd, void * mconfig, const char * parm1)
{
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, "server config change hat %s",
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
parm1 ? parm1 : "DEFAULT");
mod_apparmor: fix AADefaultHatName storage Merge from trunk revno: 2335 When defining an AADefaultHatName entry, it was being stored in the passed mconfig location, which is not the module specific server config, but instead the top level (i.e. no path defined) default directory/location config. This would be superceded by a more specific directory config if it applied to the request. Thus, if an AAHatName was defined that applied, but the named hat was not defined in the apparmor policy, mod_apparmor would not attempt to fall back to the defined AADefaultHatName, but instead jump directly to trying the DEFAULT_URI hat. This patch fixes it by storing the defined AADefaultHatName correctly in the module specific storage in the related server data structure. It also adds a bit of developer debugging statements. For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:43:37 -08:00
immunix_srv_cfg * scfg = (immunix_srv_cfg *)
ap_get_module_config(cmd->server->module_config, &apparmor_module);
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
if (parm1 != NULL) {
scfg->hat_name = parm1;
} else {
scfg->hat_name = "DEFAULT";
}
return NULL;
}
static int srv_warn_once;
static const char *
immunix_cmd_ch_srv (cmd_parms * cmd, void * mconfig, const char * parm1)
{
if (srv_warn_once == 0) {
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, "ImmDefaultHatName is "
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
"deprecated, please use AADefaultHatName instead");
srv_warn_once = 1;
}
return aa_cmd_ch_srv(cmd, mconfig, parm1);
}
static void *
immunix_create_dir_config (apr_pool_t * p, char * path)
{
immunix_dir_cfg * newcfg = (immunix_dir_cfg *) apr_pcalloc(p, sizeof(* newcfg));
mod_apparmor: use trace1 loglevel for developer-oriented debug messages Merged from trunk revno: 2331 Apache 2.4 added addition logging levels. This patch converts some of the log messages that are more intended for mod_apparmor development and debugging than for sysadmins configuring mod_apparmor to use trace1 (APLOG_TRACE1) level instead. Since apache 2.2. does not contain this level (or define), we define it back to APLOG_DEBUG. Patch history: v1: initial version v2: mark a couple of additional log messages as trace1 level For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:38:04 -08:00
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "in immunix_create_dir (%s)", path ? path : ":no path:");
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
if (newcfg == NULL) {
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf, "immunix_create_dir: couldn't alloc dir config");
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
return NULL;
}
newcfg->path = apr_pstrdup (p, path ? path : ":no path:");
return newcfg;
}
/* XXX: Should figure out an appropriate action to take here, if any
static void *
immunix_merge_dir_config (apr_pool_t * p, void * parent, void * child)
{
immunix_dir_cfg * newcfg = (immunix_dir_cfg *) apr_pcalloc(p, sizeof(* newcfg));
mod_apparmor: use trace1 loglevel for developer-oriented debug messages Merged from trunk revno: 2331 Apache 2.4 added addition logging levels. This patch converts some of the log messages that are more intended for mod_apparmor development and debugging than for sysadmins configuring mod_apparmor to use trace1 (APLOG_TRACE1) level instead. Since apache 2.2. does not contain this level (or define), we define it back to APLOG_DEBUG. Patch history: v1: initial version v2: mark a couple of additional log messages as trace1 level For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:38:04 -08:00
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "in immunix_merge_dir ()");
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
if (newcfg == NULL)
return NULL;
return newcfg;
}
*/
static void *
immunix_create_srv_config (apr_pool_t * p, server_rec * srv)
{
immunix_srv_cfg * newcfg = (immunix_srv_cfg *) apr_pcalloc(p, sizeof(* newcfg));
mod_apparmor: use trace1 loglevel for developer-oriented debug messages Merged from trunk revno: 2331 Apache 2.4 added addition logging levels. This patch converts some of the log messages that are more intended for mod_apparmor development and debugging than for sysadmins configuring mod_apparmor to use trace1 (APLOG_TRACE1) level instead. Since apache 2.2. does not contain this level (or define), we define it back to APLOG_DEBUG. Patch history: v1: initial version v2: mark a couple of additional log messages as trace1 level For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-02-14 16:38:04 -08:00
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "in immunix_create_srv");
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
if (newcfg == NULL) {
mod_apparmor: fix logging Merge from trunk revno: 2330 The apache2 mod_apparmor module was failing to log debugging messages when the apache loglevel was set to debug or lower (i.e. traceN). This patch fixes it by using ap_log_rerror() (for request specific messages, with the request passed for context) and ap_log_error() (more general messages outside of a request context). Also, the APLOG_USE_MODULE macro is called, to mark the log messages as belonging to the apparmor module, so that the apache 2.4 feature of enabling debug logging for just the apparmor module will work, with an apache configuration entry like: LogLevel apparmor:debug See http://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__LOG.html for specific about the ap_log_*error() and APLOG_USE_MODULE functions and macros, and http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel for the bits about module specific logging. Patch history: v1: initial version v2: - revert to using ap_log_error with (the 2.4 specific) ap_server_conf outside of a request specific context, as the pool specific ap_log_perror messages weren't being reported. - add compatibility workaround for apache 2.2 v3: keep commented out merge function's log call consistent with the others For 2.8: Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de> (on IRC)
2014-02-14 16:35:21 -08:00
ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf, "immunix_create_srv: couldn't alloc srv config");
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
return NULL;
}
return newcfg;
}
static const command_rec immunix_cmds[] = {
AP_INIT_TAKE1 (
"ImmHatName",
immunix_cmd_ch_path,
NULL,
ACCESS_CONF,
""
),
AP_INIT_TAKE1 (
"ImmDefaultHatName",
immunix_cmd_ch_srv,
NULL,
RSRC_CONF,
""
),
AP_INIT_TAKE1 (
"AAHatName",
aa_cmd_ch_path,
NULL,
ACCESS_CONF,
""
),
AP_INIT_TAKE1 (
"AADefaultHatName",
aa_cmd_ch_srv,
NULL,
RSRC_CONF,
""
),
{ NULL }
};
static void
register_hooks (apr_pool_t *p)
{
ap_hook_post_config (immunix_init, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (immunix_child_init, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_access_checker(immunix_enter_hat, NULL, NULL, APR_HOOK_FIRST);
/* ap_hook_post_read_request(immunix_enter_hat, NULL, NULL, APR_HOOK_FIRST); */
ap_hook_log_transaction(immunix_exit_hat, NULL, NULL, APR_HOOK_LAST);
}
module AP_MODULE_DECLARE_DATA apparmor_module = {
STANDARD20_MODULE_STUFF,
immunix_create_dir_config, /* dir config creater */
NULL, /* dir merger --- default is to override */
/* immunix_merge_dir_config, */ /* dir merger --- default is to override */
immunix_create_srv_config, /* server config */
NULL, /* merge server config */
immunix_cmds, /* command table */
register_hooks /* register hooks */
};
Reference in New Issue Copy Permalink