[pkg-apparmor] Adding WordPress apache profile

intrigeri intrigeri at debian.org
Wed Jun 2 09:24:24 BST 2021


Hi,

Craig Small (2021-05-26):
> I have for some time run an apparmor profile for WordPress on my own
> system.  It basically uses apache hat to switch to the WordPress profile
> and then locks access down to the files WordPress needs.  I think it's a
> worthwhile addition and given how many WordPress bugs there are out there,
> would be quite useful.

Sweet!

As an introductory note, the general strategy I've chosen for AppArmor
in Debian is to only ship policy enforced by default if it's going to
work as-is for the vast majority of use cases: I don't want "disable
AppArmor" to become the 1st step of debugging suggested to users
facing any kind of trouble. So IMO, AppArmor policy for WordPress
should either be rock solid in all common configurations, or opt-in.
I see WordPress has support for plugins, which worries me a bit:
there's a chance that plugins require extra permissions and it might
be difficult to cover all commonly used ones. I see the approach
you're considering is opt-in, which I like.

Note that I'm not very familiar with Apache + AppArmor: I don't use
Apache and I have only a basic understanding of the mechanisms in
play. I'll try to share some insight but I'm afraid I won't be a good
person to help much here.

> The question is, how?  The simplest way is to just stick the file into the
> examples directory in the wordpress package but this isn't user friendly.
> My concern is if I just install the profile into /etc/apparmor.d/apache2.d
> then it might create directories for systems not using apparmor.

Personally I'm not worried about adding a couple of directories and a few
KiB on systems that have WordPress installed, even if the
administrator opted-out from AppArmor. In passing, the documented way
to disable AppArmor is on the kernel command line, not by
de-installing the apparmor package, so most of those who opted-out
from AppArmor have these directories anyway.

> The other piece of the puzzle is apache configuration needs to enable the
> hat for specific directories, I suspect that might be a README.

Sounds good! As a bonus, this makes the WordPress hat opt-in, which
I think is great to start with.

Finally, I see another webapp ships an AppArmor hat:
kopano-webapp-apache2 (/etc/apparmor.d/apache2.d/kopano-webapp).
It might be a good source of inspiration, and the people who've set
this up may be able to help you better than I can :)

Cheers,
-- 
intrigeri
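Added example (not from this thread, and not the Debian wordpress package's own profile): what the opt-in setup sketched above looks like in practice, i.e. a hat file dropped into /etc/apparmor.d/apache2.d plus the Apache snippet that selects the hat per directory. The hat is written as `^wordpress { ... }` rather than a stand-alone profile because Debian's usr.sbin.apache2 profile pulls the apache2.d directory in with `#include <apache2.d>`. The paths (/usr/share/wordpress, /etc/wordpress, /var/lib/wordpress/wp-content, /run/mysqld/mysqld.sock), the abstraction names and the `wordpress-apparmor` conf name are assumptions for a current Debian install; adjust them to yours.

```shell
#!/bin/sh
# Added example: generate an opt-in AppArmor hat for WordPress running under
# Apache + mod_php, and the Apache config that switches requests into it.
# Paths and abstraction names below are assumed (Debian layout), not taken
# from the wordpress package itself.
set -eu

# The hat: included into the main /usr/sbin/apache2 profile, so it is a
# ^hat block, not a top-level profile. Read-only core, writable wp-content.
wordpress_hat() {
  cat <<'EOF'
^wordpress {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/apache2-common>
  #include <abstractions/php>

  # Core code is read-only: a compromised plugin must not rewrite it.
  /usr/share/wordpress/ r,
  /usr/share/wordpress/** r,
  deny /usr/share/wordpress/** w,

  # Site config (DB credentials) is read-only too.
  /etc/wordpress/ r,
  /etc/wordpress/config-*.php r,

  # Only wp-content (uploads, themes, plugins, cache) is writable.
  /var/lib/wordpress/wp-content/ r,
  /var/lib/wordpress/wp-content/** rwk,
  owner /tmp/** rwk,

  # Database over the local socket; outbound TCP for update checks.
  /run/mysqld/mysqld.sock rw,
  network inet stream,
  network inet6 stream,

  # No shell-outs from inside the hat (covers merged-/usr too).
  deny /bin/** x,
  deny /usr/bin/** x,
}
EOF
}

# Apache side: AAHatName is what makes mod_apparmor call aa_change_hat()
# for requests under this directory. Wrapped in IfModule so the snippet
# is harmless on a host where mod_apparmor is not enabled.
apache_snippet() {
  cat <<'EOF'
<IfModule mod_apparmor.c>
  <Directory /usr/share/wordpress>
    AAHatName wordpress
  </Directory>
</IfModule>
EOF
}

# Write both files under $1 (default "/"). Pointing $1 at a scratch
# directory lets you review the output before touching a live system.
install_files() {
  root="${1:-/}"
  mkdir -p "$root/etc/apparmor.d/apache2.d" "$root/etc/apache2/conf-available"
  wordpress_hat > "$root/etc/apparmor.d/apache2.d/wordpress"
  apache_snippet > "$root/etc/apache2/conf-available/wordpress-apparmor.conf"
}

# Only write to the real filesystem when asked explicitly.
if [ $# -ge 1 ] && [ "$1" = "--install" ]; then
  install_files "${2:-/}"
fi
```

After installing to a live host the remaining steps are `a2enmod apparmor` (package libapache2-mod-apparmor), `a2enconf wordpress-apparmor`, `apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2` and an Apache reload. Two caveats worth putting in the README: the hat switch only confines the Apache worker process, so with PHP-FPM the PHP side runs outside the hat entirely and this approach only helps with mod_php; and if the named hat cannot be entered, mod_apparmor falls back to the less restrictive hats (AADefaultHatName, then DEFAULT_URI) rather than failing the request, so a misspelled hat name fails open. Confirm the hat is actually in use by provoking a denial (for example a plugin writing under /usr/share/wordpress) and looking for `profile="/usr/sbin/apache2//wordpress"` in the audit log.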
