Profiling Your Web Applications Using Changehat Apache; What Is Changehat; Apache Changehat - Novell APPARMOR Admin Manual


Chapter 6 Profiling Your Web Applications Using ChangeHat Apache
What is ChangeHat?
A Novell AppArmor profile represents the security policy for an individual program instance, or process. It applies to an executable program, but if a portion of the program needs different access permissions than other portions, the program can "change hats" to use a different security context, distinct from the access of the main program. This is known as a hat or subprofile.
ChangeHat enables programs to change to or from a "hat" within a Novell AppArmor profile. It enables you to define security at a finer-grained level than the process.
This feature requires that each application be made "changehat aware," meaning that it is modified to make a request to the Novell AppArmor module to switch security domains at arbitrary times during the application execution.
A profile can have an arbitrary number of subprofiles, but there are only 2 levels: a subprofile cannot have further sub-subprofiles. A subprofile is written as a separate profile, and named as the containing profile followed by the subprofile name, separated by a ^. Subprofiles must be stored in the same file as the parent profile.
Note:
For more information see "man changehat" on your system.
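The naming rules above can be checked mechanically before a profile file is loaded. The following is an added example, not part of the Novell manual: a small Python linter that assumes each profile begins on its own line as "name {". The function name lint_hats, the sample profile text and the /usr/bin/orphan path are constructed for illustration.

```python
import re

# Assumption: every profile starts on its own line as "<name> {".
HEADER = re.compile(r"^[ \t]*(\S+)[ \t]*\{[ \t]*$", re.MULTILINE)

def lint_hats(profile_text):
    """Check one profile file against the subprofile naming rules.

    Returns (hats, problems); hats maps parent profile -> list of hat names.
    """
    names = HEADER.findall(profile_text)
    parents = {n for n in names if "^" not in n}
    hats, problems = {}, []
    for name in names:
        if "^" not in name:
            continue  # an ordinary (parent) profile
        parent, _, hat = name.partition("^")
        if not parent or not hat:
            problems.append(f"{name}: missing parent or hat name")
        elif "^" in hat:
            # Only two levels exist: a hat cannot have its own hat.
            problems.append(f"{name}: only two levels, a hat cannot have its own hat")
        elif parent not in parents:
            # Hats must live in the same file as the parent profile.
            problems.append(f"{name}: parent {parent} is not defined in this file")
        else:
            hats.setdefault(parent, []).append(hat)
    return hats, problems

# Constructed sample file: one valid hat, one nested hat, one orphaned hat.
SAMPLE = """\
/usr/sbin/httpd2-prefork {
  /etc/apache2/** r,
}
/usr/sbin/httpd2-prefork^phpsysinfo-dev {
  /proc/meminfo r,
}
/usr/sbin/httpd2-prefork^phpsysinfo-dev^images {
  /srv/www/** r,
}
/usr/bin/orphan^upload {
  /tmp/** rw,
}
"""

if __name__ == "__main__":
    hats, problems = lint_hats(SAMPLE)
    print(hats)
    for p in problems:
        print("PROBLEM:", p)
```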

Apache ChangeHat

Novell provides a mod_change_hat module for the Apache program. The mod_change_hat module works on your SLES 9 system to make the Apache web server become "ChangeHat-aware." It is installed if Apache is on your system. When Apache is ChangeHat-aware, with every URI request that it receives, it checks for the following customized Novell AppArmor security profiles in the order given:
• URI-specific hat (for example, ^phpsysinfo-dev/templates/classic/images/bar_left.gif)