httpd-dev mailing list archives

From KaiGai Kohei <>
Subject Re: [PATCH 47021] A new MPM (security) and mod_selinux module
Date Wed, 15 Apr 2009 08:04:33 GMT
I noticed it is implementable as a module for httpd-2.2.x, without mpm support.
The following code is a proof-of-concept of the new approach.

The selinux_process_connection is a hook of the process_connection which
is called for each connection. It forks a one-time worker process and
assigns individual security context prior to invocation of handlers.

The worker calls ap_run_process_connection() again, however,
the selinux_process_connection just returns DECLINED on the worker's
context, then the standard routines are executed in worker process.

There are no fundamental differences from what I suggested yesterday.
If you have any comments, questions, suggestions and others, please
feel free to point out.


KaiGai Kohei wrote:
> I filed an entry on the bugzilla:
>   * Bug 47021 - A new MPM (security) and mod_selinux module
> It is the first time for me to submit patches in the community,
> please tell me if I did something in an incorrect manner.
> Thanks,
> KaiGai Kohei wrote:
>> KaiGai Kohei wrote:
>>> Stefan Fritsch wrote:
>>>> On Thursday 09 April 2009, Graham Dumpleton wrote:
>>>>> Only you would know that. But then, I could be pointing you at the
>>>>> wrong MPM. There is from memory another by another name developed
>>>>> outside of ASF which intends to do the same thing. The way it is
>>>>> implemented is probably going to be different and may be the one I
>>>>> am actually thinking of. I can't remember the name of it right now.
>>>> Maybe you mean MPM itk, which can change to different users for 
>>>> different vhosts?
>>> Thanks for your information.
>>> It is designed on the prefork. It makes a child process for each
>>> connection to call ap_process_connection() in separated context,
>>> and the parent waits for the completion of this.
>>> In addition, it assigns configured uid/gid on the header_parser hook,
>>> then contents handlers are invoked.
>>> It seems to me that we can share its basic idea and design.
>>> The mpm-itk also has two separable functionalities:
>>>  1. it makes a process for each connection.
>>>  2. it assigns privileges on a process.
>>> I believe we are now on the right direction.
>> At first, I planned to implement a new mpm from scratch, but I
>> reconsidered it may be a burden for the reviewers, so the attached
>> patch is implemented as an enhancement of the latest prefork.
>> (I guess it is a preferable manner.)
>> The first attached patch adds a new "security" mpm which enables to
>> launch a new process for each connection, and gives a chance to assign
>> appropriate privileges for external modules. The newly spawned process
>> is always one-time purpose, because SELinux does not allow to revert
>> its privileges.
>> The second patch is an implementation of the mod_selinux module which
>> assigns the working process a security context based on authentication
>> process at the fixups hook, prior to invocations of contents handler.
>>   Step to apply the patches:
>>   % svn co httpd-devel
>>   % cd httpd-devel
>>   % mkdir -p server/mpm/security
>>   % cp -f server/mpm/prefork/prefork.c server/mpm/security
>>   % cp -f server/mpm/prefork/mpm_default.h server/mpm/security
>>   % cat ~/apache-httpd-security-mpm.1.patch | patch -p1
>>   % cat ~/apache-httpd-mod_selinux.1.patch | patch -p1
>>   (*) The attached patch contains only differences from the prefork.
>> I would like to push this kind of features to the upstreamed httpd
>> eventually. If you have any suggestion, please feel free to comment.
>> Thanks,

OSS Platform Development Division, NEC
KaiGai Kohei <>
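
The control flow described in the message above (hook forks a one-time worker, the worker takes its context and re-runs the hook chain, the hook declines on that second pass, the parent waits), as an added stand-alone sketch that is neither the author's proof-of-concept nor httpd code. All names, the `HOOK_*` codes and `assign_context()` are hypothetical stand-ins; the real context change is assumed to be libselinux's `setcon()`, and failing closed when it fails is a choice made in this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Local stand-ins for httpd's hook return codes. */
enum { HOOK_OK = 0, HOOK_DECLINED = -1, HOOK_ERROR = 500 };
static int in_worker = 0; /* set only inside the forked one-time worker */

/* Hypothetical placeholder for the irreversible context change (assumed: setcon()). */
static int assign_context(const char *ctx) {
    return (ctx != NULL && ctx[0] != '\0') ? 0 : -1;
}

/* Stand-in for the standard routines that run once the hook declines. */
static int core_process_connection(int conn_id) {
    return conn_id >= 0 ? HOOK_OK : HOOK_ERROR;
}

static int selinux_hook(int conn_id, const char *ctx);

/* First non-DECLINED hook wins, as with ap_run_process_connection(). */
static int run_process_connection(int conn_id, const char *ctx) {
    int rc = selinux_hook(conn_id, ctx);
    return rc != HOOK_DECLINED ? rc : core_process_connection(conn_id);
}

static int selinux_hook(int conn_id, const char *ctx) {
    pid_t pid; int status;
    if (in_worker)
        return HOOK_DECLINED; /* second pass, already in the worker */
    fflush(NULL);             /* do not duplicate buffered output */
    if ((pid = fork()) < 0)
        return HOOK_ERROR;
    if (pid == 0) {           /* one-time worker: never returns to the caller */
        in_worker = 1;
        if (assign_context(ctx) != 0)
            _exit(2);         /* fail closed: no service under the parent's context */
        _exit(run_process_connection(conn_id, ctx) == HOOK_OK ? 0 : 1);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return HOOK_ERROR;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? HOOK_OK : HOOK_ERROR;
}

int main(void) { /* constructed context string, not a real policy label */
    return run_process_connection(1, "constructed_u:constructed_r:constructed_t:s0") == HOOK_OK ? 0 : 1;
}
```

Because the worker exits after one connection, the parent keeps its original context and `in_worker` stays 0 there, so each new connection forks again.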
