httpd-dev mailing list archives

From KaiGai Kohei <kai...@ak.jp.nec.com>
Subject Re: [PATCH 47021] A new MPM (security) and mod_selinux module
Date Fri, 17 Apr 2009 07:43:23 GMT
Folks,

Now we have a few approaches to support SELinux.
Which is preferable to get upstreamed?

1. The idea of mpm_security
 It spawns a new process for each connection. It gives third-party modules
 a chance to assign appropriate privileges prior to invocation of the handler.
 MERIT:
  - It can be good news for other modules which intend to do similar things
    such as virtual-host level privileges and so on.

 DEMERIT:
  - It requires us to maintain an original MPM, although most of them are
    delivered from other one (prefork?).

2. The idea of mod_selinux
 It overrides the process_connection hook, and spawns a new worker thread
 (or process). The worker goes in the hook again, then the module assigns
 an appropriate privilege prior to invocation of the handler.
 MERIT:
  - Its code size is quite a bit smaller than the first approach.
    About 70 lines of code are enough to spawn a one-time thread.
    http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.c#267

 DEMERIT:
  - Needless to say, it is not good news for other modules.

Thanks,

KaiGai Kohei wrote:
> I noticed it is implementable as a module for httpd-2.2.x, without mpm support.
> The following code is a proof-of-concept of the new approach.
> 
>   http://code.google.com/p/sepgsql/source/browse/misc/mod_selinux/mod_selinux.c#312
> 
> The selinux_process_connection is a hook of the process_connection which
> is called for each connection. It forks a one-time worker process and
> assigns an individual security context prior to invocation of handlers.
> 
> The worker calls ap_run_process_connection() again, however,
> the selinux_process_connection just returns DECLINED on the worker's
> context, then the standard routines are executed in worker process.
> 
> There are no fundamental differences from what I suggested yesterday.
> If you have any comments, questions, suggestions and others, please
> feel free to point out.
> 
> Thanks,
> 
> KaiGai Kohei wrote:
>> I filed an entry on the bugzilla:
>>   * Bug 47021 - A new MPM (security) and mod_selinux module
>>   https://issues.apache.org/bugzilla/show_bug.cgi?id=47021
>>
>> It is the first time for me to submit patches in the community,
>> please tell me if I did something in an incorrect manner.
>>
>> Thanks,
>>
>> KaiGai Kohei wrote:
>>> KaiGai Kohei wrote:
>>>> Stefan Fritsch wrote:
>>>>> On Thursday 09 April 2009, Graham Dumpleton wrote:
>>>>>> Only you would know that. But then, I could be pointing you at the
>>>>>> wrong MPM. There is from memory another by another name developed
>>>>>> outside of ASF which intends to do the same thing. The way it is
>>>>>> implemented is probably going to be different and may be the one I
>>>>>> am actually thinking of. I can't remember the name of it right now.
>>>>> Maybe you mean MPM itk, which can change to different users for 
>>>>> different vhosts?
>>>>>
>>>>> http://mpm-itk.sesse.net/
>>>> Thanks for your information.
>>>>
>>>> It is designed on the prefork. It makes a child process for each
>>>> connection to call ap_process_connection() in a separate context,
>>>> and the parent waits for the completion of this.
>>>> In addition, it assigns configured uid/gid on the header_parser hook,
>>>> then contents handlers are invoked.
>>>>
>>>> It seems to me that we can share its basic idea and design.
>>>> The mpm-itk also has two separable functionalities:
>>>>  1. it makes a process for each connection.
>>>>  2. it assigns privileges on a process.
>>>>
>>>> I believe we are now on the right direction.
>>> At first, I planned to implement a new mpm from scratch, but I
>>> reconsidered it may be a burden for the reviewers, so the attached
>>> patch is implemented as an enhancement of the latest prefork.
>>> (I guess it is a preferable manner.)
>>>
>>> The first attached patch adds a new "security" mpm which enables
>>> launching a new process for each connection, and gives a chance to assign
>>> appropriate privileges for external modules. The newly spawned process
>>> is always one-time purpose, because SELinux does not allow reverting
>>> its privileges.
>>>
>>> The second patch is an implementation of the mod_selinux module which
>>> assigns the working process a security context based on authentication
>>> process at the fixups hook, prior to invocations of contents handler.
>>>
>>>   Step to apply the patches:
>>>   % svn co http://svn.apache.org/repos/asf/httpd/httpd/trunk httpd-devel
>>>   % cd httpd-devel
>>>   % mkdir -p server/mpm/security
>>>   % cp -f server/mpm/prefork/prefork.c server/mpm/security
>>>   % cp -f server/mpm/prefork/mpm_default.h server/mpm/security
>>>   % cat ~/apache-httpd-security-mpm.1.patch | patch -p1
>>>   % cat ~/apache-httpd-mod_selinux.1.patch | patch -p1
>>>
>>>   (*) The attached patch contains only differences from the prefork.
>>>
>>> I would like to push this kind of features to the upstreamed httpd
>>> eventually. If you have any suggestion, please feel free to comment.
>>>
>>> Thanks,
>>>
>>
> 
> 


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
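
The re-entrant process_connection hook described in this thread, as an added C sketch that is not part of the original message and is not mod_selinux's code. OK and DECLINED follow httpd's hook return convention; conn_t, assign_context(), run_process_connection() and the context strings are hypothetical stand-ins, and the context is assigned right after fork() here rather than at a later hook.

```c
/* Added illustration: one-time worker per connection with a re-entrant hook.
 * assign_context() stands in for the irreversible privilege change (for
 * example setcon()); all names except OK/DECLINED are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define OK            0
#define DECLINED     -1
#define BASE_CONTEXT "httpd_t"           /* constructed label of the server */

typedef struct { const char *user; } conn_t;
static int  in_worker = 0;               /* set only inside the forked worker */
static char current_context[64] = BASE_CONTEXT;

static int assign_context(const conn_t *c) {
    int n = snprintf(current_context, sizeof current_context, "user_%s_t", c->user);
    return n < 0 ? -1 : 0;
}

/* "Standard routines": succeed only when running outside the base context. */
static int default_process_connection(conn_t *c) {
    (void)c;
    return strcmp(current_context, BASE_CONTEXT) != 0 ? OK : 500;
}

static int run_process_connection(conn_t *c);

static int selinux_process_connection(conn_t *c) {
    if (in_worker) return DECLINED;      /* second pass: let the defaults run */
    pid_t pid = fork();
    if (pid < 0) return 500;
    if (pid == 0) {                      /* one-time worker */
        in_worker = 1;
        if (assign_context(c) != 0) _exit(2);   /* fail closed, never serve */
        _exit(run_process_connection(c) == OK ? 0 : 1);
    }
    int status;                          /* parent keeps its own context */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 500;
    return WEXITSTATUS(status) == 0 ? OK : 500;
}

static int run_process_connection(conn_t *c) {
    int rc = selinux_process_connection(c);
    return rc != DECLINED ? rc : default_process_connection(c);
}

int main(void) { conn_t c = { "alice" }; return run_process_connection(&c) == OK ? 0 : 1; }
```

The worker exits after one connection, so the context change never has to be reverted, and the parent's context is untouched because the change happened in the child's address space.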
