mod_apparmor - fine-grained AppArmor confinement for apache


An AppArmor profile applies to an executable program; if a portion of the program needs different access permissions than other portions, the program can change hats via change_hat(2) to a different role, also known as a subprofile. The mod_apparmor apache module uses the change_hat(2) mechanism to offer more fine-grained confinement of dynamic elements within apache such as individual php and perl scripts, while still allowing the performance benefits of using mod_php and mod_perl.

To use mod_apparmor with apache, ensure that mod_apparmor is configured to be loaded into apache, either via yast or manual editing of the httpd(8) configuration files, and restart apache. Make sure that apparmor is also functioning.

Once mod_apparmor is loaded within apache, all requests to apache will cause mod_apparmor to attempt to change into a hat named by the URI (e.g. /app/some.cgi). If no such hat is found, it will fall back to attempting to use the hat DEFAULT_URI; if that also does not exist, it will fall back to using the global apache profile. Most static web pages can simply make use of the DEFAULT_URI hat.

However, defining hats for every URI/URL would become tedious, so there are a couple of configuration options that mod_apparmor supports:
AAHatName AAHatName allows you to specify a hat to be used for a given apache directory or location directive (see the apache documenation for more details). Note that mod_apparmor behavior can become confused if directory and location directives are intermingled; it’s preferred to stick to one type of directive. If the hat specified by AAHatName does not exist in the apache profile, then it falls back to the behavior above.
AADefaultHatName AADefaultHatName allows you to specify a default hat to be used for vhosts and other apache server directives, so that you can have different defaults for different virtual hosts. This can be overridden by an AAHatName directive. If the AADefaultHatName hat does not exist, it falls back to the behavior described above.
Additionally, before any requests come in to apache, mod_apparmor will attempt to change hat into the HANDLING_UNTRUSTED_INPUT hat. mod_apparmor will attempt to use this hat while apache is doing the initial parsing of a given http request, before its given to a specific handler (like mod_php) for processing.


mod_apparmor() currently only supports apache2, and has only been tested with the prefork MPM configuration — threaded configurations of apache may not work correctly.

There are likely other bugs lurking about; if you find any, please report them to bugzilla at <>.


apparmor(7), subdomain.conf(5), apparmor_parser(8), and <>.

openSUSE Logo