5
Profiling Your Web
Applications Using ChangeHat
A Novell® AppArmor profile represents the security policy for an individual program
instance or process. It applies to an executable program, but if a portion of the program
needs different access permissions than other portions, the program can “change hats”
to use a different security context, distinctive from the access of the main program.
This is known as a hat or subprofile.
ChangeHat enables programs to change to or from a hat within a Novell AppArmor
profile. It enables you to define security at a finer level than the process. This feature
requires that each application be made “ChangeHat aware” meaning that it is modified
to make a request to the Novell AppArmor module to switch security domains at arbitrary
times during the application execution. Two examples for ChangeHat-aware applications
are the Apache Web server and Tomcat.
A profile can have an arbitrary number of subprofiles, but there are only two levels: a
subprofile cannot have further sub-subprofiles. A subprofile is written as a separate
profile and named as the containing profile followed by the subprofile name, separated
by a
^
. Subprofiles must be stored in the same file as the parent profile.
Note that the security of hats is considerably weaker than that of full profiles. That is
to say, if an attacker can find just the right kind of bug in a program, they may be able
to escape from a hat into the containing profile. This is because the security of hats is
determined by a secret key handled by the containing process, and the code running in
the hat must not have access to the key. Thus change_hat is most useful in conjunction
with application servers, where a language interpreter (such as PERL, PHP, or Java) is
isolating pieces of code such that they do not have direct access to the memory of the
containing process.
Profiling Your Web Applications Using ChangeHat
75