uWSGI integration with apparmor
This plugin adds feature for applying apparmor profiles to uWSGI instances.
It requires uWSGI >= 2.0.7 and apparmor development headers (libapparmor-dev on Ubuntu)
The plugin is 2.x friendly
uwsgi --build-plugin https://github.com/unbit/uwsgi-apparmorThe plugin exposes the following features:
- applying a profile to the instance with the
--apparmor-profile <name>option - setting apparmor profile from a custom hook with the
apparmor:nameaction - applying a profile to vassals before they are exec'ed
- (Only for uWSGI >= 2.1) applying a profile to vassals before they are exec'ed using emperor attributes (each vassal can have a different profile)
To apply a profile to an instance (remember to load the profile with appamor_parser command line tool)
[uwsgi]
plugin = apparmor
apparmor-profile = funnyprofile
; ensure your profile allow INET usage
socket = 127.0.0.1:3031
; ensure your profile allows write access to /run/foo.pid
pidfile = /run/foo.pid
; ensure your profile allows read access to /var/www/app.psgi
psgi = /var/www/app.psgiTo apply the profile as a hook:
uwsgi --plugin apparmor --hook-as-root apparmor:funnyprofile ...And to apply it to every vassal
[uwsgi]
plugin = apparmor
emperor = vassals
; ensure vassalsprofile allows execution of uwsgi binary
emperor-apparmor = vassalsprofileIf you have uWSGI >= 2.1, you can use emperor attributes to set the apparmor profile:
[emperor]
; this is the profiel to apply to the vassal
apparmor = vassal001
[uwsgi]
; ensure your profile allow INET usage
socket = 127.0.0.1:3031
; ensure your profile allows write access to /run/foo.pid
pidfile = /run/foo.pid
; ensure your profile allows read access to /var/www/app.psgi
psgi = /var/www/app.psgithen run the Emperor
uwsgi --plugin apparmor --emperor vassals --emperor-collect-attr apparmor --emperor-apparmor-attr apparmorremember to specify which attr to collect and to use (yes it seems redundant, one day this could be improved ...)