From 6a5432b2b09bf3c08f276ab6bd78b471b1aa35da Mon Sep 17 00:00:00 2001 From: Christian Pfeiffer Date: Wed, 30 Oct 2024 09:39:37 +0100 Subject: [PATCH] profiles: add support for ArchLinux php-legacy package to php-fpm ArchLinux ships a secondary PHP package called php-legacy with different paths. As of now, the php-fpm profile will cover this binary but inadequately restrict it. Fixes: #454 --- profiles/apparmor.d/abstractions/php | 14 +++++++------- profiles/apparmor.d/php-fpm | 4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/profiles/apparmor.d/abstractions/php b/profiles/apparmor.d/abstractions/php index ac760bc9e..ca7ca370f 100644 --- a/profiles/apparmor.d/abstractions/php +++ b/profiles/apparmor.d/abstractions/php @@ -13,25 +13,25 @@ abi , # shared snippets for config files - /etc/php{,5,7,8}/** r, + /etc/php{,5,7,8,-legacy}/** r, # Xlibs /usr/X11R6/lib{,32,64}/lib*.so* mr, # php extensions - /usr/lib{64,}/php{,5,7,8}/*/*.so mr, + /usr/lib{64,}/php{,5,7,8,-legacy}/*/*.so mr, # ICU (unicode support) data tables /usr/share/icu/*/*.dat r, # php session mmap socket - /var/lib/php{,5,7,8}/session_mm_* rwlk, + /var/lib/php{,5,7,8,-legacy}/session_mm_* rwlk, # file based session handler - /var/lib/php{,5,7,8}/sess_* rwlk, - /var/lib/php{,5,7,8}/sessions/* rwlk, + /var/lib/php{,5,7,8,-legacy}/sess_* rwlk, + /var/lib/php{,5,7,8,-legacy}/sessions/* rwlk, # php libraries - /usr/share/php{,5,7,8}/ r, - /usr/share/php{,5,7,8}/** mr, + /usr/share/php{,5,7,8,-legacy}/ r, + /usr/share/php{,5,7,8,-legacy}/** mr, # MySQL extension /usr/share/mysql/** r, diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm index 736a786a8..bc684fa11 100644 --- a/profiles/apparmor.d/php-fpm +++ b/profiles/apparmor.d/php-fpm 
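Review bot: In profiles/apparmor.d/abstractions/php the new `-legacy` alternative is added to seven rules without a comment saying where it comes from. Because this file is an abstraction, the wider paths apply to any profile that includes it, not only php-fpm. That covers `rwlk` on `/var/lib/php-legacy/sess_*` and `/var/lib/php-legacy/sessions/*`, and `mr` on `/usr/share/php-legacy/**`. A comment above the first changed rule would record the reason for later audits, for example `# -legacy: ArchLinux php-legacy package, installed under php-legacy paths`.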
@@ -32,9 +32,9 @@ profile php-fpm /usr/{bin,sbin}/php-fpm* flags=(attach_disconnected) { /var/log/php*-fpm.log rw, # we need to be able to create all sockets - @{run}/php{,-fpm}/php*-fpm.pid rw, + @{run}/php{,-fpm,-fpm-legacy}/php*-fpm.pid rw, @{run}/php*-fpm.pid rw, - @{run}/php{,-fpm}/php*-fpm.sock rwlk, + @{run}/php{,-fpm,-fpm-legacy}/php*-fpm.sock rwlk, # LP: #2061113 owner @{run}/systemd/notify w,
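Review bot: Only the directory part of the two `@{run}` rules gains `-fpm-legacy`; the file-name globs stay `php*-fpm.pid` and `php*-fpm.sock`. The unchanged neighbours `@{run}/php*-fpm.pid` and `/var/log/php*-fpm.log` also require a name ending in `-fpm`. If the php-legacy package gives its pid, socket or log file a `-legacy` suffix (not visible from this hunk), those accesses would still be denied and the service would fail under the profile. It is worth checking the package's shipped php-fpm configuration and the audit log for DENIED entries after a confined start; if needed, a rule such as `/var/log/php*-fpm{,-legacy}.log rw,` would cover the suffix. The profile body starts and ends outside the hunk.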