profiles: add support for ArchLinux php-legacy package to php-fpm

ArchLinux ships a secondary PHP package called php-legacy with different paths. As of now, the php-fpm profile will cover this binary but inadequately restrict it. Fixes: #454
2025-03-04 00:14:44 +01:00 · 2024-10-30 09:39:37 +01:00 · 2024-10-30 09:39:37 +01:00 · 6a5432b2b0
commit 6a5432b2b0
parent 4fe3e30abc
2 changed files with 9 additions and 9 deletions
--- a/profiles/apparmor.d/abstractions/php
+++ b/profiles/apparmor.d/abstractions/php
@ -13,25 +13,25 @@
  abi <abi/4.0>,

  # shared snippets for config files
-  /etc/php{,5,7,8}/** r,
+  /etc/php{,5,7,8,-legacy}/** r,

  # Xlibs
  /usr/X11R6/lib{,32,64}/lib*.so* mr,
  # php extensions
-  /usr/lib{64,}/php{,5,7,8}/*/*.so mr,
+  /usr/lib{64,}/php{,5,7,8,-legacy}/*/*.so mr,

  # ICU (unicode support) data tables
  /usr/share/icu/*/*.dat r,

  # php session mmap socket
-  /var/lib/php{,5,7,8}/session_mm_* rwlk,
+  /var/lib/php{,5,7,8,-legacy}/session_mm_* rwlk,
  # file based session handler
-  /var/lib/php{,5,7,8}/sess_* rwlk,
-  /var/lib/php{,5,7,8}/sessions/* rwlk,
+  /var/lib/php{,5,7,8,-legacy}/sess_* rwlk,
+  /var/lib/php{,5,7,8,-legacy}/sessions/* rwlk,

  # php libraries
-  /usr/share/php{,5,7,8}/ r,
-  /usr/share/php{,5,7,8}/** mr,
+  /usr/share/php{,5,7,8,-legacy}/ r,
+  /usr/share/php{,5,7,8,-legacy}/** mr,

  # MySQL extension
  /usr/share/mysql/** r,
--- a/profiles/apparmor.d/php-fpm
+++ b/profiles/apparmor.d/php-fpm
@ -32,9 +32,9 @@ profile php-fpm /usr/{bin,sbin}/php-fpm* flags=(attach_disconnected) {
  /var/log/php*-fpm.log rw,

  # we need to be able to create all sockets
-  @{run}/php{,-fpm}/php*-fpm.pid rw,
+  @{run}/php{,-fpm,-fpm-legacy}/php*-fpm.pid rw,
  @{run}/php*-fpm.pid rw,
-  @{run}/php{,-fpm}/php*-fpm.sock rwlk,
+  @{run}/php{,-fpm,-fpm-legacy}/php*-fpm.sock rwlk,

  # LP: #2061113
  owner @{run}/systemd/notify w,