It is common for packaged PHP applications to ship a PHP-FPM
configuration using a scheme of "$app.sock" or "$app.socket" instead
of using a generic FPM socket.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

ArchLinux ships a secondary PHP package called php-legacy with different
paths. As of now, the php-fpm profile will cover this binary but
inadequately restrict it.

Fixes: #454

Installation of php-fpm fails on Ubuntu because the profile does not
allow writing to /run/systemd/notify.

Fixes: https://bugs.launchpad.net/bugs/2061113
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

With abstractions/openssl now being included from abstraction/base
(via the indirection of abstractions/crypto) anything already
including abstraction/base can stop including abstractions/openssl
directly.

Begin preparing policy for the 4.0 release. This may result in new
denials. This is expected and needed to make sure policy is ready
for the 4.0 release.

Signed-off-by: John Johansen <john.johansen@canonical.com>

The upstream php-fpm.conf file carries the following pid file example
path:

    [global]
    ; Pid file
    ; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@
    ; Default Value: none
    ;pid = run/php-fpm.pid

Add this path to profiles/apparmor.d/php-fpm, alongside the current
nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
Suggested-by: Ali Abdallah <ali.abdallah@suse.com>
Signed-off-by: David Disseldorp <ddiss@suse.de>

New kernels provide an alternative proc attr interface for apparmor
which is needed for LSM stacking.
Update the remaining profiles that use the old interface to
include access to the new interface.

Signed-off-by: John Johansen <john.johansen@canonical.com>