apparmor/profiles/apparmor.d/php-fpm

# vim: ft=apparmor

abi <abi/3.0>,

include <tunables/global>

profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
  # load common libraries and their support files
  include <abstractions/base>
  # resolve hostnames/usernames
  include <abstractions/nameservice>
  # common php files and support files that php needs
  include <abstractions/php>
  # read openssl configuration
  include <abstractions/openssl>
  # read the system certificates
  include <abstractions/ssl_certs>

  /etc/php{,5,7}/** r,

  capability net_admin,
  # change user/group of a pool
  capability setuid,
  capability setgid,
  # change ownership of the socket so that we can launch with a different user/group as the socket will be owned by
  capability chown,
  # we want to be able to kill our child processes
  capability kill,
  # to provide sockets with acls different than root
  capability dac_override,

  # we need write access here to move it into a different apparmor sub profile
  @{PROC}/@{pid}/attr/{apparmor/,}current rw,

  # the main log file
  /var/log/php*-fpm.log rw,

  # we need to be able to create all sockets
  @{run}/php{,-fpm}/php*-fpm.pid rw,
  @{run}/php{,-fpm}/php*-fpm.sock rwlk,

  # to reload
  /usr/sbin/php-fpm* rix,

  # no idea why php tries to open / read/write
  deny / rw,

  # allow sending signals to our subprocesses
  signal (send) peer=php-fpm//*,

  # allow switching processes to those subprofiles
  change_profile -> php-fpm//*,

  # load all files from this directory
  # store your configurations per pool in this dir
  include if exists <php-fpm.d>

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/php-fpm>
}