FS#62783 - [php][security] add apparmor support to extra/php-fpm and extra/php

Attached to Project: Arch Linux
Opened by Boris "Hundi Wam Wam" Digital (boris64) - Friday, 31 May 2019, 12:20 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:26 GMT
Task Type Feature Request
Category Security
Status Closed
Assigned To Pierre Schmitz (Pierre)
David Runge (dvzrv)
Levente Polyak (anthraxx)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:
The php-fpm package in Arch Linux seems to be built w/o proper apparmor (changehat) support.
This feature seems to be enabled in php/php-fpm only when running ./configure on a host with apparmor installed (or maybe there's a config parameter I didn't see?).

After rebuilding and installing php/php-fpm using the standard PKGBUILD (taken from https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/php) on my build-vm (with the package 'apparmor' installed) the feature is enabled and working fine.

This is a really cool security feature (for auditing/locking up webapps) which is already built in php/php-fpm and could be imho enabled at no extra cost, but somehow (are there reasons?) it got disabled in Arch.

-> Please add support for apparmor/changehat in php/php-fpm

Additional info:
* package version(s)
extra/php-fpm-7.3.6-1
extra/php-7.3.6-1

* config and/or log files etc.
-

* link to upstream bug report, if any
-> https://wiki.php.net/rfc/fpm_change_hat?s[]=apparmor
-> https://nordisch.org/posts/php-fpm-apparmor/

Steps to reproduce:
1) Add a parameter 'apparmor_hat = $my_php-fpm_pool_here' in a
config file like /etc/php/php-fpm.conf/www.conf.

2) Run config check via php-fpm
# php-fpm --test --fpm-config /etc/php/php-fpm.conf/www.conf
[31-May-2019 13:55:53] ERROR: [www.conf:6] unknown entry 'apparmor_hat'
[31-May-2019 13:55:53] ERROR: failed to load configuration file 'www.conf'
[31-May-2019 13:55:53] ERROR: FPM initialization failed

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:26 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/packaging/packages/php/issues/2
Comment by Boris "Hundi Wam Wam" Digital (boris64) - Thursday, 11 November 2021, 11:33 GMT
I really hate to bump a bug report (sorry!), but is this somehow considered to be enabled? I'd really like to switch my webserver back to arch (from debian), but apparmor is mandatory to me. This really should be easy to implement with no(?) kind of disadvantage.

Thank you in advance.
Comment by David Runge (dvzrv) - Monday, 07 November 2022, 23:31 GMT
@Pierre: We can enable this by adding `--with-fpm-apparmor` to the configure call and including apparmor in makedepends and optdepends for php-fpm.
Comment by Pierre Schmitz (Pierre) - Friday, 11 November 2022, 13:43 GMT
@David: You are correct; this got totally lost. I'll have a look at Apparmor.
Comment by Pierre Schmitz (Pierre) - Friday, 11 November 2022, 16:59 GMT
When built with apparmor support php-fpm links to libapparmor.so.1 which makes it a hard dependency and not optional (which might bring in more dependencies as some might like). I guess I could provide a separate php-fpm-apparmor (split) package. What do you think?
Comment by David Runge (dvzrv) - Tuesday, 22 November 2022, 11:53 GMT
@Pierre have you tried whether it runs without apparmor installed? Is it still configurable?
Comment by Pierre Schmitz (Pierre) - Wednesday, 14 December 2022, 10:32 GMT
It does link against libapparmor, so the binary won't even run if that is not present. According to the documentation php-fpm would still work with apparmor being disabled even if it was linked against its library.

Another solution would be to introduce a split libapparmor package.
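As an added example (not part of this bug report, nor of the php or Arch packaging), a POSIX shell script that checks the two signals discussed in this thread: whether `php-fpm --test` accepts an `apparmor_hat` pool directive (the reproduction steps in the description) and whether the binary links libapparmor.so.1 (Pierre's observation). The temporary config paths, the pool name `www` and the `nobody` user/group are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): classify whether a php-fpm build
# has AppArmor change_hat support, using two signals discussed in the thread:
# the apparmor_hat pool directive being accepted by `php-fpm --test`, and the
# binary linking libapparmor.so.1. Temporary paths and pool values are assumed.

# Classify captured `php-fpm --test` output. Prints one of:
#   unsupported - directive rejected (build lacks --with-fpm-apparmor)
#   supported   - the config containing apparmor_hat was accepted
#   error       - some other failure (missing file, other config error)
fpm_apparmor_status() {
    case "$1" in
        *"unknown entry 'apparmor_hat'"*) echo unsupported ;;
        *"test is successful"*)           echo supported ;;
        *)                                echo error ;;
    esac
}

# Classify captured `ldd` output of the php-fpm binary: an apparmor-enabled
# build carries libapparmor.so.1 as a hard dependency.
fpm_links_libapparmor() {
    case "$1" in
        *libapparmor.so*) echo yes ;;
        *)                echo no ;;
    esac
}

# Write a minimal pool config using the directive, run php-fpm --test against
# it and report both signals. Does nothing useful without a php-fpm binary.
probe_php_fpm() {
    bin="$(command -v "${1:-php-fpm}")" || { echo "php-fpm not found"; return 2; }
    tmp="$(mktemp -d)"
    cat >"$tmp/fpm.conf" <<EOF
[global]
pid = $tmp/php-fpm.pid
error_log = $tmp/php-fpm.log
[www]
user = nobody
group = nobody
listen = $tmp/php-fpm.sock
pm = static
pm.max_children = 1
apparmor_hat = www
EOF
    # php-fpm reports test results on stderr; a rejected directive exits non-zero
    out="$("$bin" --test --fpm-config "$tmp/fpm.conf" 2>&1 || true)"
    echo "directive apparmor_hat: $(fpm_apparmor_status "$out")"
    echo "links libapparmor:      $(fpm_links_libapparmor "$(ldd "$bin" 2>/dev/null)")"
    rm -rf "$tmp"
}
```

Run `probe_php_fpm /usr/bin/php-fpm` on the host in question; a build without `--with-fpm-apparmor` yields `unsupported` and `no`, matching the errors quoted in the description.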
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug otherwise this issue will be closed after 1 month.
