FS#62783 - [php][security] add apparmor support to extra/php-fpm and extra/php
Attached to Project:
Arch Linux
Opened by Boris "Hundi Wam Wam" Digital (boris64) - Friday, 31 May 2019, 12:20 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:26 GMT
Details
Description:
The php-fpm-package in Archlinux seems to be built w/o proper apparmor (changehat) support. This feature seems to be enabled in php/php-fpm only when running ./configure on a host with apparmor installed (or maybe there's a config parameter I didn't see?).

After rebuilding and installing php/php-fpm using the standard PKGBUILD (taken from https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/php) on my build-vm (with the package 'apparmor' installed) the feature is enabled and working fine.

This is a really cool security feature (for auditing/locking up webapps) which is already built in php/php-fpm and could be imho enabled at no extra cost, but somehow (are there reasons?) it got disabled in Arch.

-> Please add support for apparmor/changehat in php/php-fpm

Additional info:
* package version(s)
  extra/php-fpm-7.3.6-1
  extra/php-7.3.6-1
* config and/or log files etc.
  -
* link to upstream bug report, if any
  -> https://wiki.php.net/rfc/fpm_change_hat?s[]=apparmor
  -> https://nordisch.org/posts/php-fpm-apparmor/

Steps to reproduce:
1) Add a parameter 'apparmor_hat = $my_php-fpm_pool_here' in a configfile like /etc/php/php-fpm.conf/www.conf.
2) Run config check via php-fpm

# php-fpm --test --fpm-config /etc/php/php-fpm.conf/www.conf
[31-May-2019 13:55:53] ERROR: [www.conf:6] unknown entry 'apparmor_hat'
[31-May-2019 13:55:53] ERROR: failed to load configuration file 'www.conf'
[31-May-2019 13:55:53] ERROR: FPM initialization failed
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:26 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/php/issues/2
Thank you in advance.
Another solution would be to introduce a split libapparmor package.