Arch Linux


FS#62783 - [security] [php] add apparmor support to extra/php-fpm and extra/php

Attached to Project: Arch Linux
Opened by Boris "Hundi Wam Wam" Digital (boris64) - Friday, 31 May 2019, 12:20 GMT
Last edited by freswa (frederik) - Saturday, 22 February 2020, 22:03 GMT
Task Type: Feature Request
Category: Security
Status: Assigned
Assigned To: Pierre Schmitz (Pierre), Levente Polyak (anthraxx)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version: (none)
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 1
Private: No

Details

Description:
The php-fpm package in Arch Linux seems to be built without proper apparmor (changehat) support.
This feature seems to be enabled in php/php-fpm only when running ./configure on a host with apparmor installed (or maybe there's a config parameter I didn't see?).

After rebuilding and installing php/php-fpm using the standard PKGBUILD (taken from https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/php) on my build VM (with the package 'apparmor' installed), the feature is enabled and working fine.

This is a really cool security feature (for auditing/locking up webapps) which is already built into php/php-fpm and could imho be enabled at no extra cost, but somehow (are there reasons?) it got disabled in Arch.

-> Please add support for apparmor/changehat in php/php-fpm

Additional info:
* package version(s)
extra/php-fpm-7.3.6-1
extra/php-7.3.6-1

* config and/or log files etc.
-

* link to upstream bug report, if any
-> https://wiki.php.net/rfc/fpm_change_hat?s[]=apparmor
-> https://nordisch.org/posts/php-fpm-apparmor/

Steps to reproduce:
1) Add a parameter 'apparmor_hat = $my_php-fpm_pool_here' in a config file like /etc/php/php-fpm.conf/www.conf.

2) Run config check via php-fpm
# php-fpm --test --fpm-config /etc/php/php-fpm.conf/www.conf
[31-May-2019 13:55:53] ERROR: [www.conf:6] unknown entry 'apparmor_hat'
[31-May-2019 13:55:53] ERROR: failed to load configuration file 'www.conf'
[31-May-2019 13:55:53] ERROR: FPM initialization failed
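A scripted version of the check above, added here as an example and not part of the original report or of the php-fpm project: it feeds php-fpm a throwaway pool config that sets apparmor_hat and classifies the output of the config test. It assumes php-fpm is on PATH; the pool name "probe", the temp paths and the nobody user/group are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original report: probe whether the installed
# php-fpm was built with libapparmor (changehat) support by handing it a
# throwaway pool config that uses 'apparmor_hat' and classifying the output of
# 'php-fpm --test'. Assumes php-fpm is on PATH; all paths are constructed.

# classify_fpm_test_output: reads 'php-fpm --test' output on stdin and prints
#   unsupported  FPM rejected 'apparmor_hat' as an unknown entry, i.e. the
#                binary has no apparmor support compiled in
#   supported    the config test passed, so the directive was accepted
#   other-error  an unrelated configuration error was reported
classify_fpm_test_output() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q "unknown entry 'apparmor_hat'"; then
        echo unsupported
    elif printf '%s\n' "$out" | grep -q 'test is successful'; then
        echo supported
    else
        echo other-error
    fi
}

# php_fpm_apparmor_probe: writes a minimal global section plus one pool that
# sets apparmor_hat into a temp dir, runs the FPM config test on it, and
# prints the classification. Nothing is started; --test only parses config.
php_fpm_apparmor_probe() {
    local dir cfg
    dir=$(mktemp -d) || return 1
    cfg="$dir/probe.conf"
    cat > "$cfg" <<EOF
[global]
pid = $dir/php-fpm.pid
error_log = $dir/php-fpm.log

[probe]
user = nobody
group = nobody
listen = $dir/probe.sock
pm = static
pm.max_children = 1
apparmor_hat = probe
EOF
    # --test exits non-zero on a config error, so capture the output either way
    php-fpm --test --fpm-config "$cfg" 2>&1 | classify_fpm_test_output
    rm -rf "$dir"
}
```

Running php_fpm_apparmor_probe on a stock Arch host should print "unsupported", which is the same failure the reporter shows above; a build made with apparmor installed prints "supported".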