[apparmor] [patch] abstractions/php: allow access to conf.d/ config files
Christian Boltz
apparmor at cboltz.de
Mon Apr 28 21:54:47 UTC 2014
Hello,
On Monday, 28 April 2014, Felix Geyer wrote:
> On Ubuntu trusty the php package creates config symlinks in
> /etc/php5/cli/conf.d/, /etc/php5/cgi/conf.d/ and /etc/php5/fpm/conf.d/
> to /etc/php5/mods-available/.
>
> For example:
> % ls -ahl /etc/php5/cgi/conf.d/
> total 4.0K
> lrwxrwxrwx 1 root root 32 Apr 24 01:00 05-opcache.ini ->
> ../../mods-available/opcache.ini [...]
>
> Allow access to these paths.
> I have split the rules in order to not have long lines.
>
> === modified file 'profiles/apparmor.d/abstractions/php5'
> --- profiles/apparmor.d/abstractions/php5 2010-03-30 17:34:32
> +++ profiles/apparmor.d/abstractions/php5 2014-04-28 21:18:08
> # shared snippets for config files
> - /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r,
> - /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r,
> + /etc/php5/{conf.d,mods-available}/ r,
> +
> /etc/php5/{apache2,cli,cli/conf.d,fastcgi,cgi,cgi/conf.d,fpm,fpm/conf
> .d}/ r, + /etc/php5/{conf.d,mods-available}/*.ini r,
> +
> /etc/php5/{apache2,cli,cli/conf.d,fastcgi,cgi,cgi/conf.d,fpm,fpm/conf
> .d}/*.ini r,
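Review bot: The directory alternation in the two added `/etc/php5/{apache2,cli,cli/conf.d,...}` rules lists conf.d only under cli, cgi and fpm, so `apache2/conf.d/` and `fastcgi/conf.d/` are not covered by this abstraction if those SAPIs get the same symlink layout; either add them or say in the description that they are left out on purpose. The added lines also arrived wrapped by the mail client (`fpm/conf` split from `.d}/`, and a `+` line fused onto the end of the previous rule), so the hunk will not apply as sent; resending the patch as an attachment would avoid that.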
I somehow doubt there are files or directories in /etc/php5/ that PHP
shouldn't be allowed to read ;-)
Therefore I propose to make the rules much simpler:
/etc/php5/**/ r,
/etc/php5/**.ini r,
Opinions?
Regards,
Christian Boltz
--
In view of the obviously outstanding performances of some athletes
at the 35th Men's Idiot Parade (individual/team) in Nuremberg, I am
once again digging up an old idea of mine:
the digital peer2peer idiot condom. [Ratti in suse-linux]
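To compare what the variants discussed in this thread cover, the following added example (not part of either mail and not AppArmor's own code) translates the rule globs to regular expressions using the documented meaning of `*`, `**` and `{}`, then checks paths against the old rules, the patch's rules (rejoined from the wrapped mail lines) and the proposed `**` rules. The function names and the sample paths are assumptions made for illustration; character classes, escapes and the parser's finer edge cases are not modelled.

```python
import re

def aa_glob_to_regex(glob):
    """Simplified AppArmor path glob -> compiled regex (no [] classes, no escapes)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** may cross '/' boundaries
            out.append(r"[^\x00]*")
            i += 2
            continue
        if c == "*":                      # * stays inside one path component
            out.append("[^/]*")
        elif c == "?":                    # ? is one character, never '/'
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}":
            out.append(")")
            depth -= 1
        elif c == "," and depth > 0:      # comma separates alternatives inside {}
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

SAPI_OLD = "{conf.d,apache2,cli,fastcgi,cgi}"
SAPI_NEW = "{apache2,cli,cli/conf.d,fastcgi,cgi,cgi/conf.d,fpm,fpm/conf.d}"
RULESETS = {  # read rules only; "patch" entries rejoined from the wrapped lines
    "old": [f"/etc/php5/{SAPI_OLD}/", f"/etc/php5/{SAPI_OLD}/*.ini"],
    "patch": ["/etc/php5/{conf.d,mods-available}/", f"/etc/php5/{SAPI_NEW}/",
              "/etc/php5/{conf.d,mods-available}/*.ini", f"/etc/php5/{SAPI_NEW}/*.ini"],
    "proposed": ["/etc/php5/**/", "/etc/php5/**.ini"],
}
COMPILED = {n: [aa_glob_to_regex(g) for g in gs] for n, gs in RULESETS.items()}

def allowed_by(path):
    """Names of the rule sets that grant read access to path."""
    return [n for n, rxs in COMPILED.items() if any(r.fullmatch(path) for r in rxs)]

SAMPLE_PATHS = [  # constructed samples; 05-opcache.ini is the file named in the mail
    "/etc/php5/cli/php.ini", "/etc/php5/cgi/conf.d/",
    "/etc/php5/cgi/conf.d/05-opcache.ini", "/etc/php5/mods-available/opcache.ini",
    "/etc/php5/apache2/conf.d/05-opcache.ini", "/etc/php5/fpm/pool.d/www.conf",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:42} {', '.join(allowed_by(p)) or 'none'}")
```

Files that do not end in `.ini` stay outside all three rule sets, including the `**` variant.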