[apparmor] [patch 2/3] profiles: allow php5 abstraction access to Zend opcache files

Steve Beattie steve at nxnw.org
Mon Jun 23 21:06:25 UTC 2014

On Fri, Jun 20, 2014 at 09:16:15AM -0700, Kees Cook wrote:
> On Wed, Jun 18, 2014 at 11:44:26PM -0700, Seth Arnold wrote:
> > On Wed, Jun 18, 2014 at 05:44:04PM -0700, Steve Beattie wrote:
> > > Allow php5 abstraction to access Zend opcache files.
> > > 
> > > [Personally, I don't really like things like this ending up in /tmp,
> > > as there's no need for it; but it's not obvious to me looking at
> > > http://www.php.net/manual/en/opcache.configuration.php if there's a
> > > way to configure things such that the opcache files end up in a php
> > > specific directory, that we could advocate packagers should make as
> > > the default.]
> > 
> > Blech. Annoying php.
> Yes. This took a long time to find digging through PHP code to find the
> file pattern. :)
> > Maybe add 'owner'? I'm not entirely sure how PHP expects these things to
> > be used but it feels like a sane thing to require that the reader and
> > writer be the same uid.
> Yeah, "owner" seems like a good idea.

Actually, owner for some reason won't work here, at least with tests
that I've done on Ubuntu 14.04:

  type=AVC msg=audit(1403508883.378:14162): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//DEFAULT_URI" name="/tmp/.ZendSem.dm4CyE" pid=10001 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0

Note that fsuid and ouid differ (the opcache is being generated/opened
by apache's control process?) and thus restricting owner won't
allow this.

I'm still unable to find a toggle in php configuration that changes the
directory these are created in.

Steve Beattie
<sbeattie at ubuntu.com>
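The fsuid/ouid mismatch above is exactly what decides whether an `owner`-qualified rule can ever cover a denial. As an added example (not part of this thread or the AppArmor profiles), here is a small Python helper that parses AppArmor AVC records like the one quoted and reports whether `owner` would match; the second log line is a constructed variant where the uids agree.

```python
import re

# Constructed sample log: line 1 is the AVC record quoted in the mail,
# line 2 is a constructed variant where the opener's fsuid equals the ouid.
SAMPLE_LOG = """\
type=AVC msg=audit(1403508883.378:14162): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//DEFAULT_URI" name="/tmp/.ZendSem.dm4CyE" pid=10001 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
type=AVC msg=audit(1403508900.100:14170): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2//DEFAULT_URI" name="/tmp/.ZendSem.dm4CyE" pid=10002 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=33
"""

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Split one AppArmor audit record into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def owner_would_match(fields):
    """The `owner` qualifier only matches when the task's fsuid equals the
    object's ouid, so the thread's denial (fsuid=33, ouid=0) cannot use it."""
    return fields.get("fsuid") == fields.get("ouid")


def analyze(log_text):
    """For each DENIED record return profile, path, denied mask and whether
    an `owner`-qualified rule could cover it."""
    results = []
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f.get("apparmor") != "DENIED":
            continue
        results.append({"profile": f["profile"], "path": f["name"],
                        "mask": f["denied_mask"], "owner_ok": owner_would_match(f)})
    return results


def suggested_rule(entry):
    """Render a candidate rule line; the path is kept literal here, so the
    random suffix would still need to be turned into a glob by the reader."""
    prefix = "owner " if entry["owner_ok"] else ""
    return f'{prefix}{entry["path"]} {entry["mask"]},'


if __name__ == "__main__":
    for e in analyze(SAMPLE_LOG):
        note = "" if e["owner_ok"] else "  (owner would NOT match: fsuid != ouid)"
        print(f'{e["profile"]}: {suggested_rule(e)}{note}')
```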