[apparmor] [patch 2/3] profiles: allow php5 abstraction access to Zend opcache files

Seth Arnold seth.arnold at canonical.com
Mon Jun 23 21:36:37 UTC 2014


On Mon, Jun 23, 2014 at 02:06:25PM -0700, Steve Beattie wrote:
> On Fri, Jun 20, 2014 at 09:16:15AM -0700, Kees Cook wrote:
> > On Wed, Jun 18, 2014 at 11:44:26PM -0700, Seth Arnold wrote:
> > > On Wed, Jun 18, 2014 at 05:44:04PM -0700, Steve Beattie wrote:
> > > > Allow php5 abstraction to access Zend opcache files.
> > > > 
> > > > [Personally, I don't really like things like this ending up in /tmp,
> > > > as there's no need for it; but it's not obvious to me looking at
> > > > http://www.php.net/manual/en/opcache.configuration.php if there's a
> > > > way to configure things such that the opcache files end up in a php
> > > > specific directory, that we could advocate packagers should make as
> > > > the default.]
> > > 
> > > Blech. Annoying php.
> > 
> > Yes. This took a long time to find digging through PHP code to find the
> > file pattern. :)
> > 
> > > Maybe add 'owner'? I'm not entirely sure how PHP expects these things to
> > > be used but it feels like a sane thing to require that the reader and
> > > writer be the same uid.
> > 
> > Yeah, "owner" seems like a good idea.
> 
> Actually, owner for some reason won't work here, at least with tests
> that I've done on Ubuntu 14.04:
> 
>   type=AVC msg=audit(1403508883.378:14162): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//DEFAULT_URI" name="/tmp/.ZendSem.dm4CyE" pid=10001 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
> 
> Note that fsuid and ouid differ (the opcache is being generated/opened
> by apache's control process?) and thus restricting owner won't
> allow this.
> 
> I'm still unable to find a toggle in php configuration that changes the
> directory these are created in.

PHP, the gift that keeps on giving. Thanks for investigating this, the
original line is fine with me.

Thanks
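
An added example, not part of the original thread and not AppArmor project code: a small parser for audit records like the denial quoted above, reporting whether an `owner`-qualified rule could have matched (the task's fsuid equals the file's ouid). The function names are hypothetical; the first sample line is the one from the thread and the second is constructed for contrast.

```python
import re

# key=value or key="value" pairs as they appear in an audit record
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# The denial quoted in the thread (Ubuntu 14.04 test).
THREAD_LINE = (
    'type=AVC msg=audit(1403508883.378:14162): apparmor="DENIED" '
    'operation="file_lock" profile="/usr/sbin/apache2//DEFAULT_URI" '
    'name="/tmp/.ZendSem.dm4CyE" pid=10001 comm="apache2" '
    'requested_mask="k" denied_mask="k" fsuid=33 ouid=0'
)
# Constructed for contrast: same shape, but the file is owned by the caller.
CONSTRUCTED_LINE = THREAD_LINE.replace("ouid=0", "ouid=33")

def parse_audit(line):
    """Return the key/value fields of one audit record as a dict."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def owner_rule_would_match(line):
    """True/False for an AppArmor denial carrying both uids, else None."""
    # An 'owner' rule only applies when the task's fsuid equals the
    # file's owner uid (ouid in the audit record).
    f = parse_audit(line)
    if f.get("apparmor") != "DENIED" or not {"fsuid", "ouid"} <= f.keys():
        return None
    return int(f["fsuid"]) == int(f["ouid"])

def report(lines):
    """Summarise each denial as (name, denied_mask, fsuid, ouid, owner_ok)."""
    rows = []
    for line in lines:
        ok = owner_rule_would_match(line)
        if ok is not None:
            f = parse_audit(line)
            rows.append((f.get("name"), f.get("denied_mask"),
                         int(f["fsuid"]), int(f["ouid"]), ok))
    return rows

if __name__ == "__main__":
    for row in report([THREAD_LINE, CONSTRUCTED_LINE, "unrelated log line"]):
        print(row)
```

Run over a log of denials collected while testing a profile change, the rows with `owner_ok` false are the accesses an `owner` qualifier would still deny.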