[apparmor] [patch] abstractions/php: allow access to conf.d/ config files

Christian Boltz apparmor at cboltz.de
Mon Sep 8 19:32:44 UTC 2014


Hello,

this was somehow lost half a year ago - let me propose it as an official 
patch now...

[not shortening the quoting so that you know what I'm talking about]

On Monday, 28 April 2014, Christian Boltz wrote:
> On Monday, 28 April 2014, Felix Geyer wrote:
> > On Ubuntu trusty the php package creates config symlinks in
> > /etc/php5/cli/conf.d/, /etc/php5/cgi/conf.d/ and
> > /etc/php5/fpm/conf.d/ to /etc/php5/mods-available/.
> > 
> > For example:
> > % ls -ahl /etc/php5/cgi/conf.d/
> > total 4.0K
> > lrwxrwxrwx 1 root root   32 Apr 24 01:00 05-opcache.ini ->
> > ../../mods-available/opcache.ini [...]
> > 
> > Allow access to these paths.
> > I have split the rules in order to not have long lines.
> > 
> > === modified file 'profiles/apparmor.d/abstractions/php5'
> > --- profiles/apparmor.d/abstractions/php5	2010-03-30 17:34:32
> > +++ profiles/apparmor.d/abstractions/php5	2014-04-28 21:18:08
> > 
> >    # shared snippets for config files
> > 
> > -  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r,
> > -  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r,
> > +  /etc/php5/{conf.d,mods-available}/ r,
> > +
> > /etc/php5/{apache2,cli,cli/conf.d,fastcgi,cgi,cgi/conf.d,fpm,fpm/con
> > f
> > .d}/ r, +  /etc/php5/{conf.d,mods-available}/*.ini r,
> > +
> > /etc/php5/{apache2,cli,cli/conf.d,fastcgi,cgi,cgi/conf.d,fpm,fpm/con
> > f
> > .d}/*.ini r,
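
Review bot: the brace list in the added rules names cli/conf.d, cgi/conf.d and fpm/conf.d but has no conf.d entry under apache2 or fastcgi, so a conf.d/ directory below either of those two would still not be readable; add them or switch to a recursive match. The two long `+` lines have also been wrapped in mid-word by the mail client (`fpm/con`, `f`, `.d`), so this copy will not apply as posted; resend it as an attachment or with shorter lines.
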
> 
> I somehow doubt there are files or directories in /etc/php5/ that PHP
> shouldn't be allowed to read ;-)
> 
> Therefore I propose to make the rules much simpler:
>     /etc/php5/**/ r,
>     /etc/php5/**.ini r,

So here's the patch to implement this:

=== modified file 'profiles/apparmor.d/abstractions/php5'
--- profiles/apparmor.d/abstractions/php5       2014-06-24 17:53:00 
+++ profiles/apparmor.d/abstractions/php5       2014-09-08 19:31:13 
@@ -11,8 +11,8 @@
 # ------------------------------------------------------------------
 
   # shared snippets for config files
-  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r,
-  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r,
+  /etc/php5/**/ r,
+  /etc/php5/**.ini r,
 
   # Xlibs
   /usr/X11R6/lib{,32,64}/lib*.so* mr,
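
Review bot: the comment above the two added rules still reads only "shared snippets for config files", while `/etc/php5/**/ r,` and `/etc/php5/**.ini r,` now match every directory and every .ini file at any depth below /etc/php5/, not just the five directories named in the removed lines. Extend the comment to say the recursive match is intentional and why (the conf.d/ symlinks into mods-available/ from the quoted report), so that a later cleanup does not narrow it again. It is also worth stating there that files below /etc/php5/ whose names do not end in .ini are still not granted by this abstraction.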




Regards,

Christian Boltz
-- 
It could be, for example, that by now you are better than
95% of the other participants here. For at least 45% of the
people who believe that of themselves, however, that is not the case. :-)
[Kristian Koehntopp in suse-linux]



