])
dnl }}}
+AC_DEFUN([AC_FPM_APPARMOR],
+[
+ AC_MSG_CHECKING([for apparmor])
+
+ SAVED_LIBS="$LIBS"
+ LIBS="$LIBS -lapparmor"
+
+ AC_TRY_LINK([ #include <sys/apparmor.h> ], [change_hat("test", 0);], [
+ AC_DEFINE([HAVE_APPARMOR], 1, [do we have apparmor support?])
+ AC_MSG_RESULT([yes])
+ ], [
+ LIBS="$SAVED_LIBS"
+ AC_MSG_RESULT([no])
+ ])
+])
+
AC_MSG_CHECKING(for FPM build)
if test "$PHP_FPM" != "no"; then
AC_FPM_EPOLL
AC_FPM_POLL
AC_FPM_SELECT
+ AC_FPM_APPARMOR
PHP_ARG_WITH(fpm-user,,
[ --with-fpm-user[=USER] Set the user for php-fpm to run as. (default: nobody)], nobody, no)
{ "chdir", &fpm_conf_set_string, WPO(chdir) },
{ "catch_workers_output", &fpm_conf_set_boolean, WPO(catch_workers_output) },
{ "security.limit_extensions", &fpm_conf_set_string, WPO(security_limit_extensions) },
+#ifdef HAVE_APPARMOR
+ { "apparmor_hat", &fpm_conf_set_string, WPO(apparmor_hat) },
+#endif
{ 0, 0, 0 }
};
free(wpc->chroot);
free(wpc->chdir);
free(wpc->security_limit_extensions);
+#ifdef HAVE_APPARMOR
+ free(wpc->apparmor_hat);
+#endif
for (kv = wpc->php_values; kv; kv = kv_next) {
kv_next = kv->next;
struct key_value_s *env;
struct key_value_s *php_admin_values;
struct key_value_s *php_values;
+#ifdef HAVE_APPARMOR
+ char *apparmor_hat;
+#endif
};
struct ini_value_parser_s {
#include <sys/prctl.h>
#endif
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+#endif
+
#include "fpm.h"
#include "fpm_conf.h"
#include "fpm_cleanup.h"
if (0 > fpm_clock_init()) {
return -1;
}
+
+#ifdef HAVE_APPARMOR
+ if (wp->config->apparmor_hat) {
+ char *con, *new_con;
+ if (aa_getcon(&con, NULL) == -1) {
+ zlog(ZLOG_SYSERROR, "[pool %s] failed to query apparmor confinement. Please check if \"/proc/*/attr/current\" is read and writeable.", wp->config->name);
+ return -1;
+ }
+ new_con = malloc(strlen(con) + strlen(wp->config->apparmor_hat) + 3); // // + 0 Byte
+ if (!new_con) {
+ zlog(ZLOG_SYSERROR, "[pool %s] failed to allocate memory for apparmor hat change.", wp->config->name);
+ return -1;
+ }
+ if (0 > sprintf(new_con, "%s//%s", con, wp->config->apparmor_hat)) {
+ zlog(ZLOG_SYSERROR, "[pool %s] failed to construct apparmor confinement.", wp->config->name);
+ return -1;
+ }
+ if (0 > aa_change_profile(new_con)) {
+ zlog(ZLOG_SYSERROR, "[pool %s] failed to change to new confinement (%s). Please check if \"/proc/*/attr/current\" is read and writeable and \"change_profile -> %s//*\" is allowed.", wp->config->name, new_con, con);
+ return -1;
+ }
+ free(con);
+ free(new_con);
+ }
+#endif
+
return 0;
}
/* }}} */
projects / php / commitdiff