From: Michael Orlitzky Date: Wed, 27 Dec 2017 01:08:37 +0000 (-0500) Subject: sapi/fpm/config.m4: add a new --with-fpm-apparmor configure flag. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=40cdc5f298002a5a3d8386d8fc468cdd226fac59;p=php sapi/fpm/config.m4: add a new --with-fpm-apparmor configure flag. The existing AC_FPM_APPARMOR macro (which is always run when FPM is enabled) checks for the existence of libapparmor, and adds it to $LIBS if found. The result is an "automagic" dependency on libapparmor that depends not only on the user's configuration, but also on the build host's environment. In particular, this can cause problems if the user just happens to have libapparmor installed (for testing or development) when he builds PHP. Later, he may remove libapparmor, not realizing that PHP depends on it. At that point, FPM will cease to work due to the missing library. This commit adds a new configure flag called "--with-fpm-apparmor", defaulting to "no", that enables or disables the feature. The new flag is used to signal the user's intent; whether or not he wants to use AppArmor. If he does, then we still check for the existence and usability of libapparmor; however, it is now an error for the library to be missing when --with-fpm-apparmor is requested. Gentoo-bug: https://bugs.gentoo.org/637402 PHP-bug: https://bugs.php.net/bug.php?id=75519
---
diff --git a/sapi/fpm/config.m4 b/sapi/fpm/config.m4
index f71fa710dd..9d2b8c7349 100644
--- a/sapi/fpm/config.m4
+++ b/sapi/fpm/config.m4
@@ -488,22 +488,6 @@ AC_DEFUN([AC_FPM_SELECT], ]) ]) -AC_DEFUN([AC_FPM_APPARMOR], -[ - AC_MSG_CHECKING([for apparmor]) - - SAVED_LIBS="$LIBS" - LIBS="$LIBS -lapparmor" - - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[change_hat("test", 0);]])], [ - AC_DEFINE([HAVE_APPARMOR], 1, [do we have apparmor support?]) - AC_MSG_RESULT([yes]) - ], [ - LIBS="$SAVED_LIBS" - AC_MSG_RESULT([no]) - ]) -]) - AC_MSG_CHECKING(for FPM build) if test "$PHP_FPM" != "no"; then AC_MSG_RESULT($PHP_FPM) @@ -521,7 +505,6 @@ if test "$PHP_FPM" != "no"; then AC_FPM_DEVPOLL AC_FPM_EPOLL AC_FPM_SELECT - AC_FPM_APPARMOR PHP_ARG_WITH([fpm-user],, [AS_HELP_STRING([[--with-fpm-user[=USER]]], @@ -548,6 +531,12 @@ if test "$PHP_FPM" != "no"; then [no], [no]) + PHP_ARG_WITH([fpm-apparmor],, + [AS_HELP_STRING([--with-fpm-apparmor], + [Support AppArmor confinement through libapparmor])], + [no], + [no]) + if test "$PHP_FPM_SYSTEMD" != "no" ; then PKG_CHECK_MODULES([SYSTEMD], [libsystemd >= 209]) @@ -580,6 +569,16 @@ if test "$PHP_FPM" != "no"; then ]) fi + if test "x$PHP_FPM_APPARMOR" != "xno" ; then + AC_CHECK_HEADERS([sys/apparmor.h]) + AC_CHECK_LIB(apparmor, change_hat, [ + PHP_ADD_LIBRARY(apparmor) + AC_DEFINE(HAVE_APPARMOR, 1, [ AppArmor confinement available ]) + ],[ + AC_MSG_ERROR(libapparmor required but not found) + ]) + fi + PHP_SUBST_OLD(php_fpm_systemd) AC_DEFINE_UNQUOTED(PHP_FPM_SYSTEMD, "$php_fpm_systemd", [fpm systemd service type])
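Review bot: The `PHP_ARG_WITH([fpm-apparmor], ...)` added in the `@@ -548,6 +531,12 @@` hunk defaults to `no`, so a build that used to pick up libapparmor through the always-run AC_FPM_APPARMOR check now comes out without `HAVE_APPARMOR` unless the packager adds the flag, and configure prints nothing about the difference. Because this drops a confinement feature from existing builds, it should be called out in the upgrade notes, and the help text could state the default, e.g. `[Support AppArmor confinement through libapparmor (default: no)]`. How FPM behaves at run time when a pool configuration still asks for AppArmor confinement is not visible in this diff and is worth checking before release. The enclosing `if test "$PHP_FPM" != "no"` block begins and ends outside the hunk.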
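Review bot: In the `@@ -580,6 +569,16 @@` hunk the result of `AC_CHECK_HEADERS([sys/apparmor.h])` is never acted on, so a host that has the shared library but not its development header still passes configure with `HAVE_APPARMOR` defined and presumably fails only later, at compile time. The removed AC_FPM_APPARMOR macro compiled and linked a test program calling `change_hat`, covering header and library in one step; to keep that guarantee make the missing header fatal too: `AC_CHECK_HEADERS([sys/apparmor.h], [], [AC_MSG_ERROR([sys/apparmor.h required but not found])])`. The arguments to `AC_CHECK_LIB` and `AC_MSG_ERROR` are also unquoted, unlike the bracketed calls elsewhere in the file; `AC_MSG_ERROR([libapparmor required but not found])` is the safer m4 form. The enclosing `if test "$PHP_FPM" != "no"` block begins and ends outside the hunk.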