====== PHP RFC: Apparmor change_hat functionality for php-fpm ======
  * Version: 0.9
  * Date: 2013-06-09
  * Author: Gernot Vormayr, gvormayr@gmail.com
  * Status: Implemented (PHP 5.6) https://github.com/php/php-src/pull/373
  * First Published at: http://wiki.php.net/rfc/fpm_change_hat


===== Introduction =====

Apparmor is a mandatory access module for the linux kernel. It works by enforcing policies on different applications. Apparmor also provides functionality for applications to change to a different //hat//. With this mechanism it is possible to change to a different set of policies in the application.

===== Proposal =====

Add functionality to php-fpm to support the additional parameter **//apparmor_hat//** in the pool config. Upon spawning a new worker, the worker tries to change to this specific hat. With this feature it is easier for shared hosters to isolate and/or restrict different users. This approach has the advantage over unix access rights, that the apparmor policies allow for a more fine grained control.

  * It should not be possible to change back, since this might be possible from php code. The proposed patch prevents this.
    * Because of this the apparmor_hat is per pool.
  * This needs libapparmor. The proposed patch ([[https://github.com/php/php-src/pull/373|Pull Request 373 on github]]) checks for libapparmor on compilation and omits the feature if it is not found.
  * If the feature is not compiled in, but expected, php-fpm does not start up, because it does not know the pool parameter.

===== Backward Incompatible Changes =====

  * None

===== Proposed PHP Version(s) =====

  * next PHP 5.x
  * should be easily backportable to all php versions which include fpm since it does not enforce any libraries and does nothing if not configured

===== SAPIs Impacted =====

  * Only fpm

===== Impact to Existing Extensions =====

  * None

===== New Constants =====

Describe any new constants so they can be accurately and comprehensively explained in the PHP documentation.

===== php.ini Defaults =====

  * There are no defaults. If 'change_hat' is ommited from the pool config, then the hat will not be changed.

===== Patches and Tests =====

  * Full patch: <del>[[https://github.com/php/php-src/pull/343|Pull Request 343 on github]]</del> [[https://github.com/php/php-src/pull/373|Pull Request 373 on github]]

===== References =====

This is inspired by the [[http://wiki.apparmor.net/index.php/Mod_apparmor_example|module]] which does the same thing for apache.

===== Rejected Features =====

===== Vote =====

Voting started on 23.06.2013 and ends on 1.07.2013.

<doodle title="RFC/fpm_change_hat" auth="user" voteType="multi" closed="true">
   * Yes?
   * No?
</doodle>