PHP RFC: Apparmor change_hat functionality for php-fpm
Apparmor is a mandatory access control module for the Linux kernel. It works by enforcing policies on individual applications. Apparmor also lets an application change to a different hat, i.e. switch at runtime to a different set of policies.
Add functionality to php-fpm to support the additional parameter apparmor_hat in the pool config. When a new worker is spawned, the worker tries to change to this specific hat. With this feature it is easier for shared hosters to isolate and/or restrict different users. This approach has the advantage over Unix access rights that apparmor policies allow for more fine-grained control.
- It must not be possible to change back to the parent profile, since otherwise PHP code could do so. The proposed patch prevents this.
- Because of this, apparmor_hat is a per-pool setting.
- This needs libapparmor. The proposed patch (Pull Request 373 on GitHub) checks for libapparmor at compile time and omits the feature if it is not found.
- If the feature is not compiled in but a pool config uses it, php-fpm does not start up, because it does not know the pool parameter.
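The "must not be possible to change back" point above, as an added C illustration that is not the proposed patch: libapparmor's aa_change_hat() takes a magic token with which a process can later return to its parent profile, so a worker that enters a hat has to use an unpredictable token and then destroy it. The aa_change_hat symbol is declared weak so the file builds without libapparmor installed; fake_change_hat and the hat name www-user1 are constructed stand-ins.

```c
#include <stdio.h>
typedef int (*change_hat_fn)(const char *subprofile, unsigned long magic_token);

/* libapparmor's real entry point, declared weak so this file builds without the
 * library installed; the symbol is NULL when nothing links it in. */
extern int aa_change_hat(const char *subprofile, unsigned long magic_token)
    __attribute__((weak));

/* Constructed stand-in for aa_change_hat() keeping the rule that matters here:
 * a NULL hat means "return to the parent profile", and that only succeeds with
 * the token used on entry (the real kernel kills the task on a wrong token). */
static unsigned long fake_saved_token;
static int fake_in_hat;
static int fake_change_hat(const char *subprofile, unsigned long magic_token) {
    if (subprofile) { fake_saved_token = magic_token; fake_in_hat = 1; return 0; }
    if (!fake_in_hat || magic_token != fake_saved_token) return -1;
    fake_in_hat = 0;                        /* right token: back to the parent */
    return 0;
}

/* Unpredictable token from the kernel CSPRNG; 0 is returned on a short read,
 * so callers must treat 0 as "no token". */
static unsigned long fresh_magic_token(void) {
    unsigned long token = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f && fread(&token, sizeof token, 1, f) != 1) token = 0;
    if (f) fclose(f);
    return token;
}

/* Enter `hat` via `change_hat` (a parameter so the fake can stand in), then wipe
 * the token so nothing that runs later in this worker, PHP code included, can
 * call change_hat(NULL, token) to regain the parent profile. 0 on success. */
static int enter_hat_one_way(const char *hat, change_hat_fn change_hat) {
    if (!change_hat || !hat || !*hat) return -1;
    unsigned long token = fresh_magic_token();
    if (token == 0) return -1;
    int rc = change_hat(hat, token);
    *(volatile unsigned long *)&token = 0;  /* volatile store: wipe not elided */
    return rc == 0 ? 0 : -1;
}

int main(void) {
    /* "www-user1" is an illustrative hat name, not one from the RFC. */
    change_hat_fn fn = aa_change_hat ? aa_change_hat : fake_change_hat;
    printf("%s: %d\n", aa_change_hat ? "libapparmor" : "fake",
           enter_hat_one_way("www-user1", fn));
    return 0;
}
```

Against a real profile the call only succeeds when the worker is already confined by a profile that declares that hat; unconfined processes are refused.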
Backward Incompatible Changes
Proposed PHP Version(s)
- next PHP 5.x
- should be easy to backport to all PHP versions that include fpm, since it does not require any additional library and does nothing unless configured
- Only fpm
Impact to Existing Extensions
Describe any new constants so they can be accurately and comprehensively explained in the PHP documentation.
- There are no defaults. If 'change_hat' is omitted from the pool config, the hat will not be changed.
Patches and Tests
This is inspired by the Apache module that does the same thing for Apache.
Voting started on 23.06.2013 and ends on 1.07.2013.