AppArmor is a mandatory access control module for the Linux kernel. It works by enforcing policies on individual applications. AppArmor also lets an application change to a different hat. With this mechanism the application can switch to a different set of policies.
Add functionality to php-fpm to support the additional parameter apparmor_hat in the pool config. Upon spawning a new worker, the worker tries to change to this specific hat. This feature makes it easier for shared hosters to isolate and/or restrict different users. The advantage of this approach over Unix access rights is that AppArmor policies allow more fine-grained control.
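The hat change a worker performs after spawning can be shown in C as follows; this is an added example, not code from this RFC or from php-fpm. It assumes the raw procfs interface /proc/self/attr/current, that a hat is addressed as the child profile parent//hat, a constructed hat name user1, and a fail-closed choice in which a worker that cannot enter its hat exits.

```c
/* Added illustration, not php-fpm's code. Assumes a single-threaded worker and
 * the "parent//hat" child-profile naming; "user1" is a constructed hat name. */
#include <stdio.h>
#include <string.h>

/* Build "parent//hat" from a confinement string such as
 * "/usr/sbin/php-fpm (enforce)". Returns 0 on success, -1 on bad input. */
int build_hat_label(const char *con, const char *hat, char *out, size_t outlen)
{
    char name[256];
    size_t n;
    /* Reject empty names and names that could address another label. */
    if (!con || !hat || !out || !hat[0] || strpbrk(hat, "/ \n"))
        return -1;
    n = strcspn(con, "\n");
    if (n == 0 || n >= sizeof name)
        return -1;
    memcpy(name, con, n); name[n] = '\0';
    /* Drop the trailing mode, e.g. " (enforce)"; it is not part of the name. */
    char *mode = strrchr(name, '(');
    if (mode && mode > name && mode[-1] == ' ' && name[n - 1] == ')')
        mode[-1] = '\0';
    /* An unconfined process has no parent profile that could hold the hat. */
    if (strcmp(name, "unconfined") == 0)
        return -1;
    int w = snprintf(out, outlen, "%s//%s", name, hat);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int change_to_hat(const char *hat)
{
    char con[256], label[512], cmd[540];
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (!f) return -1;
    char *got = fgets(con, sizeof con, f);
    fclose(f);
    if (!got || build_hat_label(con, hat, label, sizeof label) != 0) return -1;
    snprintf(cmd, sizeof cmd, "changeprofile %s", label);
    if (!(f = fopen("/proc/self/attr/current", "w"))) return -1;
    int ok = fputs(cmd, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1; /* the write happens on flush */
}

int main(void)
{
    /* Fail closed: a worker that cannot enter its hat must not serve requests. */
    if (change_to_hat("user1") != 0) { fprintf(stderr, "hat change failed\n"); return 1; }
    return 0;
}
```

The kernel only accepts the transition if the loaded policy defines the hat and permits the change, so the return value has to be checked before any request is handled.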
This is inspired by the module which does the same thing for Apache.
Voting started on 23.06.2013 and ends on 1.07.2013.