rfc:fpm_change_hat
— | rfc:fpm_change_hat [2013/06/09 14:58] – changed to under discussion notti | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== PHP RFC: Apparmor change_hat functionality for php-fpm ====== | ||
+ | * Version: 0.9 | ||
+ | * Date: 2013-06-09 | ||
+ | * Author: Gernot Vormayr, gvormayr@gmail.com | ||
+ | * Status: Under Discussion | ||
+ | * First Published at: http:// | ||
+ | |||
+ | |||
+ | ===== Introduction ===== | ||
+ | |||
+ | Apparmor is a mandatory access module for the linux kernel. It works by enforcing policies on different applications. Apparmor also provides functionality for applications to change to a different //hat//. With this mechanism it is possible to change to a different set of policies in the application. | ||
+ | |||
+ | ===== Proposal ===== | ||
+ | |||
+ | Add functionality to php-fpm to support the additional parameter **// | ||
+ | |||
+ | * It should not be possible to change back, since this might be possible from php code. The proposed patch prevents this. | ||
+ | * Because of this the apparmor_hat is per pool. | ||
+ | * This needs libapparmor. The proposed patch ([[https:// | ||
+ | * If the feature is not compiled in, but expected, php-fpm does not start up, because it does not know the pool parameter. | ||
+ | |||
+ | ===== Backward Incompatible Changes ===== | ||
+ | |||
+ | * None | ||
+ | |||
+ | ===== Proposed PHP Version(s) ===== | ||
+ | |||
+ | * next PHP 5.x | ||
+ | * should be easily backportable to all php versions which include fpm since it does not enforce any libraries and does nothing if not configured | ||
+ | |||
+ | ===== SAPIs Impacted ===== | ||
+ | |||
+ | * Only fpm | ||
+ | |||
+ | ===== Impact to Existing Extensions ===== | ||
+ | |||
+ | * None | ||
+ | |||
+ | ===== New Constants ===== | ||
+ | |||
+ | Describe any new constants so they can be accurately and comprehensively explained in the PHP documentation. | ||
+ | |||
+ | ===== php.ini Defaults ===== | ||
+ | |||
+ | * There are no defaults. If ' | ||
+ | |||
+ | ===== Patches and Tests ===== | ||
+ | |||
+ | * Full patch: [[https:// | ||
+ | |||
+ | ===== References ===== | ||
+ | |||
+ | This is inspired by the [[http:// | ||
+ | |||
+ | ===== Rejected Features ===== |
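Review bot: In the Proposal section, the bullet "It should not be possible to change back ... The proposed patch prevents this" asserts the key security property without saying how it is enforced, and the RFC only covers the case where the feature is not compiled in, not what a worker does when the hat change fails at runtime (for example, the configured hat is missing from the loaded profile). Please state the mechanism that makes the change irreversible from PHP code, and specify that a failed hat change stops the pool rather than letting requests run under the parent profile. Separately, "New Constants" still carries the template text "Describe any new constants so they can be accurately and comprehensively explained in the PHP documentation."; replace it with "None" (as in the other sections) or list the constants, and either fill in or drop the empty "Rejected Features" heading.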
rfc/fpm_change_hat.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1