rfc:fpm_change_hat
rfc:fpm_change_hat [2013/06/09 14:58] – changed to under discussion notti
====== PHP RFC: Apparmor change_hat functionality for php-fpm ======
  * Version: 0.9
  * Date: 2013-06-09
  * Author: Gernot Vormayr, gvormayr@gmail.com
  * Status: Under Discussion
  * First Published at: http://wiki.php.net/rfc/fpm_change_hat

===== Introduction =====

AppArmor is a mandatory access control module for the Linux kernel. It works by enforcing per-application policies (profiles). AppArmor also lets an application change to a different //hat//, a sub-profile of its current profile; with this mechanism the application can switch to a different set of policies at runtime.

===== Proposal =====

Add support to php-fpm for an additional pool configuration parameter, **//apparmor_hat//**. When a new worker is spawned, it tries to change to the configured hat. This makes it easier for shared hosting providers to isolate and/or restrict individual users. Compared to plain Unix access rights, AppArmor policies allow much finer-grained control.

  * It must not be possible to change back to the original profile, since otherwise PHP code could do so. The proposed patch prevents this.
    * For this reason the apparmor_hat setting is per pool.
  * This requires libapparmor. The proposed patch ([[https://github.com/php/php-src/pull/343|Pull Request 343 on github]]) checks for libapparmor at build time and omits the feature if it is not found.
  * If the feature is not compiled in but a pool config sets the parameter, php-fpm fails to start, because it does not recognise the pool parameter.
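
Added example, not code from the RFC or the pull request: the Python script below checks, before php-fpm is (re)started, that every pool's ''apparmor_hat'' (the key name proposed above) names a hat actually declared in the AppArmor profile, and lists pools that set no hat at all, since their workers stay in the pool-independent base profile. The pool config, profile, paths and hat names are constructed for this example.

```python
import configparser
import re

# Constructed sample pool config (not from the RFC's patch); key name per the RFC.
POOL_CONF = """
[alice]
listen = /run/php-fpm/alice.sock
apparmor_hat = alice
[bob]
listen = /run/php-fpm/bob.sock
apparmor_hat = bobb
[legacy]
listen = /run/php-fpm/legacy.sock
"""

# Constructed AppArmor profile for the php-fpm binary. Each hat is declared
# with a leading ^ (the keyword "hat" is an accepted alternative).
PROFILE = """
/usr/sbin/php-fpm {
  ^alice {
    /srv/alice/** r,
  }
  ^bob {
    /srv/bob/** r,
  }
}
"""

HAT_RE = re.compile(r"^\s*(?:\^|hat\s+)([^\s{]+)\s*\{", re.MULTILINE)

def declared_hats(profile_text):
    """Set of hat names declared in the profile text."""
    return set(HAT_RE.findall(profile_text))

def pool_hats(pool_conf_text):
    """Map pool name -> apparmor_hat value (None when the key is absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pool_conf_text)
    return {name: cp[name].get("apparmor_hat") for name in cp.sections()}

def audit(pool_conf_text, profile_text):
    """Return (unconfined pools, [(pool, undeclared hat), ...])."""
    hats = declared_hats(profile_text)
    unconfined, missing = [], []
    for pool, hat in pool_hats(pool_conf_text).items():
        if hat is None:          # hat will not be changed for this pool
            unconfined.append(pool)
        elif hat not in hats:    # worker could not change to this hat
            missing.append((pool, hat))
    return sorted(unconfined), sorted(missing)
```

Run it against the real pool directory and the loaded profile (''/etc/apparmor.d/'') as part of a deployment check; a non-empty ''missing'' list means a worker would fail its hat change at spawn.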

===== Backward Incompatible Changes =====

  * None

===== Proposed PHP Version(s) =====

  * next PHP 5.x
  * should be easily backportable to all PHP versions that include fpm, since it does not require any additional libraries and does nothing if not configured

===== SAPIs Impacted =====

  * Only fpm

===== Impact to Existing Extensions =====

  * None

===== New Constants =====

Describe any new constants so they can be accurately and comprehensively explained in the PHP documentation.

===== php.ini Defaults =====

  * There are no defaults. If 'change_hat' is omitted from the pool config, then the hat will not be changed.

===== Patches and Tests =====

  * Full patch: [[https://github.com/php/php-src/pull/343|Pull Request 343 on github]]

===== References =====

This is inspired by the [[http://wiki.apparmor.net/index.php/Mod_apparmor_example|mod_apparmor module]], which does the same thing for Apache.

===== Rejected Features =====
rfc/fpm_change_hat.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1