This is an old revision of the document!
PHP RFC: Apparmor change_hat functionality for php-fpm
- Version: 0.9
- Date: 2013-06-09
- Author: Gernot Vormayr, gvormayr@gmail.com
- Status: Under Discussion
- First Published at: http://wiki.php.net/rfc/fpm_change_hat
Introduction
Apparmor is a mandatory access module for the linux kernel. It works by enforcing policies on different applications. Apparmor also provides functionality for applications to change to a different hat. With this mechanism it is possible to change to a different set of policies in the application.
Proposal
Add functionality to php-fpm to support the additional parameter apparmor_hat in the pool config. Upon spawning a new worker, the worker tries to change to this specific hat. With this feature it is easier for shared hosters to isolate and/or restrict different users. This approach has the advantage over unix access rights, that the apparmor policies allow for a more fine grained control.
- It should not be possible to change back, since this might be possible from php code. The proposed patch prevents this.
- Because of this the apparmor_hat is per pool.
- This needs libapparmor. The proposed patch (Pull Request 343 on github) checks for libapparmor on compilation and omits the feature if it is not found.
- If the feature is not compiled in, but expected, php-fpm does not start up, because it does not know the pool parameter.
Backward Incompatible Changes
- None
Proposed PHP Version(s)
- next PHP 5.x
- should be easily backportable to all php versions which include fpm since it does not enforce any libraries and does nothing if not configured
SAPIs Impacted
- Only fpm
Impact to Existing Extensions
- None
New Constants
Describe any new constants so they can be accurately and comprehensively explained in the PHP documentation.
php.ini Defaults
- There are no defaults. If 'change_hat' is ommited from the pool config, then the hat will not be changed.
Patches and Tests
- Full patch: Pull Request 343 on github
References
This is inspired by the module which does the same thing for apache.
Rejected Features
Vote
Voting started on 23.06.2013 and ends on 1.07.2013.