
Add apparmor_hat support to php::fpm::pool #524

Merged
merged 4 commits into from
Sep 2, 2020

Conversation

simondeziel (Contributor)

Pull Request (PR) description

Add support for apparmor_hat directive. This allows a php-fpm binary contained by an Apparmor profile to switch to a more specific profile (hat in apparmor parlance) tailored to the FPM pool serving the request.

Here is an example of an AppArmor profile including a hat called 'foo' for the pool serving a WordPress instance:

# Author: Simon Deziel
# vim:syntax=apparmor
#include <tunables/global>

/usr/sbin/php-fpm7.2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/php>

  capability chown,
  capability dac_override,
  capability kill,
  capability setuid,
  capability setgid,
  capability sys_chroot,

  # slowlog
  capability sys_ptrace,
  ptrace (trace) peer=/usr/sbin/php-fpm7.2//*,

  /etc/php/7.2/fpm/php-fpm.conf  r,
  /etc/php/7.2/fpm/pool.d/*.conf r,
  /etc/ssl/openssl.cnf r,
  /usr/sbin/php-fpm7.2 rmix,

  owner /var/log/php7.2-fpm.log w,
  owner /var/log/php-fpm/*.log.slow rw,
  /run/php/php7.2-fpm.pid w,
  /run/systemd/notify w,

  # Unix sockets
  /run/php/*.sock rw,

  # XXX: weird that php7.2-fpm tests writing to /
  deny / rw,

  # aa_change_hat
  @{PROC}/@{pids}/attr/current rw,
  signal (send) set=(cont,quit,kill,term) peer=/usr/sbin/php-fpm7.2//*,
  change_profile /usr/sbin/php-fpm7.2 -> /usr/sbin/php-fpm7.2//*,
  # hats: a hat is a separate profile, so nothing from the parent profile
  # applies inside it and the needed abstractions are included again
  ^foo {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/php>

    signal (receive) set=(cont,kill,quit,term) peer=/usr/sbin/php-fpm7.2,

    /usr/sbin/php-fpm7.2 mr,

    /var/log/php-fpm/foo-slow.log w,

    # Unix sockets
    /run/php/foo-fpm.sock rw,
    /run/mysqld/mysqld.sock rw,

    audit deny /var/www/foo/**.php w,
    /var/www/foo/** r,
    owner /var/www/foo/wp-content/** w,
  }
}

The php-fpm config would contain this:

# /etc/php/7.2/fpm/pool.d/foo.conf
[foo]
...
; Apparmor hat to change to
apparmor_hat = foo

Note: the above profile was tested on Ubuntu 18.04 with php-fpm from the Ubuntu repos. This version is compiled with AppArmor hat support, which might not be the case for every distro.
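Two things are worth verifying once a pool carries apparmor_hat: statically, that every pool's hat is actually defined in the parent profile and that a change_profile rule such as the `/usr/sbin/php-fpm7.2 -> /usr/sbin/php-fpm7.2//*` line above permits the transition; and at runtime, that each worker really ended up in `<profile>//<hat>` in enforce mode, which is what `/proc/<pid>/attr/current` reports. The script below is an added example and not code from this PR or from the puppet-php module. The pool files, the trimmed profile and the worker labels are constructed inline; the parsing assumes path-named profiles (`/path {` or `profile /path {`), hats written as `^name {` or `hat name {`, and no brace alternation inside change_profile globs.

```python
import configparser
import re

# Constructed pool.d contents (not from the PR): 'bar' names a hat the profile never
# defines, 'baz' sets an empty hat, 'www' sets none and so stays in the parent profile.
POOL_CONFS = {
    "foo.conf": "[foo]\nlisten = /run/php/foo-fpm.sock\n; Apparmor hat to change to\napparmor_hat = foo\n",
    "bar.conf": "[bar]\nlisten = /run/php/bar-fpm.sock\napparmor_hat = bar\n",
    "baz.conf": "[baz]\nlisten = /run/php/baz-fpm.sock\napparmor_hat =\n",
    "www.conf": "[www]\nlisten = /run/php/php7.2-fpm.sock\n",
}
# Constructed, trimmed profile in the shape of the one in the PR description.
PROFILE = """\
/usr/sbin/php-fpm7.2 {
  change_profile /usr/sbin/php-fpm7.2 -> /usr/sbin/php-fpm7.2//*,
  ^foo {
    /var/www/foo/** r,
  }
}
"""
# Constructed labels as they would be read from each worker's /proc/<pid>/attr/current.
WORKER_LABELS = {"foo": ["/usr/sbin/php-fpm7.2//foo (enforce)"],
                 "www": ["/usr/sbin/php-fpm7.2 (enforce)", "unconfined"]}

# Assumptions: path-named profiles ('/path {' or 'profile /path {'), hats written as
# '^name {' or 'hat name {', and no brace alternation inside change_profile globs.
PROFILE_RE = re.compile(r"^\s*(?:profile\s+)?(?P<name>/\S+?)\s*(?:flags=\([^)]*\)\s*)?\{\s*$", re.M)
HAT_RE = re.compile(r"^\s*(?:\^|hat\s+)(?P<hat>\S+?)\s*(?:flags=\([^)]*\)\s*)?\{\s*$", re.M)
CHANGE_RE = re.compile(r"^\s*change_profile(?:\s+(?:safe|unsafe))?(?:\s+(?P<src>(?!->)\S+))?"
                       r"(?:\s+->\s+(?P<dst>\S+?))?\s*,", re.M)
LABEL_RE = re.compile(r"^(?P<profile>\S+?)(?://(?P<hat>\S+))?(?: \((?P<mode>[^)]+)\))?$")

def aa_glob(pattern):
    """Compile an AppArmor path glob: '**' may cross '/', '*' and '?' may not."""
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    rx = "".join({"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + rx + "$")

def parse_profile(text):
    """Return (profile name, set of hat names, list of (src, dst) change_profile rules)."""
    m = PROFILE_RE.search(text)
    if not m:
        raise ValueError("no profile header found")
    hats = {h.group("hat") for h in HAT_RE.finditer(text)}
    return m.group("name"), hats, [(t.group("src"), t.group("dst")) for t in CHANGE_RE.finditer(text)]

def transition_allowed(transitions, profile, target):
    """True if some change_profile rule lets `profile` move to `target`."""
    return any((src is None or aa_glob(src).match(profile)) and (dst is None or aa_glob(dst).match(target))
               for src, dst in transitions)

def pool_hats(confs):
    """Map pool name -> apparmor_hat value, or None when the directive is absent."""
    hats = {}
    for fname, text in confs.items():
        cp = configparser.ConfigParser(interpolation=None, strict=False, inline_comment_prefixes=(";",))
        cp.read_string(text, source=fname)
        for pool in cp.sections():
            if pool != "global":
                hats[pool] = cp.get(pool, "apparmor_hat", fallback=None)
    return hats

def check_pools(confs, profile_text):
    """Static check: pools whose hat is missing from the profile or cannot be entered."""
    profile, hats, transitions = parse_profile(profile_text)
    findings = []
    for pool, hat in sorted(pool_hats(confs).items()):
        if hat is None:
            continue  # no directive: workers stay in the parent profile
        if hat == "":
            findings.append(f"pool {pool}: apparmor_hat is set but empty")
            continue
        if hat not in hats:
            findings.append(f"pool {pool}: hat ^{hat} is not defined in profile {profile}")
        if not transition_allowed(transitions, profile, f"{profile}//{hat}"):
            findings.append(f"pool {pool}: no change_profile rule permits {profile} -> {profile}//{hat}")
    return findings

def parse_label(label):
    """Split a /proc/<pid>/attr/current label into (profile, hat, mode); 'unconfined' has neither."""
    m = LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised label {label!r}")
    return (m.group("profile"), m.group("hat"), m.group("mode"))

def check_workers(worker_labels, confs, profile_text):
    """Runtime check: each worker must carry <profile>//<hat> for its pool, in enforce mode."""
    expected, profile = pool_hats(confs), parse_profile(profile_text)[0]
    findings = []
    for pool, labels in sorted(worker_labels.items()):
        want = expected.get(pool) or None
        for label in labels:
            prof, hat, mode = parse_label(label)
            if (prof, hat) != (profile, want):
                findings.append(f"pool {pool}: worker is '{label}', expected {profile}{'//' + want if want else ''}")
            elif mode != "enforce":
                findings.append(f"pool {pool}: worker is not in enforce mode ({label})")
    return findings
```

On a real host, replace the constructed dicts with the files under /etc/php/7.2/fpm/pool.d/, the profile source, and the label read from /proc/<pid>/attr/current for each worker; php-fpm sets each worker's process title to `php-fpm: pool <name>`, so `ps` is enough to map workers to pools. A pool flagged by the static check is one whose workers cannot complete the change to their hat, so it is worth running before reloading php-fpm rather than after.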

bastelfreak added the enhancement and needs-tests labels on Aug 18, 2019
simondeziel (Contributor, Author) commented Aug 27, 2019

  • add data type
  • unit test

vox-pupuli-tasks commented

Dear @simondeziel, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains a merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

bastelfreak (Member)

thanks for the PR!

bastelfreak merged commit 332e3bc into voxpupuli:master on Sep 2, 2020
simondeziel (Contributor, Author)

That's indeed a good addition to not permit an empty string, thanks for that and taking care of this module!

simondeziel deleted the apparmor branch on September 2, 2020 18:52