mirror of
https://github.com/php/php-src.git
synced 2024-09-26 20:37:29 +00:00
Add apparmor change hat functionality to fpm
This commit is contained in:
parent
c28e77cbbc
commit
a90a93f1a4
@ -536,6 +536,22 @@ AC_DEFUN([AC_FPM_SELECT],
|
|||||||
])
|
])
|
||||||
dnl }}}
|
dnl }}}
|
||||||
|
|
||||||
|
AC_DEFUN([AC_FPM_APPARMOR],
|
||||||
|
[
|
||||||
|
AC_MSG_CHECKING([for apparmor])
|
||||||
|
|
||||||
|
SAVED_LIBS="$LIBS"
|
||||||
|
LIBS="$LIBS -lapparmor"
|
||||||
|
|
||||||
|
AC_TRY_LINK([ #include <sys/apparmor.h> ], [change_hat("test", 0);], [
|
||||||
|
AC_DEFINE([HAVE_APPARMOR], 1, [do we have apparmor support?])
|
||||||
|
AC_MSG_RESULT([yes])
|
||||||
|
], [
|
||||||
|
LIBS="$SAVED_LIBS"
|
||||||
|
AC_MSG_RESULT([no])
|
||||||
|
])
|
||||||
|
])
|
||||||
|
|
||||||
|
|
||||||
AC_MSG_CHECKING(for FPM build)
|
AC_MSG_CHECKING(for FPM build)
|
||||||
if test "$PHP_FPM" != "no"; then
|
if test "$PHP_FPM" != "no"; then
|
||||||
@ -555,6 +571,7 @@ if test "$PHP_FPM" != "no"; then
|
|||||||
AC_FPM_EPOLL
|
AC_FPM_EPOLL
|
||||||
AC_FPM_POLL
|
AC_FPM_POLL
|
||||||
AC_FPM_SELECT
|
AC_FPM_SELECT
|
||||||
|
AC_FPM_APPARMOR
|
||||||
|
|
||||||
PHP_ARG_WITH(fpm-user,,
|
PHP_ARG_WITH(fpm-user,,
|
||||||
[ --with-fpm-user[=USER] Set the user for php-fpm to run as. (default: nobody)], nobody, no)
|
[ --with-fpm-user[=USER] Set the user for php-fpm to run as. (default: nobody)], nobody, no)
|
||||||
|
@ -149,6 +149,9 @@ static struct ini_value_parser_s ini_fpm_pool_options[] = {
|
|||||||
{ "chdir", &fpm_conf_set_string, WPO(chdir) },
|
{ "chdir", &fpm_conf_set_string, WPO(chdir) },
|
||||||
{ "catch_workers_output", &fpm_conf_set_boolean, WPO(catch_workers_output) },
|
{ "catch_workers_output", &fpm_conf_set_boolean, WPO(catch_workers_output) },
|
||||||
{ "security.limit_extensions", &fpm_conf_set_string, WPO(security_limit_extensions) },
|
{ "security.limit_extensions", &fpm_conf_set_string, WPO(security_limit_extensions) },
|
||||||
|
#ifdef HAVE_APPARMOR
|
||||||
|
{ "apparmor_hat", &fpm_conf_set_string, WPO(apparmor_hat) },
|
||||||
|
#endif
|
||||||
{ 0, 0, 0 }
|
{ 0, 0, 0 }
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -644,6 +647,9 @@ int fpm_worker_pool_config_free(struct fpm_worker_pool_config_s *wpc) /* {{{ */
|
|||||||
free(wpc->chroot);
|
free(wpc->chroot);
|
||||||
free(wpc->chdir);
|
free(wpc->chdir);
|
||||||
free(wpc->security_limit_extensions);
|
free(wpc->security_limit_extensions);
|
||||||
|
#ifdef HAVE_APPARMOR
|
||||||
|
free(wpc->apparmor_hat);
|
||||||
|
#endif
|
||||||
|
|
||||||
for (kv = wpc->php_values; kv; kv = kv_next) {
|
for (kv = wpc->php_values; kv; kv = kv_next) {
|
||||||
kv_next = kv->next;
|
kv_next = kv->next;
|
||||||
|
@ -87,6 +87,9 @@ struct fpm_worker_pool_config_s {
|
|||||||
struct key_value_s *env;
|
struct key_value_s *env;
|
||||||
struct key_value_s *php_admin_values;
|
struct key_value_s *php_admin_values;
|
||||||
struct key_value_s *php_values;
|
struct key_value_s *php_values;
|
||||||
|
#ifdef HAVE_APPARMOR
|
||||||
|
char *apparmor_hat;
|
||||||
|
#endif
|
||||||
};
|
};
|
||||||
|
|
||||||
struct ini_value_parser_s {
|
struct ini_value_parser_s {
|
||||||
|
@ -17,6 +17,10 @@
|
|||||||
#include <sys/prctl.h>
|
#include <sys/prctl.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef HAVE_APPARMOR
|
||||||
|
#include <sys/apparmor.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#include "fpm.h"
|
#include "fpm.h"
|
||||||
#include "fpm_conf.h"
|
#include "fpm_conf.h"
|
||||||
#include "fpm_cleanup.h"
|
#include "fpm_cleanup.h"
|
||||||
@ -222,6 +226,32 @@ int fpm_unix_init_child(struct fpm_worker_pool_s *wp) /* {{{ */
|
|||||||
if (0 > fpm_clock_init()) {
|
if (0 > fpm_clock_init()) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_APPARMOR
|
||||||
|
if (wp->config->apparmor_hat) {
|
||||||
|
char *con, *new_con;
|
||||||
|
if (aa_getcon(&con, NULL) == -1) {
|
||||||
|
zlog(ZLOG_SYSERROR, "[pool %s] failed to query apparmor confinement. Please check if \"/proc/*/attr/current\" is read and writeable.", wp->config->name);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
new_con = malloc(strlen(con) + strlen(wp->config->apparmor_hat) + 3); // // + 0 Byte
|
||||||
|
if (!new_con) {
|
||||||
|
zlog(ZLOG_SYSERROR, "[pool %s] failed to allocate memory for apparmor hat change.", wp->config->name);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if (0 > sprintf(new_con, "%s//%s", con, wp->config->apparmor_hat)) {
|
||||||
|
zlog(ZLOG_SYSERROR, "[pool %s] failed to construct apparmor confinement.", wp->config->name);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if (0 > aa_change_profile(new_con)) {
|
||||||
|
zlog(ZLOG_SYSERROR, "[pool %s] failed to change to new confinement (%s). Please check if \"/proc/*/attr/current\" is read and writeable and \"change_profile -> %s//*\" is allowed.", wp->config->name, new_con, con);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
free(con);
|
||||||
|
free(new_con);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
/* }}} */
|
/* }}} */
|
||||||
|
Loading…
Reference in New Issue
Block a user