php-fpm (1704B)
- # vim: ft=apparmor
- abi <abi/3.0>,
- include <tunables/global>
- profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
- # load common libraries and their support files
- include <abstractions/base>
- # resolve hostnames/usernames
- include <abstractions/nameservice>
- # common php files and support files that php needs
- include <abstractions/php>
- # read openssl configuration
- include <abstractions/openssl>
- # read the system certificates
- include <abstractions/ssl_certs>
- capability net_admin,
- # change user/group of a pool
- capability setuid,
- capability setgid,
- # change ownership of the socket so that we can launch with a different user/group as the socket will be owned by
- capability chown,
- # we want to be able to kill our child processes
- capability kill,
- # to provide sockets with acls different than root
- capability dac_override,
- # we need write access here to move it into a different apparmor sub profile
- @{PROC}/@{pid}/attr/{apparmor/,}current rw,
- # the main log file
- /var/log/php*-fpm.log rw,
- # we need to be able to create all sockets
- @{run}/php{,-fpm}/php*-fpm.pid rw,
- @{run}/php*-fpm.pid rw,
- @{run}/php{,-fpm}/php*-fpm.sock rwlk,
- # to reload
- /usr/sbin/php-fpm* rix,
- # no idea why php tries to open / read/write
- deny / rw,
- # allow sending signals to our subprocesses
- signal (send) peer=php-fpm//*,
- # allow switching processes to those subprofiles
- change_profile -> php-fpm//*,
- # load all files from this directory
- # store your configurations per pool in this dir
- include if exists <php-fpm.d>
- # Site-specific additions and overrides. See local/README for details.
- include if exists <local/php-fpm>
- }