Hi!

The basic idea behind this is to get a better seperation of different php
pools (so e.g. php scripts from one pool can't access the other and vice
versa).

I did a small patch (https://github.com/php/php-src/pull/343) that adds a
configuration parameter to pools (apparmor_hat). If this is set, workers of
the pool try to change the apparmor hat to the specified value.
The patch only touches fpm. Only thing that's needed is libapparmor - if it
is not there the functionality just gets left out.

To keep things simple this version is very coarse - meaning it is not
possible to change the hat back, or change to a different hat according to
the executed script.


Any thoughts on this?

Cheers,
Gernot

Reply via email to