Hi! The basic idea behind this is to get a better separation of different php pools (so e.g. php scripts from one pool can't access the other and vice versa).
I did a small patch (https://github.com/php/php-src/pull/343) that adds a configuration parameter to pools (apparmor_hat). If this is set, workers of the pool try to change the apparmor hat to the specified value. The patch only touches fpm. The only thing that's needed is libapparmor; if it is not there, the functionality just gets left out. To keep things simple, this version is very coarse, meaning it is not possible to change the hat back or to change to a different hat according to the executed script. Any thoughts on this?
Cheers,
Gernot
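The following is an added illustration of the libapparmor call such a per-pool hat change rests on; it is not code from the pull request above or from php-fpm, and the function name, result codes, pool-config line and profile sketch in the comments are assumptions chosen for the example. The point it makes is the one-way property described in the post: `aa_change_hat()` takes a magic token, and passing 0 means the worker can never return to the parent profile, so once a pool worker has entered its hat it stays there for the rest of its life. Built without `HAVE_APPARMOR` the function compiles to the "left out" fallback; with `-DHAVE_APPARMOR -lapparmor` it performs the real change.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_APPARMOR
#include <sys/apparmor.h>   /* aa_is_enabled(), aa_change_hat(); link with -lapparmor */
#endif

/*
 * Assumed pool configuration line (syntax is an assumption for this example):
 *     [www]
 *     apparmor_hat = www
 *
 * Assumed hat inside the php-fpm AppArmor profile (AppArmor's ^hat syntax):
 *     ^www {
 *         /srv/www/**         r,
 *         /srv/www/uploads/** rw,
 *     }
 * A second pool with apparmor_hat = shop and a ^shop hat covering /srv/shop/**
 * gets its own confinement, so workers of one pool cannot read the other's files.
 */

/* Result codes for enter_pool_hat() (assumed names). */
enum hat_result {
    HAT_NOT_CONFIGURED = 0,  /* pool has no apparmor_hat, nothing to do      */
    HAT_ENTERED        = 1,  /* worker is now confined by the hat            */
    HAT_UNSUPPORTED    = 2,  /* no libapparmor at build time, or AppArmor off */
    HAT_FAILED         = 3   /* kernel refused the change; errno describes it */
};

/*
 * To be called once per worker, after fork() and before the first request.
 * Because the magic token passed to aa_change_hat() is 0, there is no token
 * with which aa_change_hat(NULL, token) could restore the parent profile:
 * the change is irreversible, which is exactly the coarse behaviour the
 * post describes (no changing back, no per-script hat switching).
 */
enum hat_result enter_pool_hat(const char *pool_name, const char *hat)
{
    const char *name = pool_name ? pool_name : "?";

    if (hat == NULL || *hat == '\0')
        return HAT_NOT_CONFIGURED;

#ifdef HAVE_APPARMOR
    if (aa_is_enabled() != 1) {
        fprintf(stderr, "[pool %s] apparmor_hat=%s ignored: AppArmor not enabled (%s)\n",
                name, hat, strerror(errno));
        return HAT_UNSUPPORTED;
    }
    if (aa_change_hat(hat, 0UL) != 0) {
        /* Typical causes: the profile has no such hat, or the process is
           unconfined. Refusing to serve requests here is the safe choice,
           since the worker would otherwise run with the parent's rights. */
        fprintf(stderr, "[pool %s] aa_change_hat(\"%s\") failed: %s\n",
                name, hat, strerror(errno));
        return HAT_FAILED;
    }
    return HAT_ENTERED;
#else
    /* libapparmor was not found at build time: the feature is left out,
       and the operator should see that the setting has no effect. */
    fprintf(stderr, "[pool %s] apparmor_hat=%s ignored: built without libapparmor\n",
            name, hat);
    return HAT_UNSUPPORTED;
#endif
}

/* Whether a worker should be allowed to start serving requests. Only a
   hard failure is fatal; an unsupported build behaves as before the patch. */
int worker_may_serve(enum hat_result r)
{
    return r != HAT_FAILED;
}

int main(void)
{
    /* Simulate the startup of two pool workers (constructed pool names). */
    enum hat_result www  = enter_pool_hat("www",  "www");
    enum hat_result shop = enter_pool_hat("shop", "shop");
    printf("www worker: result %d, may serve: %d\n",  www,  worker_may_serve(www));
    printf("shop worker: result %d, may serve: %d\n", shop, worker_may_serve(shop));
    return 0;
}
```

When the hat change fails the worker should exit rather than continue: a pool whose workers silently keep the parent profile's permissions is precisely the cross-pool access the setting is meant to prevent.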