Re: issue with php5 abstraction in apparmor
Since we are past beta now, for Lucid we should probably try to just
make the minimal change required to fix the bug. As such, I think
adjusting the abstractions to have:
/usr/lib{64,}/php5/*/*.so mr,
would be the best approach. I'd prefer to use a regex instead of '/*/'
but since the version seems to be rather free-form, this seems best.
Opinions?
Mostly API_VERSION was just numbers until lucid version. Now it has +
sign and letters. Maybe quick fix would be *.
--
Regards
Dulmandakh
http://www.dulmandakh.com
http://www.twitter.com/dulmandakh/
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
Re: issue with php5 abstraction in apparmor
On Tue, 2010-03-16 at 19:02 +0100, Nicolas Barcet wrote:
I am pasting bellow an answer from John Johansen whom is not subscribed
to this list.
On 03/14/2010 11:36 AM, DULMANDAKH Sukhbaatar wrote:
As new Ubuntu LTS version is approaching I started to think about
migrating my servers to it. To make future migrations smooth I started
playing with Lucid and testing it. As a part of it I'm creating
apparmor profile for php5-cgi. I found apparmor abstraction for php5
useful, but found two problems in it. First was just easy so I fixed
and filed a bug (#538661 )with patch. And last and bigger is path to
php5 extensions.
thanks
php5's abstraction is allowing php5 to load its extensions from
/usr/lib{64,}/php5/{libexec,extensions}/, but php5-* packages in
ubuntu install extensions in /usr/lib/php5/PHP_API_VERSION or
/usr/lib/php5/20090626+lfs in Lucid. so php5 cannot load extensions,
I was thinking about solutions to it and found three of them. First,
let's change abstraction so php5 can load extenstions from
/usr/lib/php5/**. Secone one is just change path in php5 abstraction
file to include PHP_API_VERSION, and make such change in every
release. Last one is change php5 packaging so it'll install extension
in fixed directory.
fourth: use a variable to describe extension locations
- basically the same your second solution, except the change is
centralized to a variable.
@{PHP_EXTENSIONS}=/usr/lib{64,}/php5/{libexec,extensions}/
/usr/lib{64,}/PHP_API_VERSION
I know this is already basically centralized in the include but the
variable would allow it to be used separate from the include too.
It also allows easy extension of the abstractions by just assigning
a new value to it.
@{PHP_EXTENSIONS}+=/some/new/path
The variable gives the option of having rules that reference
PHP_EXTENSIONS with different permissions. I am not sure how
useful that would be atm.
Another option that can be used on its own or with the variable is
using a directory include, in the php abstraction and then dropping
extensions to the abstraction in that dir. Basically the directory
include will include any file in the directory, so to expand the
abstraction you can just drop in a new file. This can aid packaging,
as different packages can then drop relevant bits into a file owned
by the package.
When combined with the variable, it can extend the variable and thus
all rules referencing it.
Since we are past beta now, for Lucid we should probably try to just
make the minimal change required to fix the bug. As such, I think
adjusting the abstractions to have:
/usr/lib{64,}/php5/*/*.so mr,
would be the best approach. I'd prefer to use a regex instead of '/*/'
but since the version seems to be rather free-form, this seems best.
Opinions?
--
Jamie Strandboge | http://www.canonical.com
signature.asc
Description: This is a digitally signed message part
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
Re: issue with php5 abstraction in apparmor
I am pasting bellow an answer from John Johansen whom is not subscribed
to this list.
On 03/14/2010 11:36 AM, DULMANDAKH Sukhbaatar wrote:
As new Ubuntu LTS version is approaching I started to think about
migrating my servers to it. To make future migrations smooth I started
playing with Lucid and testing it. As a part of it I'm creating
apparmor profile for php5-cgi. I found apparmor abstraction for php5
useful, but found two problems in it. First was just easy so I fixed
and filed a bug (#538661 )with patch. And last and bigger is path to
php5 extensions.
thanks
php5's abstraction is allowing php5 to load its extensions from
/usr/lib{64,}/php5/{libexec,extensions}/, but php5-* packages in
ubuntu install extensions in /usr/lib/php5/PHP_API_VERSION or
/usr/lib/php5/20090626+lfs in Lucid. so php5 cannot load extensions,
I was thinking about solutions to it and found three of them. First,
let's change abstraction so php5 can load extenstions from
/usr/lib/php5/**. Secone one is just change path in php5 abstraction
file to include PHP_API_VERSION, and make such change in every
release. Last one is change php5 packaging so it'll install extension
in fixed directory.
fourth: use a variable to describe extension locations
- basically the same your second solution, except the change is
centralized to a variable.
@{PHP_EXTENSIONS}=/usr/lib{64,}/php5/{libexec,extensions}/
/usr/lib{64,}/PHP_API_VERSION
I know this is already basically centralized in the include but the
variable would allow it to be used separate from the include too.
It also allows easy extension of the abstractions by just assigning
a new value to it.
@{PHP_EXTENSIONS}+=/some/new/path
The variable gives the option of having rules that reference
PHP_EXTENSIONS with different permissions. I am not sure how
useful that would be atm.
Another option that can be used on its own or with the variable is
using a directory include, in the php abstraction and then dropping
extensions to the abstraction in that dir. Basically the directory
include will include any file in the directory, so to expand the
abstraction you can just drop in a new file. This can aid packaging,
as different packages can then drop relevant bits into a file owned
by the package.
When combined with the variable, it can extend the variable and thus
all rules referencing it.
signature.asc
Description: OpenPGP digital signature
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
