Re: issue with php5 abstraction in apparmor
> Since we are past beta now, for Lucid we should probably try to just > make the minimal change required to fix the bug. As such, I think > adjusting the abstractions to have: > /usr/lib{64,}/php5/*/*.so mr, > > would be the best approach. I'd prefer to use a regex instead of '/*/' > but since the version seems to be rather free-form, this seems best. > Opinions? Mostly API_VERSION was just numbers until lucid version. Now it has + sign and letters. Maybe quick fix would be *. -- Regards Dulmandakh http://www.dulmandakh.com http://www.twitter.com/dulmandakh/ -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
Re: issue with php5 abstraction in apparmor
On Tue, 2010-03-16 at 19:02 +0100, Nicolas Barcet wrote: > I am pasting bellow an answer from John Johansen whom is not subscribed > to this list. > > On 03/14/2010 11:36 AM, DULMANDAKH Sukhbaatar wrote: > > As new Ubuntu LTS version is approaching I started to think about > > > migrating my servers to it. To make future migrations smooth I started > > > playing with Lucid and testing it. As a part of it I'm creating > > > apparmor profile for php5-cgi. I found apparmor abstraction for php5 > > > useful, but found two problems in it. First was just easy so I fixed > > > and filed a bug (#538661 )with patch. And last and bigger is path to > > > php5 extensions. > > thanks > > > > > > > php5's abstraction is allowing php5 to load its extensions from > > > /usr/lib{64,}/php5/{libexec,extensions}/, but php5-* packages in > > > ubuntu install extensions in /usr/lib/php5/PHP_API_VERSION or > > > /usr/lib/php5/20090626+lfs in Lucid. so php5 cannot load extensions, > > > > > > I was thinking about solutions to it and found three of them. First, > > > let's change abstraction so php5 can load extenstions from > > > /usr/lib/php5/**. Secone one is just change path in php5 abstraction > > > file to include PHP_API_VERSION, and make such change in every > > > release. Last one is change php5 packaging so it'll install extension > > > in fixed directory. > > > > > fourth: use a variable to describe extension locations > - basically the same your second solution, except the change is > centralized to a variable. > > @{PHP_EXTENSIONS}=/usr/lib{64,}/php5/{libexec,extensions}/ > /usr/lib{64,}/PHP_API_VERSION > > I know this is already basically centralized in the include but the > variable would allow it to be used separate from the include too. > It also allows easy extension of the abstractions by just assigning > a new value to it. > > @{PHP_EXTENSIONS}+=/some/new/path > > The variable gives the option of having rules that reference > PHP_EXTENSIONS with different permissions. I am not sure how > useful that would be atm. > > Another option that can be used on its own or with the variable is > using a directory include, in the php abstraction and then dropping > extensions to the abstraction in that dir. Basically the directory > include will include any file in the directory, so to expand the > abstraction you can just drop in a new file. This can aid packaging, > as different packages can then drop relevant bits into a file owned > by the package. > > When combined with the variable, it can extend the variable and thus > all rules referencing it. Since we are past beta now, for Lucid we should probably try to just make the minimal change required to fix the bug. As such, I think adjusting the abstractions to have: /usr/lib{64,}/php5/*/*.so mr, would be the best approach. I'd prefer to use a regex instead of '/*/' but since the version seems to be rather free-form, this seems best. Opinions? -- Jamie Strandboge | http://www.canonical.com signature.asc Description: This is a digitally signed message part -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
Re: issue with php5 abstraction in apparmor
I am pasting bellow an answer from John Johansen whom is not subscribed to this list. On 03/14/2010 11:36 AM, DULMANDAKH Sukhbaatar wrote: > As new Ubuntu LTS version is approaching I started to think about > > migrating my servers to it. To make future migrations smooth I started > > playing with Lucid and testing it. As a part of it I'm creating > > apparmor profile for php5-cgi. I found apparmor abstraction for php5 > > useful, but found two problems in it. First was just easy so I fixed > > and filed a bug (#538661 )with patch. And last and bigger is path to > > php5 extensions. thanks > > > > php5's abstraction is allowing php5 to load its extensions from > > /usr/lib{64,}/php5/{libexec,extensions}/, but php5-* packages in > > ubuntu install extensions in /usr/lib/php5/PHP_API_VERSION or > > /usr/lib/php5/20090626+lfs in Lucid. so php5 cannot load extensions, > > > > I was thinking about solutions to it and found three of them. First, > > let's change abstraction so php5 can load extenstions from > > /usr/lib/php5/**. Secone one is just change path in php5 abstraction > > file to include PHP_API_VERSION, and make such change in every > > release. Last one is change php5 packaging so it'll install extension > > in fixed directory. > > fourth: use a variable to describe extension locations - basically the same your second solution, except the change is centralized to a variable. @{PHP_EXTENSIONS}=/usr/lib{64,}/php5/{libexec,extensions}/ /usr/lib{64,}/PHP_API_VERSION I know this is already basically centralized in the include but the variable would allow it to be used separate from the include too. It also allows easy extension of the abstractions by just assigning a new value to it. @{PHP_EXTENSIONS}+=/some/new/path The variable gives the option of having rules that reference PHP_EXTENSIONS with different permissions. I am not sure how useful that would be atm. Another option that can be used on its own or with the variable is using a directory include, in the php abstraction and then dropping extensions to the abstraction in that dir. Basically the directory include will include any file in the directory, so to expand the abstraction you can just drop in a new file. This can aid packaging, as different packages can then drop relevant bits into a file owned by the package. When combined with the variable, it can extend the variable and thus all rules referencing it. signature.asc Description: OpenPGP digital signature -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
issue with php5 abstraction in apparmor
Hello, As new Ubuntu LTS version is approaching I started to think about migrating my servers to it. To make future migrations smooth I started playing with Lucid and testing it. As a part of it I'm creating apparmor profile for php5-cgi. I found apparmor abstraction for php5 useful, but found two problems in it. First was just easy so I fixed and filed a bug (#538661 )with patch. And last and bigger is path to php5 extensions. php5's abstraction is allowing php5 to load its extensions from /usr/lib{64,}/php5/{libexec,extensions}/, but php5-* packages in ubuntu install extensions in /usr/lib/php5/PHP_API_VERSION or /usr/lib/php5/20090626+lfs in Lucid. so php5 cannot load extensions, I was thinking about solutions to it and found three of them. First, let's change abstraction so php5 can load extenstions from /usr/lib/php5/**. Secone one is just change path in php5 abstraction file to include PHP_API_VERSION, and make such change in every release. Last one is change php5 packaging so it'll install extension in fixed directory. I thought it would appropriate to discuss it here and find unified solution for Ubuntu. -- Regards Dulmandakh http://www.dulmandakh.com http://www.twitter.com/dulmandakh/ -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam