
Apparmor PHP8.1 requests rw access to "/"

user1148214

I'm writing an apparmor profile for php (specifically 8.1), and I'm having some trouble with my particular config of php (this is for a webserver running dokuwiki).

I've gotten all the functionality whitelisted, but the one last bit is php wanting rw access to "/". Obviously this isn't good behavior, and I am unsure why it needs this. I didn't write any of the php scripts used by dokuwiki, so is this a problem with their php code or something I can fix with configs?

Apr 02 11:52:31 wiki audit[203102]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/php-fpm8.1" name="/" pid=203102 comm="php-fpm8.1" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Apr 02 11:52:31 wiki kernel: audit: type=1400 audit(1680450751.151:3038): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/php-fpm8.1" name="/" pid=203102 comm="php-fpm8.1" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

My profile:

include <tunables/global>

/usr/sbin/php-fpm8.1 flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/php>
  include <abstractions/user-tmp>

  capability net_admin,
  capability dac_override,
  capability kill,
  capability chown,
  capability setgid,
  capability setuid,

  /usr/sbin/php-fpm8.1 mr,
  owner /proc/sys/kernel/random/boot_id r,
  owner /run/systemd/userdb/ r,
  owner /var/log/php* w,

  # Data Directory
  owner /var/www/dokuwiki/** rw,
}

php abstraction:

  # shared snippets for config files
  /etc/php/{7??,8??}/** r,

  # Xlibs
  /usr/X11R6/lib{,32,64}/lib*.so* mr,
  # php extensions
  /usr/lib{64,}/php{,7*,8*}/*/*.so mr,

  # ICU (unicode support) data tables
  /usr/share/icu/*/*.dat r,

  # php sock and pid files
  /run/php/** rw,

  # php session mmap socket
  /var/lib/php{,7*,8*}/session_mm_* rwlk,
  # file based session handler
  /var/lib/php{,7*,8*}/sess_* rwlk,
  /var/lib/php{,7*,8*}/sessions/* rwlk,

  # php libraries
  /usr/share/php{,7*,8*}/ r,
  /usr/share/php{,7*,8*}/** mr,

  # MySQL extension
  /usr/share/mysql/** r,

  # Zend opcache
  /tmp/.ZendSem.* rwlk,

Side note: I can set this option: owner / rw, and that satisfies php. But it still makes me uncomfortable; is there any way to give this access safely, or is owner just as bad?
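As an added example (not part of the question, the profile, or DokuWiki), a small Python parser for AppArmor audit lines like the two quoted above: it extracts the key=value fields, keeps only DENIED events that asked for write access outside the directories the profile is meant to cover, and collapses the journald and kernel copies of the same event into one finding. The allowed-prefix list and the third sample line are assumptions made for the demonstration.

```python
import re

# Constructed sample log, modelled on the two denial formats quoted in the question
# (the "audit[pid]: AVC" form and the "kernel: audit: type=1400" form); the third
# line is an added read denial inside the wiki data directory, for contrast.
SAMPLE_LOG = """\
Apr 02 11:52:31 wiki audit[203102]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/php-fpm8.1" name="/" pid=203102 comm="php-fpm8.1" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Apr 02 11:52:31 wiki kernel: audit: type=1400 audit(1680450751.151:3038): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/php-fpm8.1" name="/" pid=203102 comm="php-fpm8.1" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Apr 02 11:53:02 wiki kernel: audit: type=1400 audit(1680450782.001:3039): apparmor="DENIED" operation="open" profile="/usr/sbin/php-fpm8.1" name="/var/www/dokuwiki/data/cache/a.txt" pid=203102 comm="php-fpm8.1" requested_mask="r" denied_mask="r" fsuid=33 ouid=33
"""

# key=value or key="quoted value" fields that AppArmor emits after the apparmor= marker
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_line(line):
    """Return the AppArmor fields of one audit line as a dict, or None if it is not one."""
    marker = line.find('apparmor=')
    if marker < 0:
        return None
    # findall yields '' for the group that did not match, so take whichever is set
    return {k: q or u for k, q, u in FIELD_RE.findall(line[marker:])}

def write_denials_outside(log_text, allowed_prefixes):
    """Unique DENIED events that asked for write ('w') on a path outside allowed_prefixes.

    The same event is usually logged twice (journald's audit line and the kernel
    line), so results are deduplicated on (profile, pid, operation, path, mask).
    """
    seen = set()
    findings = []
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get('apparmor') != 'DENIED':
            continue
        path = ev.get('name', '')
        if 'w' not in ev.get('denied_mask', ''):
            continue
        if any(path.startswith(p) for p in allowed_prefixes):
            continue
        key = (ev.get('profile'), ev.get('pid'), ev.get('operation'), path, ev['denied_mask'])
        if key in seen:
            continue
        seen.add(key)
        findings.append({'profile': ev.get('profile'), 'operation': ev.get('operation'),
                         'path': path, 'mask': ev['denied_mask'], 'fsuid': ev.get('fsuid')})
    return findings

if __name__ == '__main__':
    # Assumed prefixes: the rules in the profile above that grant write access
    for f in write_denials_outside(SAMPLE_LOG, ['/var/www/dokuwiki/', '/run/php/', '/var/log/php']):
        print(f"{f['profile']}: {f['operation']} wants '{f['mask']}' on {f['path']} (fsuid {f['fsuid']})")
```

The fsuid field is worth keeping in the output: it tells you which process in the php-fpm pool (the master or a worker) triggered the denial, which narrows down where to look.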

No PHP anything should need access to `/` for any reason. You may want to ask the people who made Dokuwiki whether this is a bug on their end, where the *application root* is being confused with actual root.