# vim:syntax=apparmor
# NOTE: This profile uses TCP sockets by default
# If you wish php-fpm to listen on a unix socket,
# add the following permission to local/usr.bin.php-fpm
# /path/to/your/unix/socket w,
#include <tunables/global>

# This is the PHP open_basedir set: the only directories scripts may be run from.
# /home, /tmp have been removed so as not to open permissions too widely.
# /usr/share/pear has been removed so it can have its own permission rule.
# Entries are space-separated; every rule in the profile that references
# @{PHP_BASEDIRS} (the read rule inside /usr/bin/php-fpm) expands to all of them,
# so adding an entry here widens read access for the whole daemon.
@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
/usr/bin/php-fpm {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/php>

# Capabilities kept to the minimum listed here. setgid/setuid are presumably
# needed so the master can switch pool workers to the configured user/group,
# and kill to signal those workers -- confirm against the pool settings before
# removing or extending this list.
capability setgid,
capability setuid,
capability kill,

# Main configuration and pool definitions, read-only.
# NOTE: '*' does not cross '/', so files placed in subdirectories of
# php-fpm.d are not matched by the second rule.
/etc/php/php-fpm.conf r,
/etc/php/php-fpm.d/* r,

# This is set to make php-fpm work by default, but if you don't use these paths
# add "deny @{PHP_BASEDIRS}/** r," to local/usr.bin.php-fpm and add read rights
# to where your PHP app is located.
# Only 'r' is granted: applications that write below these directories
# (uploads, caches, sessions) need explicit 'w' rules in the local include.
@{PHP_BASEDIRS}/** r,

# The daemon binary itself: readable and mmap-executable ('m').
/usr/bin/php-fpm mr,

/usr/share/pear/** r,
/usr/share/php/fpm/status.html r,

# The log is write-only; nothing in this profile lets the daemon read it back.
/var/log/php-fpm.log w,

# No 'network' rule is declared in this profile. If TCP listening works as the
# file header states, that permission comes from one of the included
# abstractions -- confirm before relying on it when auditing network exposure.

# Site-specific additions and overrides. See local/README for details.
# 'deny' rules placed in the local include take precedence over the allow
# rules above, which is what the @{PHP_BASEDIRS} note relies on.
#include <local/usr.bin.php-fpm>
}