void-packages/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm

45 lines
1.2 KiB
Plaintext

# vim:syntax=apparmor
# NOTE: This profile uses TCP sockets by default
# If you wish for php-fpm to listen to unix socket,
# add the following permission to local/usr.bin.php-fpm
# /path/to/your/unix/socket w,
#include <tunables/global>
# This is PHP open_basedir where script can only be executed from.
# /home, /tmp have been removed to not open permissions too widely
# /usr/share/pear have been removed to have its own permission
@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
/usr/bin/php-fpm {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/php>
capability setgid,
capability setuid,
capability kill,
/etc/php/php-fpm.conf r,
/etc/php/php-fpm.d/* r,
# This is set to make php-fpm work by default, but if you don't use these paths
# add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
# to where your PHP app is located
@{PHP_BASEDIRS}/** r,
/usr/bin/php-fpm mr,
/usr/share/pear/** r,
/usr/share/php/fpm/status.html r,
/var/log/php-fpm.log w,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.php-fpm>
}