
Php-fpm whitelist needs 2 files

Following merge request !755 (merged) and the related bug https://bugzilla.opensuse.org/show_bug.cgi?id=1186267

The edited file is not the only one that needs the fix; this line should also be changed:

https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/php-fpm#L19

which should become

  /etc/php{,5,7}/** r,

We also need to whitelist the directory where the actual PHP files are stored... something like

  # htdocs
  /srv/www/** rwlk,

But I understand not everyone will store the files there, and I think a better mechanism to tell the user to whitelist such a folder could be needed?

(tested now on my machine and it is now working)

Another one is the session save path; the default is session.save_path = "/tmp"

which is failing, as the configured one (in AppArmor) is supposed to be:

  # php session mmap socket
  /var/lib/php{,5,7,8}/session_mm_* rwlk,
  # file based session handler
  /var/lib/php{,5,7,8}/sess_* rwlk,
  /var/lib/php{,5,7,8}/sessions/* rwlk,

I do think that, since /tmp is already sandboxed (due to the systemd unit file), it should be OK to leave /tmp writable... But I also understand this can be a very weak point too, so maybe I will just file a counter-report in the SUSE bugzilla to change the default session path...


As a side note, I think it should just be put in

https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/php

Instead of

  /etc/php{,5,7,8}/**/ r,
  /etc/php{,5,7,8}/**.ini r,

Also

  /etc/php{,5,7,8}/**.conf r,

and erase the one above in apparmor.d/php-fpm?

As a side note, AppArmor must be active to be reloaded... But if it is stopped, why is it blocking the access???

Edited by Roy Bellingan
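The following is an added example, not part of the issue above and not AppArmor's own code: a small Python matcher for the glob syntax AppArmor file rules use (`*` stops at `/`, `**` crosses it, `{a,b}` expands to alternatives), run over the rule lines quoted in the issue to show concretely why `/etc/php{,5,7}/**` never matches a PHP 8 config file and why session files under the default `session.save_path = "/tmp"` match none of the `/var/lib/php*` rules. The rule text is taken from the issue; the tested paths (`/etc/php8/fpm/php.ini`, `/tmp/sess_abc123`, a file under `/srv/www`) are constructed, and the matcher deliberately ignores profile variables, `owner`, deny rules and execute modes, so it is a teaching aid, not a substitute for `apparmor_parser`.

```python
"""Toy matcher for AppArmor file-rule globs (added example, not AppArmor's parser).

Handles '*' (stops at '/'), '**' (crosses '/'), '?' and '{a,b}' alternation, the
features the php-fpm lines quoted in the issue use. Variables, 'owner', deny
rules and execute modes are not modelled.
"""
import re
from typing import List, Tuple

RULE_RE = re.compile(r"^(\S+)\s+([A-Za-z]+),$")

# Rules as quoted in the issue: line 19 of the profile before the fix plus the
# session rules the profile already carries.
PHP_FPM_RULES_OLD = """
/etc/php{,5,7}/** r,
# php session mmap socket
/var/lib/php{,5,7,8}/session_mm_* rwlk,
# file based session handler
/var/lib/php{,5,7,8}/sess_* rwlk,
/var/lib/php{,5,7,8}/sessions/* rwlk,
"""

# The same set with the two changes proposed in the issue.
PHP_FPM_RULES_FIXED = PHP_FPM_RULES_OLD.replace(
    "/etc/php{,5,7}/**", "/etc/php{,5,7,8}/**") + """
# htdocs (only right for hosts that keep their sites under /srv/www)
/srv/www/** rwlk,
"""


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Parse 'glob perms,' lines into (glob, perms); '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            m = RULE_RE.match(line)
            if m is None:
                raise ValueError(f"unsupported rule: {line!r}")
            rules.append((m.group(1), m.group(2)))
    return rules


def expand_braces(pattern: str) -> List[str]:
    """Expand '{a,b}' alternation; nesting and empty alternatives are allowed."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    alternatives, cur, depth = [], "", 0
    for end in range(start + 1, len(pattern)):   # scan to the matching '}'
        ch = pattern[end]
        if ch == "}" and depth == 0:
            break
        if ch == "," and depth == 0:             # split on top-level commas only
            alternatives.append(cur)
            cur = ""
        else:
            depth += (ch == "{") - (ch == "}")
            cur += ch
    else:
        raise ValueError(f"unbalanced braces in {pattern!r}")
    alternatives.append(cur)
    prefix, suffix = pattern[:start], pattern[end + 1:]
    out = []
    for alt in alternatives:                     # recurse for nested/later braces
        out.extend(expand_braces(prefix + alt + suffix))
    return out


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate a brace-free AppArmor glob into an anchored regex."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")                   # '**' crosses directory boundaries
            i += 2
            continue
        ch = glob[i]
        parts.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def granted(rules, path: str) -> str:
    """Union of permissions from every matching rule (AppArmor merges overlaps)."""
    perms = set()
    for glob, letters in rules:
        if any(glob_to_regex(alt).match(path) for alt in expand_braces(glob)):
            perms.update(letters)
    return "".join(sorted(perms))


def allowed(rules, path: str, perm: str) -> bool:
    """True if every letter in `perm` is granted for `path`."""
    return set(perm) <= set(granted(rules, path))


def compare(path: str, perm: str) -> Tuple[bool, bool]:
    """(allowed by the old rules, allowed by the fixed rules) for one path."""
    return (allowed(parse_rules(PHP_FPM_RULES_OLD), path, perm),
            allowed(parse_rules(PHP_FPM_RULES_FIXED), path, perm))
```

`compare("/etc/php8/fpm/php.ini", "r")` returns `(False, True)`: the old line expands to `/etc/php/**`, `/etc/php5/**` and `/etc/php7/**`, none of which has `/etc/php8/` as a prefix, and adding `8` to the brace fixes it. `compare("/tmp/sess_abc123", "rw")` returns `(False, False)` under both rule sets, which is the mismatch with the `session.save_path = "/tmp"` default described above; a session file under `/var/lib/php8/` is allowed by both. Note also that `/var/lib/php{,5,7,8}/sessions/*` grants nothing for a path one directory deeper, because a single `*` stops at `/`.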