Missing rules in php5 abstraction

Bug #1401084 reported by Jacek Nykis on 2014-12-10
Affects: apparmor (Ubuntu)
Importance: Medium
Assigned to: Unassigned
Nominated for Trusty by Steve Beattie

Bug Description

[impact]

This bug prevents the proper functioning of apache mod_php with
mod_apparmor.

[steps to reproduce]

1) set up apache and mod_php, verify php scripts are working
2) stop apache2
3) install mod_apparmor
4) restart apache2
5) with fix applied, apache should not generate rejections for /tmp/.ZendSem.*
for php scripts confined by mod_apparmor

[regression potential]

The change to the php abstraction in the patch for this bug is a
slight loosening of the apparmor policy. The risk of an introduced
regression is small.

[original description]

I am using apache mod_apparmor with a wordpress blog. In my rules I have:
#include <abstractions/php5>

But this did not allow all access that was needed:
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="wk" denied_mask="wk" fsuid=33 ouid=0

This access seems to be needed by the opcache module; I found some info about it here:
https://lists.ubuntu.com/archives/apparmor/2014-June/005879.html

Ubuntu 14.04.1
apparmor 2.8.95~2430-0ubuntu5.1
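
Added example (not part of the bug report or the AppArmor project's code): a small Python triage script that parses `apparmor="DENIED"` records like the two quoted above, collapses the random `.ZendSem.` suffix into the `/tmp/.ZendSem.*` glob named in the reproduction steps, and merges the denied masks into one candidate rule per profile. The function names are hypothetical, and the rule it prints is derived only from the log lines, so it is not necessarily the text of the actual patch.

```python
import re
from collections import defaultdict

# Sample input: the two denial records quoted in the bug description.
SAMPLE_LOG = '''\
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="wk" denied_mask="wk" fsuid=33 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
PERM_ORDER = "rwaklmx"                # order used when writing the merged set
AUDIT_TO_RULE = {"c": "w", "d": "w"}  # create/delete in logs are covered by 'w'

def parse_denials(text):
    """Return one dict of fields per apparmor="DENIED" record that names a file."""
    records = []
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            records.append(fields)
    return records

def generalize(path):
    """Collapse the random Zend semaphore suffix into the glob from the bug."""
    return re.sub(r"^(/tmp/\.ZendSem\.)[^/]+$", r"\1*", path)

def candidate_rules(text):
    """Map each profile (including its hat) to {path glob: merged permissions}."""
    merged = defaultdict(lambda: defaultdict(set))
    for rec in parse_denials(text):
        perms = {AUDIT_TO_RULE.get(c, c) for c in rec.get("denied_mask", "")}
        merged[rec["profile"]][generalize(rec["name"])].update(perms)
    return {
        profile: {path: "".join(p for p in PERM_ORDER if p in perms)
                  for path, perms in paths.items()}
        for profile, paths in merged.items()
    }

if __name__ == "__main__":
    for profile, paths in candidate_rules(SAMPLE_LOG).items():
        print(f"# denied in profile {profile}")
        for path, perms in sorted(paths.items()):
            print(f"  {path} {perms},")
```

Review any rule produced this way before adding it to a profile or abstraction, since every merged permission widens what the confined process may do.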

Christian Boltz (cboltz) wrote :

For the record: this is fixed in upstream bzr (trunk and 2.9 branch) since 2014-06-24.

Steve Beattie (sbeattie) on 2015-04-07
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Steve Beattie (sbeattie) wrote :

Here's a patch to fix this for trusty.

description: updated
Steve Beattie (sbeattie) wrote :

This was fixed in utopic in apparmor 2.8.98-0ubuntu2.

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released
Steve Beattie (sbeattie) wrote :

I have reproduced the issue with apparmor 2.8.95~2430-0ubuntu5.1 from trusty-updates, and can confirm that the version of apparmor in trusty-proposed, 2.8.95~2430-0ubuntu5.2, fixes the issue with the Zend semaphore file accesses for php scripts. Marking verification-done.

tags: added: verification-done

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
