Missing rules in php5 abstraction

Bug #1401084 reported by Jacek Nykis
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Nominated for Trusty by Steve Beattie

Bug Description

[impact]

This bug prevents the proper functioning of apache mod_php with
mod_apparmor.

[steps to reproduce]

1) set up apache and mod_php, verify php scripts are working
2) stop apache2
3) install mod_apparmor
4) restart apache2
5) with fix applied, apache should not generate rejections for /tmp/.ZendSem.*
for php scripts confined by mod_apparmor

[regression potential]

The change to the php abstraction in the patch for this bug is a
slight loosening of the apparmor policy. The risk of an introduced
regression is small.

[original description]

I am using apache mod_apparmor with a wordpress blog. In my rules I have:
#include <abstractions/php5>

But this did not allow all access that was needed:
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="wk" denied_mask="wk" fsuid=33 ouid=0

This access seems to be needed by the opcache module; I found some info about it here:
https://lists.ubuntu.com/archives/apparmor/2014-June/005879.html

Ubuntu 14.04.1
apparmor 2.8.95~2430-0ubuntu5.1
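
To triage denials like the two quoted above, this added example (not part of the bug report or of the apparmor package) parses the audit fields and groups the denied permission letters per profile and path. Collapsing the random suffix to `/tmp/.ZendSem.*` follows the glob used in the reproduction steps; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two denial lines quoted in the report, embedded so the example runs offline.
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="wk" denied_mask="wk" fsuid=33 ouid=0
"""

# key="quoted value" or key=bare_value, as in the audit messages above.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: collapse the random suffix into the glob named in the repro steps.
ZENDSEM_RE = re.compile(r"^(/tmp/\.ZendSem\.)[^/]+$")


def parse_record(line):
    """Split one audit message into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def summarize_denials(log_text):
    """Map (profile, path) to the set of permission letters that were denied."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Only DENIED file events carry a name and denied_mask worth grouping.
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        path = ZENDSEM_RE.sub(r"\1*", rec["name"])
        summary[(rec.get("profile", "?"), path)].update(rec.get("denied_mask", ""))
    return dict(summary)


if __name__ == "__main__":
    for (profile, path), perms in summarize_denials(SAMPLE_LOG).items():
        print(f"{profile}: {path} denied {''.join(sorted(perms))}")
```

The grouped result shows which permissions the confined hat lacked for the semaphore file, which is the gap the updated abstraction closes.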

Christian Boltz (cboltz) wrote :

For the record: this is fixed in upstream bzr (trunk and 2.9 branch) since 2014-06-24.

Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Steve Beattie (sbeattie) wrote :

Here's a patch to fix this for trusty.

description: updated
Steve Beattie (sbeattie) wrote :

This was fixed in utopic in apparmor 2.8.98-0ubuntu2.

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released
Steve Beattie (sbeattie) wrote :

I have reproduced the issue with apparmor 2.8.95~2430-0ubuntu5.1 from trusty-updates, and can confirm that the version of apparmor in trusty-proposed, 2.8.95~2430-0ubuntu5.2, fixes the issue with the Zend semaphore file accesses for php scripts. Marking verification-done.

tags: added: verification-done
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
