Hi!
The basic idea behind this is to get a better separation of different php
pools (so e.g. php scripts from one pool can't access the other and vice
versa).
I did a small patch (https://github.com/php/php-src/pull/343) that adds a
configuration parameter to pools (apparmor_hat). If this is set, workers of
the pool try to change the apparmor hat to the specified value.
The patch only touches fpm. The only thing that's needed is libapparmor - if it
is not there, the functionality just gets left out.
To keep things simple, this version is very coarse - meaning it is not
possible to change the hat back, or to change to a different hat according to
the executed script.
Any thoughts on this?
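The pool setting only does something if the profile confining the php-fpm master actually defines a hat with that name, so here is the profile side, as an added example that is not part of the post or the pull request. The binary path (/usr/sbin/php-fpm), the pool names (site1, site2) and the document roots are assumptions; each pool is taken to have `apparmor_hat = site1` or `apparmor_hat = site2` in its pool section.

```apparmor
# Added example, not from the patch or the php-src tree.
# Assumed layout: php-fpm master at /usr/sbin/php-fpm, pools "site1" and
# "site2" serving /var/www/site1 and /var/www/site2.
#include <tunables/global>

/usr/sbin/php-fpm {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The master process: config, logs, pid/socket files, and the privileges
  # it needs to drop to the pool user and fork workers.
  /etc/php/** r,
  /usr/lib/php/** mr,
  /var/log/php-fpm.log w,
  /run/php/php-fpm.pid rw,
  /run/php/*.sock rw,
  capability setuid,
  capability setgid,
  capability chown,
  capability kill,

  # Hats are separate subprofiles, not inherited from the parent, so each one
  # restates everything a worker needs. A worker that switched into the hat
  # with a zero magic token (the "cannot change back" behaviour described
  # above) stays confined here for its lifetime.
  ^site1 {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    /usr/lib/php/** mr,
    /etc/php/** r,
    /var/www/site1/** r,
    /var/www/site1/uploads/** rw,
    /tmp/site1/** rw,
    /run/php/site1.sock rw,
    # Default-deny already covers this; the explicit audit rule makes a
    # cross-pool access attempt show up in the audit log rather than silently.
    audit deny /var/www/site2/** rw,
  }

  ^site2 {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    /usr/lib/php/** mr,
    /etc/php/** r,
    /var/www/site2/** r,
    /var/www/site2/uploads/** rw,
    /tmp/site2/** rw,
    /run/php/site2.sock rw,
    audit deny /var/www/site1/** rw,
  }
}
```

After loading it with `apparmor_parser -r`, `aa-status` should list the hats as `/usr/sbin/php-fpm//site1` and `/usr/sbin/php-fpm//site2`; if a hat name in the pool config does not match one of these, the change_hat call in the worker fails and the pool is not separated.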