Accepting request 999414 from security:apparmor

- add profiles-permit-php-fpm-pid-files-directly-under-run.patch https://gitlab.com/apparmor/apparmor/-/merge_requests/914 (bsc#1202344) (forwarded request 999408 from dmdiss) OBS-URL: https://build.opensuse.org/request/show/999414 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=180
2022-08-27 09:48:21 +00:00 · 2022-08-27 09:48:21 +00:00 · fbddff842d
commit fbddff842d
parent 9659838e55 65d1693eee
3 changed files with 49 additions and 0 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Aug 26 11:37:21 UTC 2022 - David Disseldorp <ddiss@suse.com>
+
+- add profiles-permit-php-fpm-pid-files-directly-under-run.patch
+  https://gitlab.com/apparmor/apparmor/-/merge_requests/914 (bsc#1202344)
+
 -------------------------------------------------------------------
 Mon Aug  8 18:51:26 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -86,6 +86,9 @@ Patch9:         zgrep-profile-mr870.diff
 # add missing r permissions for dnsmasc//libvirt-leaseshelper (submitted upstream 2022-08-08 https://gitlab.com/apparmor/apparmor/-/merge_requests/905)
 Patch10:        dnsmasq.diff

+# permit php-fpm pid files under run (merged upstream 2022-08-26 https://gitlab.com/apparmor/apparmor/-/merge_requests/914)
+Patch11:        profiles-permit-php-fpm-pid-files-directly-under-run.patch
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@ -353,6 +356,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch6
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1

 %build
 export SUSE_ASNEEDED=0
--- a/profiles-permit-php-fpm-pid-files-directly-under-run.patch
+++ b/profiles-permit-php-fpm-pid-files-directly-under-run.patch
@ -0,0 +1,39 @@
+From d8533ec851ccf188b17136fdab67d0481cae357d Mon Sep 17 00:00:00 2001
+From: David Disseldorp <ddiss@suse.de>
+Date: Thu, 25 Aug 2022 23:44:16 +0200
+Subject: [PATCH] profiles: permit php-fpm pid files directly under run/
+
+The upstream php-fpm.conf file carries the following pid file example
+path:
+  [global]
+  ; Pid file
+  ; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@
+  ; Default Value: none
+  ;pid = run/php-fpm.pid
+
+Add this path to profiles/apparmor.d/php-fpm, alongside the current
+nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard.
+
+Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
+
+Suggested-by: Ali Abdallah <ali.abdallah@suse.com>
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+---
+ profiles/apparmor.d/php-fpm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm
+index 14b3c719..0dcc8c7d 100644
+--- a/profiles/apparmor.d/php-fpm
+++ b/profiles/apparmor.d/php-fpm
+@@ -35,6 +35,7 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
+ 
+   # we need to be able to create all sockets
+   @{run}/php{,-fpm}/php*-fpm.pid rw,
+  @{run}/php*-fpm.pid rw,
+   @{run}/php{,-fpm}/php*-fpm.sock rwlk,
+ 
+   # to reload
+-- 
+2.35.3
+