Allow reading all of /etc/php[578]/** in abstractions/php

... and with that, make a rule in the php-fpm profile (which missed php8) superfluous. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/229 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11
2025-08-30 22:05:27 +00:00 · 2022-04-18 20:49:22 +02:00
parent 69302067b0
commit c946f0bf75
2 changed files with 1 additions and 4 deletions
--- a/profiles/apparmor.d/abstractions/php
+++ b/profiles/apparmor.d/abstractions/php
@@ -13,8 +13,7 @@
  abi <abi/3.0>,

  # shared snippets for config files
-  /etc/php{,5,7,8}/**/ r,
-  /etc/php{,5,7,8}/**.ini r,
+  /etc/php{,5,7,8}/** r,

  # Xlibs
  /usr/X11R6/lib{,32,64}/lib*.so* mr,
--- a/profiles/apparmor.d/php-fpm
+++ b/profiles/apparmor.d/php-fpm
@@ -16,8 +16,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
  # read the system certificates
  include <abstractions/ssl_certs>

-  /etc/php{,5,7}/** r,
-
  capability net_admin,
  # change user/group of a pool
  capability setuid,