[apparmor] PHP abstraction and PHP 7

[Christian Boltz]

Hello,

with PHP 7, we'll need to update our PHP abstraction because the paths 
changed from .../php5/... to .../php7/...

Now the interesting questions are:
- should php7 get its own abstraction, or should we modify the existing 
  one?
- if 'modify', who will explain our users that abstractions/php5 is 
  needed for php7? ;-)

Opinions?

I tend to prefer one abstraction for all PHP versions, but the existing 
abstractions/php5 isn't the best filename for that ;-)


Another detail I just noticed is that it might be possible to split the 
PHP permissions for
a) apache hats - it looks like access for the session  storage might be 
   enough (no need for the *.so or /etc/php7/ [1])
b) the apache main process (which needs all of the PHP abstraction)

Personally, I'm using separate directories for sessions in each vhost, 
so a "php-session" abstraction won't be too useful for me. For people 
using /var/lib/php[57]/ for all vhost's sessions, it might still be a 
good idea (and could prevent allowing all of abstractions/php5 in the 
vhost hats).


Regards,

Christian Boltz

[1] that's also true for PHP5 - the apache vhost hats only need to read
    and write the session storage (/var/lib/php5/sess_*)
-- 
...Schweißausbruch, die Cracks fangen an zu antworten ;-)
[Michael Hablitzel zu David Haller in suse-linux]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160928/02d9d4ff/attachment.pgp>