AppArmor configuration for nginx and php-fpm
AppArmor is the default MAC module on Ubuntu. Unlike DAC in Un*x, an AppArmor config lists what a process can access. An enforced process can only access listed paths; a complaining process emits warnings when accessing unlisted files.
However, there is no default config for nginx and php-fpm.
To prevent the webserver from being hacked, causing systemic infection, let’s
write configs on our own! The useful tool aa-genprof gets most of the jobs
done, but some paths, especially sockets, are still missing. Therefore, I
publish my settings as a reference.
- Document roots are at /srv/www/*/.
- I prefer Unix domain sockets to [TCP sockets].
The following is my config for nginx.
#include <tunables/global>
/usr/sbin/nginx {
#include <abstractions/apache2-common>
#include <abstractions/base>
#include <abstractions/nis>
capability dac_override,
capability net_bind_service,
capability setgid,
capability setuid,
/etc/nginx/** r,
/etc/ssl/openssl.cnf r,
/proc/*/auxv r,
/run/nginx.pid rw,
/run/nginx.pid.oldbin w,
/run/php5-fpm.sock rw,
/srv/www/** r,
/usr/sbin/nginx mr,
/var/log/nginx/* w,
}
The following is my config for php-fpm.
#include <tunables/global>
/usr/sbin/php5-fpm {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/php5>
capability kill,
capability setgid,
capability setuid,
/etc/php5/** r,
/proc/*/auxv r,
/proc/sys/kernel/ngroups_max r,
/run/mysqld/mysqld.sock rw,
/run/php5-fpm.pid rw,
/run/php5-fpm.sock w,
/srv/www/** r,
/srv/www/html/wp-content/** rw,
/srv/www/html/wp-content/cache/** rwk,
/srv/www/magento/media/** rw,
/srv/www/magento/var/** rwk,
/tmp/ r,
/tmp/** rwk,
/usr/sbin/php5-fpm mrix,
/var/log/php5-fpm.log* w,
}