Taipei Forcing Club

Computer science and contract bridge

Category: Linux

AppArmor configuration for nginx and php-fpm

AppArmor is the default MAC module on Ubuntu. Unlike DAC in Un*x, an AppArmor config lists what a process can access. An enforced process can only access listed paths; a complaining process emits warnings when accessing unlisted files.

However, there is no default config for nginx and php-fpm. To prevent the webserver from being hacked, causing systemic infection, let’s write configs on our own! The useful tool aa-genprof gets most of the jobs done, but some paths, especially sockets, are still missing. Therefore, I publish my settings as a reference.

The following is my config for nginx.

#include <tunables/global>

/usr/sbin/nginx {
	#include <abstractions/apache2-common>
	#include <abstractions/base>
	#include <abstractions/nis>

	capability dac_override,
	capability net_bind_service,
	capability setgid,
	capability setuid,

	/etc/nginx/** r,
	/etc/ssl/openssl.cnf r,
	/proc/*/auxv r,
	/run/nginx.pid rw,
	/run/nginx.pid.oldbin w,
	/run/php5-fpm.sock rw,
	/srv/www/** r,
	/usr/sbin/nginx mr,
	/var/log/nginx/* w,
}

The following is my config for php-fpm.

#include <tunables/global>

/usr/sbin/php5-fpm {
	#include <abstractions/base>
	#include <abstractions/nameservice>
	#include <abstractions/php5>

	capability kill,
	capability setgid,
	capability setuid,

	/etc/php5/** r,
	/proc/*/auxv r,
	/proc/sys/kernel/ngroups_max r,
	/run/mysqld/mysqld.sock rw,
	/run/php5-fpm.pid rw,
	/run/php5-fpm.sock w,
	/srv/www/** r,
	/srv/www/html/wp-content/** rw,
	/srv/www/html/wp-content/cache/** rwk,
	/srv/www/magento/media/** rw,
	/srv/www/magento/var/** rwk,
	/tmp/ r,
	/tmp/** rwk,
	/usr/sbin/php5-fpm mrix,
	/var/log/php5-fpm.log* w,
}