author Stefan Bühler <stbuehler@web.de> 2014-06-05 11:14:12 +0000
committer Stefan Bühler <stbuehler@web.de> 2014-06-05 11:14:12 +0000
commit 228420c2a447daacb730f92f38a375b186e0d103
tree e2e059f74dae30be424abc425c049448792b4b36
parent 2ee3dd6d1c1672f84731d29aa252c55b574820da
Add workaround for AppArmor bug with relocated binaries
From: Stefan Bühler <stbuehler@web.de>

git-svn-id: svn://svn.lighttpd.net/spawn-fcgi/trunk@72 4a9f3682-ca7b-49a8-9a55-ba4640e46f83

-rw-r--r-- doc/apparmor.d-abstractions-spawn-fcgi 7
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/apparmor.d-abstractions-spawn-fcgi b/doc/apparmor.d-abstractions-spawn-fcgi
index eda3594..3011426 100644
--- a/doc/apparmor.d-abstractions-spawn-fcgi
+++ b/doc/apparmor.d-abstractions-spawn-fcgi
@@ -41,4 +41,11 @@ network inet6 stream,
network inet dgram,
network inet6 dgram,
+# if the binary is compiled with hardening options it might try to make a
+# previously writable mmapped area readonly (RELRO, mprotect PROT_READ), which
+# requires additional permissions in AppArmor.
+# more permissions -> more secure, obviously.
+# again match standard location + debian alternatives:
+/usr/bin/spawn-fcgi* r,
+
/{,var/}run/*.sock rw,
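Review bot: The added comment block does not identify the AppArmor bug it works around, and its fourth line ("more permissions -> more secure, obviously.") is sarcasm that a later reader of the abstraction could take at face value. Please replace that line with a plain statement that this rule is a workaround, and add a reference (bug link or affected AppArmor version) so it is clear when the rule can be dropped. The comment also says the mprotect to PROT_READ "requires additional permissions" without saying why read access to the binary's own path is the permission needed; one sentence on that would help anyone auditing the profile. Finally, the glob in `/usr/bin/spawn-fcgi* r,` matches every file in /usr/bin whose name starts with spawn-fcgi, which is wider than "standard location + debian alternatives" strictly needs. Since it grants only `r` the exposure is small, but if the alternative names are known, listing them explicitly would keep the abstraction closer to least privilege.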