sapi/fpm/config.m4: add a new --with-fpm-apparmor configure flag.

orlitzky · bukka · commit 40cdc5f29800 · 2020-06-21T17:08:40.000+01:00
The existing AC_FPM_APPARMOR macro (which is always run when FPM is enabled) checks for the existence of libapparmor, and adds it to $LIBS if found. The result is an "automagic" dependency on libapparmor that depends not only on the user's configuration, but also on the build host's environment. In particular, this can cause problems if the user just happens to have libapparmor installed (for testing or development) when he builds PHP. Later, he may remove libapparmor, not realizing that PHP depends on it. At that point, FPM will cease to work due to the missing library. This commit adds a new configure flag called "--with-fpm-apparmor", defaulting to "no", that enables or disables the feature. The new flag is used to signal the user's intent; whether or not he wants to use AppArmor. If he does, then we still check for the existence and usability of libapparmor; however, it is now an error for the library to be missing when --with-fpm-apparmor is requested. Gentoo-bug: https://bugs.gentoo.org/637402 PHP-bug: https://bugs.php.net/bug.php?id=75519
diff --git a/sapi/fpm/config.m4 b/sapi/fpm/config.m4
@@ -488,22 +488,6 @@ AC_DEFUN([AC_FPM_SELECT],
 	])
 ])
 
-AC_DEFUN([AC_FPM_APPARMOR],
-[
-	AC_MSG_CHECKING([for apparmor])
-
-	SAVED_LIBS="$LIBS"
-	LIBS="$LIBS -lapparmor"
-
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/apparmor.h>]], [[change_hat("test", 0);]])], [
-		AC_DEFINE([HAVE_APPARMOR], 1, [do we have apparmor support?])
-		AC_MSG_RESULT([yes])
-	], [
-		LIBS="$SAVED_LIBS"
-		AC_MSG_RESULT([no])
-	])
-])
-
 AC_MSG_CHECKING(for FPM build)
 if test "$PHP_FPM" != "no"; then
   AC_MSG_RESULT($PHP_FPM)
@@ -521,7 +505,6 @@ if test "$PHP_FPM" != "no"; then
   AC_FPM_DEVPOLL
   AC_FPM_EPOLL
   AC_FPM_SELECT
-  AC_FPM_APPARMOR
 
   PHP_ARG_WITH([fpm-user],,
     [AS_HELP_STRING([[--with-fpm-user[=USER]]],
@@ -548,6 +531,12 @@ if test "$PHP_FPM" != "no"; then
     [no],
     [no])
 
+  PHP_ARG_WITH([fpm-apparmor],,
+    [AS_HELP_STRING([--with-fpm-apparmor],
+      [Support AppArmor confinement through libapparmor])],
+    [no],
+    [no])
+
   if test "$PHP_FPM_SYSTEMD" != "no" ; then
     PKG_CHECK_MODULES([SYSTEMD], [libsystemd >= 209])
 
@@ -580,6 +569,16 @@ if test "$PHP_FPM" != "no"; then
     ])
   fi
 
+  if test "x$PHP_FPM_APPARMOR" != "xno" ; then
+    AC_CHECK_HEADERS([sys/apparmor.h])
+    AC_CHECK_LIB(apparmor, change_hat, [
+      PHP_ADD_LIBRARY(apparmor)
+      AC_DEFINE(HAVE_APPARMOR, 1, [ AppArmor confinement available ])
+    ],[
+      AC_MSG_ERROR(libapparmor required but not found)
+    ])
+  fi
+
   PHP_SUBST_OLD(php_fpm_systemd)
   AC_DEFINE_UNQUOTED(PHP_FPM_SYSTEMD, "$php_fpm_systemd", [fpm systemd service type])
 
