-rw-r--r--.gitignore8
-rw-r--r--Makefile4
-rw-r--r--PHPINFO4
-rw-r--r--REFLECTION31
-rw-r--r--php-pecl-sandbox.spec193
5 files changed, 240 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fc9aa8c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,8 @@
+clog
+package-*.xml
+*.tgz
+*.tar.gz
+*.tar.xz
+*.tar.xz.asc
+*.src.rpm
+*/*rpm
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..13af741
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+SRCDIR := $(shell pwd)
+NAME := $(shell basename $(SRCDIR))
+include ../../../common/Makefile
+
diff --git a/PHPINFO b/PHPINFO
new file mode 100644
index 0000000..3f8a10a
--- /dev/null
+++ b/PHPINFO
@@ -0,0 +1,4 @@
+
+sandbox
+
+sandbox support => enabled
diff --git a/REFLECTION b/REFLECTION
new file mode 100644
index 0000000..dd06604
--- /dev/null
+++ b/REFLECTION
@@ -0,0 +1,31 @@
+Extension [ <persistent> extension #141 sandbox version 0.1.1 ] {
+
+ - Classes [1] {
+ Class [ <internal:sandbox> class sandbox\Runtime ] {
+
+ - Constants [0] {
+ }
+
+ - Static properties [0] {
+ }
+
+ - Static methods [0] {
+ }
+
+ - Properties [0] {
+ }
+
+ - Methods [3] {
+ Method [ <internal:sandbox, ctor> public method __construct ] {
+ }
+
+ Method [ <internal:sandbox> public method enter ] {
+ }
+
+ Method [ <internal:sandbox> public method close ] {
+ }
+ }
+ }
+ }
+}
+
diff --git a/php-pecl-sandbox.spec b/php-pecl-sandbox.spec
new file mode 100644
index 0000000..9e61029
--- /dev/null
+++ b/php-pecl-sandbox.spec
@@ -0,0 +1,193 @@
+# remirepo spec file for php-pecl-sandbox
+#
+# Copyright (c) 2019 Remi Collet
+# License: CC-BY-SA
+# http://creativecommons.org/licenses/by-sa/4.0/
+#
+# Please, preserve the changelog entries
+#
+%{?scl: %scl_package php-pecl-pthreads}
+
+%global pecl_name sandbox
+%global ini_name 40-%{pecl_name}.ini
+
+Summary: Isolated environment
+Name: %{?scl_prefix}php-pecl-%{pecl_name}
+Version: 0.1.1
+Release: 0%{?dist}%{!?scl:%{!?nophptag:%(%{__php} -r 'echo ".".PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')}}
+License: PHP
+URL: http://pecl.php.net/package/%{pecl_name}
+Source0: http://pecl.php.net/get/%%{pecl_name}-%{version}.tgz
+
+BuildRequires: %{?scl_prefix}php-zts-devel > 7.1
+BuildRequires: %{?scl_prefix}php-pear
+
+Requires: %{?scl_prefix}php(zend-abi) = %{php_zend_api}
+Requires: %{?scl_prefix}php(api) = %{php_core_api}
+%{?_sclreq:Requires: %{?scl_prefix}runtime%{?_sclreq}%{?_isa}}
+
+Provides: %{?scl_prefix}php-%{pecl_name} = %{version}
+Provides: %{?scl_prefix}php-%{pecl_name}%{?_isa} = %{version}
+Provides: %{?scl_prefix}php-pecl(%{pecl_name}) = %{version}
+Provides: %{?scl_prefix}php-pecl(%{pecl_name})%{?_isa} = %{version}
+Provides: %{?scl_prefix}php-pecl-%{pecl_name} = %{version}-%{release}
+Provides: %{?scl_prefix}php-pecl-%{pecl_name}%{?_isa} = %{version}-%{release}
+
+%if "%{?vendor}" == "Remi Collet" && 0%{!?scl:1} && 0%{?rhel}
+# Other third party repo stuff
+Obsoletes: php71u-pecl-%{pecl_name} <= %{version}
+Obsoletes: php71w-pecl-%{pecl_name} <= %{version}
+%if "%{php_version}" > "7.2"
+Obsoletes: php72u-pecl-%{pecl_name} <= %{version}
+Obsoletes: php72w-pecl-%{pecl_name} <= %{version}
+%endif
+%if "%{php_version}" > "7.3"
+Obsoletes: php73u-pecl-%{pecl_name} <= %{version}
+Obsoletes: php73w-pecl-%{pecl_name} <= %{version}
+%endif
+%endif
+
+%if 0%{?fedora} < 20 && 0%{?rhel} < 7
+# Filter shared private
+%{?filter_provides_in: %filter_provides_in %{_libdir}/.*\.so$}
+%{?filter_setup}
+%endif
+
+
+%description
+A sandbox is an isolated environment (a thread in our case); Things may go very
+badly wrong in the sandbox environment and not effect the environment that
+created it. This means that we must try very hard to limit the influence each
+environment has on the other. So the prototype and instructions of entry point
+"Closures" are verified to ensure they will not reduce or break isolation.
+
+In practice this means entry point closures must not:
+
+* accept or return by reference
+* accept or return non-scalar values (array, object)
+* execute a limited set of instructions
+
+Instructions prohibited directly in the sandbox are:
+
+ * declare (anonymous) function
+ * declare (anonymous) class
+ * lexical scope access
+
+Nothing is prohibited in the files which the sandbox may include, but allowing
+these actions directly in the code which the sandbox executes at entry would
+break the isolation of the sandbox such that we couldn't be sure the system
+would remain stable.
+
+With these restrictions in place, we can be sure that a sandbox may do anything
+up to but excluding making PHP segfault, and not effect the environment that
+created it.
+
+This extension is only available for PHP in ZTS mode.
+
+Package built for PHP %(%{__php} -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')%{?scl: as Software Collection (%{scl} by %{?scl_vendor}%{!?scl_vendor:rh})}.
+
+
+%prep
+%setup -q -c
+
+# Don't install/register tests
+sed -e 's/role="test"/role="src"/' \
+ %{?_licensedir:-e '/LICENSE/s/role="doc"/role="src"/' } \
+ -i package.xml
+
+cd %{pecl_name}-%{version}
+
+# Sanity check, really often broken
+extver=$(sed -n '/define PHP_SANDBOX_VERSION/{s/.* "//;s/".*$//;p}' php_sandbox.h)
+if test "x${extver}" != "x%{version}"; then
+ : Error: Upstream extension version is ${extver}, expecting %{version}.
+ exit 1
+fi
+cd ..
+
+# Create configuration file
+cat << 'EOF' | tee %{ini_name}
+; Enable "%{summary}" extension module
+extension=%{pecl_name}.so
+EOF
+
+
+%build
+%{?dtsenable}
+
+cd %{pecl_name}-%{version}
+%{_bindir}/zts-phpize
+%configure \
+ --enable-sandbox \
+ --with-php-config=%{_bindir}/zts-php-config
+make %{?_smp_mflags}
+
+
+%install
+%{?dtsenable}
+
+make -C %{pecl_name}-%{version} install INSTALL_ROOT=%{buildroot}
+
+# install config file
+install -D -m 644 %{ini_name} %{buildroot}%{php_ztsinidir}/%{ini_name}
+
+# Install XML package description
+install -D -m 644 package.xml %{buildroot}%{pecl_xmldir}/%{name}.xml
+
+# Documentation
+cd %{pecl_name}-%{version}
+for i in $(grep 'role="doc"' ../package.xml | sed -e 's/^.*name="//;s/".*$//')
+do sed -e 's/\r//' -i $i
+ install -Dpm 644 $i %{buildroot}%{pecl_docdir}/%{pecl_name}/$i
+done
+
+
+%if 0%{?fedora} < 24 && 0%{?rhel} < 8
+# when pear installed alone, after us
+%triggerin -- %{?scl_prefix}php-pear
+if [ -x %{__pecl} ] ; then
+ %{pecl_install} %{pecl_xmldir}/%{name}.xml >/dev/null || :
+fi
+
+# posttrans as pear can be installed after us
+%posttrans
+if [ -x %{__pecl} ] ; then
+ %{pecl_install} %{pecl_xmldir}/%{name}.xml >/dev/null || :
+fi
+
+%postun
+if [ $1 -eq 0 -a -x %{__pecl} ] ; then
+ %{pecl_uninstall} %{pecl_name} >/dev/null || :
+fi
+%endif
+
+
+%check
+cd %{pecl_name}-%{version}
+
+: Minimal load test for ZTS extension
+%{__ztsphp} --no-php-ini \
+ --define extension=%{buildroot}%{php_ztsextdir}/%{pecl_name}.so \
+ --modules | grep %{pecl_name}
+
+: Upstream test suite for ZTS extension
+TEST_PHP_EXECUTABLE=%{_bindir}/zts-php \
+TEST_PHP_ARGS="-n -d extension=$PWD/modules/%{pecl_name}.so" \
+SKIP_ONLINE_TESTS=1 \
+NO_INTERACTION=1 \
+REPORT_EXIT_STATUS=1 \
+%{_bindir}/zts-php -n run-tests.php --show-diff
+
+
+%files
+%{?_licensedir:%license %{pecl_name}-%{version}/LICENSE}
+%doc %{pecl_docdir}/%{pecl_name}
+%{pecl_xmldir}/%{name}.xml
+
+%config(noreplace) %{php_ztsinidir}/%{ini_name}
+%{php_ztsextdir}/%{pecl_name}.so
+
+
+%changelog
+* Thu Jan 10 2019 Remi Collet <remi@remirepo.Net> - 0.1.1-0
+- initial package, version 0.0.45 (beta), test build
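Review bot: `Source0` is fetched over plain `http://`, and its `%%{pecl_name}` is an escaped percent, so the URL appears to expand to a literal `%{pecl_name}-0.1.1.tgz` instead of the sandbox tarball; I would write `Source0: https://pecl.php.net/get/%{pecl_name}-%{version}.tgz`. Nothing in the visible spec verifies the downloaded tarball, so unless the included common Makefile pins a checksum (not visible here), the integrity of the source rests on the transport alone. The first macro line still reads `%scl_package php-pecl-pthreads`, which looks like a leftover from the pthreads spec and should be `%{?scl: %scl_package php-pecl-sandbox}`. The changelog entry also says "version 0.0.45 (beta)" while `Version:` is 0.1.1, so one of the two needs correcting.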