-rw-r--r-- | .gitignore | 8 | ||||
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | PHPINFO | 4 | ||||
-rw-r--r-- | REFLECTION | 31 | ||||
-rw-r--r-- | php-pecl-sandbox.spec | 193 |
5 files changed, 240 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fc9aa8c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,8 @@
+clog
+package-*.xml
+*.tgz
+*.tar.gz
+*.tar.xz
+*.tar.xz.asc
+*.src.rpm
+*/*rpm
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..13af741
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+SRCDIR := $(shell pwd)
+NAME := $(shell basename $(SRCDIR))
+include ../../../common/Makefile
+
@@ -0,0 +1,4 @@
+
+sandbox
+
+sandbox support => enabled
diff --git a/REFLECTION b/REFLECTION
new file mode 100644
index 0000000..dd06604
--- /dev/null
+++ b/REFLECTION
@@ -0,0 +1,31 @@
+Extension [ <persistent> extension #141 sandbox version 0.1.1 ] {
+
+ - Classes [1] {
+ Class [ <internal:sandbox> class sandbox\Runtime ] {
+
+ - Constants [0] {
+ }
+
+ - Static properties [0] {
+ }
+
+ - Static methods [0] {
+ }
+
+ - Properties [0] {
+ }
+
+ - Methods [3] {
+ Method [ <internal:sandbox, ctor> public method __construct ] {
+ }
+
+ Method [ <internal:sandbox> public method enter ] {
+ }
+
+ Method [ <internal:sandbox> public method close ] {
+ }
+ }
+ }
+ }
+}
+
diff --git a/php-pecl-sandbox.spec b/php-pecl-sandbox.spec
new file mode 100644
index 0000000..9e61029
--- /dev/null
+++ b/php-pecl-sandbox.spec
@@ -0,0 +1,193 @@
+# remirepo spec file for php-pecl-sandbox
+#
+# Copyright (c) 2019 Remi Collet
+# License: CC-BY-SA
+# http://creativecommons.org/licenses/by-sa/4.0/
+#
+# Please, preserve the changelog entries
+#
+%{?scl: %scl_package php-pecl-pthreads}
+
+%global pecl_name sandbox
+%global ini_name 40-%{pecl_name}.ini
+
+Summary: Isolated environment
+Name: %{?scl_prefix}php-pecl-%{pecl_name}
+Version: 0.1.1
+Release: 0%{?dist}%{!?scl:%{!?nophptag:%(%{__php} -r 'echo ".".PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')}}
+License: PHP
+URL: http://pecl.php.net/package/%{pecl_name}
+Source0: http://pecl.php.net/get/%%{pecl_name}-%{version}.tgz
+
+BuildRequires: %{?scl_prefix}php-zts-devel > 7.1
+BuildRequires: %{?scl_prefix}php-pear
+
+Requires: %{?scl_prefix}php(zend-abi) = %{php_zend_api}
+Requires: %{?scl_prefix}php(api) = %{php_core_api}
+%{?_sclreq:Requires: %{?scl_prefix}runtime%{?_sclreq}%{?_isa}}
+
+Provides: %{?scl_prefix}php-%{pecl_name} = %{version}
+Provides: %{?scl_prefix}php-%{pecl_name}%{?_isa} = %{version}
+Provides: %{?scl_prefix}php-pecl(%{pecl_name}) = %{version}
+Provides: %{?scl_prefix}php-pecl(%{pecl_name})%{?_isa} = %{version}
+Provides: %{?scl_prefix}php-pecl-%{pecl_name} = %{version}-%{release}
+Provides: %{?scl_prefix}php-pecl-%{pecl_name}%{?_isa} = %{version}-%{release}
+
+%if "%{?vendor}" == "Remi Collet" && 0%{!?scl:1} && 0%{?rhel}
+# Other third party repo stuff
+Obsoletes: php71u-pecl-%{pecl_name} <= %{version}
+Obsoletes: php71w-pecl-%{pecl_name} <= %{version}
+%if "%{php_version}" > "7.2"
+Obsoletes: php72u-pecl-%{pecl_name} <= %{version}
+Obsoletes: php72w-pecl-%{pecl_name} <= %{version}
+%endif
+%if "%{php_version}" > "7.3"
+Obsoletes: php73u-pecl-%{pecl_name} <= %{version}
+Obsoletes: php73w-pecl-%{pecl_name} <= %{version}
+%endif
+%endif
+
+%if 0%{?fedora} < 20 && 0%{?rhel} < 7
+# Filter shared private
+%{?filter_provides_in: %filter_provides_in %{_libdir}/.*\.so$}
+%{?filter_setup}
+%endif
+
+
+%description
+A sandbox is an isolated environment (a thread in our case); Things may go very
+badly wrong in the sandbox environment and not effect the environment that
+created it. This means that we must try very hard to limit the influence each
+environment has on the other. So the prototype and instructions of entry point
+"Closures" are verified to ensure they will not reduce or break isolation.
+
+In practice this means entry point closures must not:
+
+* accept or return by reference
+* accept or return non-scalar values (array, object)
+* execute a limited set of instructions
+
+Instructions prohibited directly in the sandbox are:
+
+ * declare (anonymous) function
+ * declare (anonymous) class
+ * lexical scope access
+
+Nothing is prohibited in the files which the sandbox may include, but allowing
+these actions directly in the code which the sandbox executes at entry would
+break the isolation of the sandbox such that we couldn't be sure the system
+would remain stable.
+
+With these restrictions in place, we can be sure that a sandbox may do anything
+up to but excluding making PHP segfault, and not effect the environment that
+created it.
+
+This extension is only available for PHP in ZTS mode.
+
+Package built for PHP %(%{__php} -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')%{?scl: as Software Collection (%{scl} by %{?scl_vendor}%{!?scl_vendor:rh})}.
+
+
+%prep
+%setup -q -c
+
+# Don't install/register tests
+sed -e 's/role="test"/role="src"/' \
+ %{?_licensedir:-e '/LICENSE/s/role="doc"/role="src"/' } \
+ -i package.xml
+
+cd %{pecl_name}-%{version}
+
+# Sanity check, really often broken
+extver=$(sed -n '/define PHP_SANDBOX_VERSION/{s/.* "//;s/".*$//;p}' php_sandbox.h)
+if test "x${extver}" != "x%{version}"; then
+ : Error: Upstream extension version is ${extver}, expecting %{version}.
+ exit 1
+fi
+cd ..
+
+# Create configuration file
+cat << 'EOF' | tee %{ini_name}
+; Enable "%{summary}" extension module
+extension=%{pecl_name}.so
+EOF
+
+
+%build
+%{?dtsenable}
+
+cd %{pecl_name}-%{version}
+%{_bindir}/zts-phpize
+%configure \
+ --enable-sandbox \
+ --with-php-config=%{_bindir}/zts-php-config
+make %{?_smp_mflags}
+
+
+%install
+%{?dtsenable}
+
+make -C %{pecl_name}-%{version} install INSTALL_ROOT=%{buildroot}
+
+# install config file
+install -D -m 644 %{ini_name} %{buildroot}%{php_ztsinidir}/%{ini_name}
+
+# Install XML package description
+install -D -m 644 package.xml %{buildroot}%{pecl_xmldir}/%{name}.xml
+
+# Documentation
+cd %{pecl_name}-%{version}
+for i in $(grep 'role="doc"' ../package.xml | sed -e 's/^.*name="//;s/".*$//')
+do sed -e 's/\r//' -i $i
+ install -Dpm 644 $i %{buildroot}%{pecl_docdir}/%{pecl_name}/$i
+done
+
+
+%if 0%{?fedora} < 24 && 0%{?rhel} < 8
+# when pear installed alone, after us
+%triggerin -- %{?scl_prefix}php-pear
+if [ -x %{__pecl} ] ; then
+ %{pecl_install} %{pecl_xmldir}/%{name}.xml >/dev/null || :
+fi
+
+# posttrans as pear can be installed after us
+%posttrans
+if [ -x %{__pecl} ] ; then
+ %{pecl_install} %{pecl_xmldir}/%{name}.xml >/dev/null || :
+fi
+
+%postun
+if [ $1 -eq 0 -a -x %{__pecl} ] ; then
+ %{pecl_uninstall} %{pecl_name} >/dev/null || :
+fi
+%endif
+
+
+%check
+cd %{pecl_name}-%{version}
+
+: Minimal load test for ZTS extension
+%{__ztsphp} --no-php-ini \
+ --define extension=%{buildroot}%{php_ztsextdir}/%{pecl_name}.so \
+ --modules | grep %{pecl_name}
+
+: Upstream test suite for ZTS extension
+TEST_PHP_EXECUTABLE=%{_bindir}/zts-php \
+TEST_PHP_ARGS="-n -d extension=$PWD/modules/%{pecl_name}.so" \
+SKIP_ONLINE_TESTS=1 \
+NO_INTERACTION=1 \
+REPORT_EXIT_STATUS=1 \
+%{_bindir}/zts-php -n run-tests.php --show-diff
+
+
+%files
+%{?_licensedir:%license %{pecl_name}-%{version}/LICENSE}
+%doc %{pecl_docdir}/%{pecl_name}
+%{pecl_xmldir}/%{name}.xml
+
+%config(noreplace) %{php_ztsinidir}/%{ini_name}
+%{php_ztsextdir}/%{pecl_name}.so
+
+
+%changelog
+* Thu Jan 10 2019 Remi Collet <remi@remirepo.Net> - 0.1.1-0
+- initial package, version 0.0.45 (beta), test build |
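Review bot: The SCL guard near the top of the spec registers the package under the wrong name: `%{?scl: %scl_package php-pecl-pthreads}` looks copied from the pthreads spec and should read `%{?scl: %scl_package php-pecl-sandbox}`, otherwise a Software Collection build is named and tracked as pthreads rather than sandbox. The changelog entry also disagrees with the header: the spec declares `Version: 0.1.1` while the entry says `- initial package, version 0.0.45 (beta), test build`, so one of the two should be corrected before this is published. Unless the doubled percent is an artifact of how the page was captured, `Source0: http://pecl.php.net/get/%%{pecl_name}-%{version}.tgz` escapes the macro instead of expanding it, leaving `%setup` to look for a literally named tarball; `%{pecl_name}` is what every other line uses. Keeping the name, version and source URL consistent matters here because the Release tag and the Provides/Obsoletes lines are all derived from them.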