From 0e40a793f2452276bf18ed70d6206898d620c13f Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Fri, 25 Oct 2019 12:07:15 +0200
Subject: add SELinux example (wip)

---
 README              |  2 +-
 preload-selinux.h   | 11 +++++++++++
 preload-selinux.inc | 45 +++++++++++++++++++++++++++++++++++++++++++++
 selinux.php         | 28 ++++++++++++++++++++++++++++
 4 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 preload-selinux.h
 create mode 100644 preload-selinux.inc
 create mode 100644 selinux.php

diff --git a/README b/README
index 4deff80..5b7a7d1 100644
--- a/README
+++ b/README
@@ -38,7 +38,7 @@ http://creativecommons.org/licenses/by-sa/4.0/
 
 
 
-Needed copnfiguration:
+Needed configuration:
 
 	opcache.enable=1
 	opcache.enable_cli=1
diff --git a/preload-selinux.h b/preload-selinux.h
new file mode 100644
index 0000000..5d24b3f
--- /dev/null
+++ b/preload-selinux.h
@@ -0,0 +1,11 @@
+#define FFI_SCOPE "_REMI_SELINUX_"
+#define FFI_LIB   "libselinux.so.1"
+
+/* Copy/paste from selinux/*.h */
+
+/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
+extern int is_selinux_enabled(void);
+
+/* Get the enforce flag value. */
+extern int security_getenforce(void);
+
diff --git a/preload-selinux.inc b/preload-selinux.inc
new file mode 100644
index 0000000..cc09581
--- /dev/null
+++ b/preload-selinux.inc
@@ -0,0 +1,45 @@
+<?php
+/** 
+ * ZSTD compressor using FFI and libselinux
+ * PoC, only for documentation purpose
+ *
+ * Copyright (c) 2019 Remi Collet
+ * License: CC-BY-SA
+ * http://creativecommons.org/licenses/by-sa/4.0/
+ */
+namespace Remi;
+
+class SELinux {
+	static private $ffi = null;
+
+	private static function init() {
+		if (self::$ffi) {
+			return;
+		}
+		// Try if preloaded
+		try {
+			self::$ffi = \FFI::scope("_REMI_SELINUX_");
+			echo "Using FFI::scope OK\n";
+		} catch (\FFI\Exception $e) {
+			// Try direct load
+			self::$ffi = \FFI::load(__DIR__ . '/preload-selinux.h');
+			echo "Using FFI::load OK\n";
+		}
+		if (!self::$ffi) {
+			throw new \RuntimeException("FFI parse fails");
+		}
+	}
+
+	public static function is_enabled(): bool {
+		self::init();
+
+		return (bool)self::$ffi->is_selinux_enabled();
+	}
+
+	public static function getenforce(): int {
+		self::init();
+
+		return self::$ffi->security_getenforce();
+	}
+}
+
diff --git a/selinux.php b/selinux.php
new file mode 100644
index 0000000..7443f95
--- /dev/null
+++ b/selinux.php
@@ -0,0 +1,28 @@
+<?php declare(strict_types=1);
+
+/** 
+ * SElinux test script
+ * PoC, only for documentation purpose
+ *
+ * Copyright (c) 2019 Remi Collet
+ * License: CC-BY-SA
+ * http://creativecommons.org/licenses/by-sa/4.0/
+ */
+
+if (PHP_VERSION_ID < 70400 || !extension_loaded("ffi")) {
+	die("PHP 7.4 with FFI required\n");
+}
+if (PHP_SAPI != "cli") {
+	Header('Content-Type: text/plain');
+}
+printf("PHP version %s\n", PHP_VERSION);
+
+if (PHP_SAPI == "cli" && !class_exists("\\Remi\\SELinux")) {
+	printf("Fallback on manual load\n");
+	require_once __DIR__ . '/preload-selinux.inc';
+} else {
+	printf("Use preloaded class\n");
+}
+
+printf("is_enabled = %s\n", \Remi\SELinux::is_enabled() ? "Yes" : "No");
+printf("getenforce = %s\n", \Remi\SELinux::getenforce());
-- 
cgit