-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | preload-selinux.h | 11 | ||||
-rw-r--r-- | preload-selinux.inc | 45 | ||||
-rw-r--r-- | selinux.php | 28 |
4 files changed, 85 insertions, 1 deletions
@@ -38,7 +38,7 @@ http://creativecommons.org/licenses/by-sa/4.0/
-Needed copnfiguration:
+Needed configuration:
 opcache.enable=1 opcache.enable_cli=1
diff --git a/preload-selinux.h b/preload-selinux.h
new file mode 100644
index 0000000..5d24b3f
--- /dev/null
+++ b/preload-selinux.h
@@ -0,0 +1,11 @@
+#define FFI_SCOPE "_REMI_SELINUX_"
+#define FFI_LIB "libselinux.so.1"
+
+/* Copy/paste from selinux/*.h */
+
+/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
+extern int is_selinux_enabled(void);
+
+/* Get the enforce flag value. */
+extern int security_getenforce(void);
+
diff --git a/preload-selinux.inc b/preload-selinux.inc
new file mode 100644
index 0000000..cc09581
--- /dev/null
+++ b/preload-selinux.inc
@@ -0,0 +1,45 @@
+<?php
+/**
+ * ZSTD compressor using FFI and libselinux
+ * PoC, only for documentation purpose
+ *
+ * Copyright (c) 2019 Remi Collet
+ * License: CC-BY-SA
+ * http://creativecommons.org/licenses/by-sa/4.0/
+ */
+namespace Remi;
+
+class SELinux {
+ static private $ffi = null;
+
+ private static function init() {
+ if (self::$ffi) {
+ return;
+ }
+ // Try if preloaded
+ try {
+ self::$ffi = \FFI::scope("_REMI_SELINUX_");
+ echo "Using FFI::scope OK\n";
+ } catch (\FFI\Exception $e) {
+ // Try direct load
+ self::$ffi = \FFI::load(__DIR__ . '/preload-selinux.h');
+ echo "Using FFI::load OK\n";
+ }
+ if (!self::$ffi) {
+ throw new \RuntimeException("FFI parse fails");
+ }
+ }
+
+ public static function is_enabled(): bool {
+ self::init();
+
+ return (bool)self::$ffi->is_selinux_enabled();
+ }
+
+ public static function getenforce(): int {
+ self::init();
+
+ return self::$ffi->security_getenforce();
+ }
+}
+
diff --git a/selinux.php b/selinux.php
new file mode 100644
index 0000000..7443f95
--- /dev/null
+++ b/selinux.php
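Review bot: In preload-selinux.inc, `is_enabled()` casts the result of `is_selinux_enabled()` with `(bool)`, so the -1 error return documented in preload-selinux.h becomes `true` and a failed query is reported as "SELinux enabled". Compare explicitly instead, `return self::$ffi->is_selinux_enabled() === 1;`, so that an error is never mistaken for an active policy. `getenforce()` likewise passes the raw integer through; if `security_getenforce()` signals failure with a negative value, as libselinux normally does, it should throw rather than return it as a mode. Separately, the file docblock still reads "ZSTD compressor using FFI and libselinux" and should describe the SELinux wrapper.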
@@ -0,0 +1,28 @@
+<?php declare(strict_types=1);
+
+/**
+ * SElinux test script
+ * PoC, only for documentation purpose
+ *
+ * Copyright (c) 2019 Remi Collet
+ * License: CC-BY-SA
+ * http://creativecommons.org/licenses/by-sa/4.0/
+ */
+
+if (PHP_VERSION_ID < 70400 || !extension_loaded("ffi")) {
+ die("PHP 7.4 with FFI required\n");
+}
+if (PHP_SAPI != "cli") {
+ Header('Content-Type: text/plain');
+}
+printf("PHP version %s\n", PHP_VERSION);
+
+if (PHP_SAPI == "cli" && !class_exists("\\Remi\\SELinux")) {
+ printf("Fallback on manual load\n");
+ require_once __DIR__ . '/preload-selinux.inc';
+} else {
+ printf("Use preloaded class\n");
+}
+
+printf("is_enabled = %s\n", \Remi\SELinux::is_enabled() ? "Yes" : "No");
+printf("getenforce = %s\n", \Remi\SELinux::getenforce()); |
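Review bot: The class check `PHP_SAPI == "cli" && !class_exists("\\Remi\\SELinux")` leaves the non-CLI case unguarded: under a web SAPI without preloading, the script prints "Use preloaded class" and then stops on the first `\Remi\SELinux::` call with a class-not-found error. Test for the class on its own and fail with a clear message, for example `} elseif (!class_exists("\\Remi\\SELinux")) { die("Remi\\SELinux is not preloaded\n"); }` placed before the `else`. The `getenforce` value is also printed raw, so an error return would be shown as if it were an enforcement mode; printing a label for 0 and 1 and an explicit error otherwise would make the output unambiguous.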