Add extra check for FPM proc dumpable on SELinux based systems

The deny_ptrace boolean is an OS runtime setting and is off by default,
at least on workstation flavors (Fedora); however, it might be
different on production servers.
This commit is contained in:
David Carlier 2021-11-12 18:38:55 +00:00 committed by Jakub Zelenka
parent cdf7240f75
commit 7bb2a9ff38
3 changed files with 31 additions and 2 deletions

NEWS

@ -12,6 +12,8 @@ PHP NEWS
- FPM:
. Emit error for invalid port setting. (David Carlier)
. Added extra check for FPM proc dumpable on SELinux based systems.
(David Carlier)
- Intl:
. Update all grandfathered language tags with preferred values


@ -563,6 +563,12 @@ if test "$PHP_FPM" != "no"; then
[no],
[no])
PHP_ARG_WITH([fpm-selinux],,
[AS_HELP_STRING([--with-fpm-selinux],
[Support SELinux policy library])],
[no],
[no])
if test "$PHP_FPM_SYSTEMD" != "no" ; then
PKG_CHECK_MODULES([SYSTEMD], [libsystemd >= 209])
@ -605,6 +611,14 @@ if test "$PHP_FPM" != "no"; then
])
fi
if test "x$PHP_FPM_SELINUX" != "xno" ; then
AC_CHECK_HEADERS([selinux/selinux.h])
AC_CHECK_LIB(selinux, security_setenforce, [
PHP_ADD_LIBRARY(selinux)
AC_DEFINE(HAVE_SELINUX, 1, [ SElinux available ])
],[])
fi
PHP_SUBST_OLD(php_fpm_systemd)
AC_DEFINE_UNQUOTED(PHP_FPM_SYSTEMD, "$php_fpm_systemd", [fpm systemd service type])
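Review bot: The library probe on `AC_CHECK_LIB(selinux, security_setenforce, [` tests a symbol the new code never calls, while the C side (fpm_unix.c in this commit) calls `security_get_boolean_active`; probing the symbol actually used, `AC_CHECK_LIB(selinux, security_get_boolean_active, [`, makes the configure result match what the build needs. The `AC_CHECK_HEADERS([selinux/selinux.h])` result is also not tied to the HAVE_SELINUX define: the header check only sets HAVE_SELINUX_SELINUX_H, but fpm_unix.c guards its `#include <selinux/selinux.h>` with HAVE_SELINUX, so a system with the library but no development header would define HAVE_SELINUX and then fail at compile time. Nesting the library check in the header check's action-if-found, and giving the empty `],[])` branch an AC_MSG_ERROR, would fail configure early when --with-fpm-selinux was explicitly requested but cannot be honored.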


@ -31,6 +31,10 @@
#include <sys/acl.h>
#endif
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#endif
#include "fpm.h"
#include "fpm_conf.h"
#include "fpm_cleanup.h"
@ -412,8 +416,17 @@ int fpm_unix_init_child(struct fpm_worker_pool_s *wp) /* {{{ */
}
#ifdef HAVE_PRCTL
if (wp->config->process_dumpable && 0 > prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)) {
zlog(ZLOG_SYSERROR, "[pool %s] failed to prctl(PR_SET_DUMPABLE)", wp->config->name);
if (wp->config->process_dumpable) {
int dumpable = 1;
#ifdef HAVE_SELINUX
if (security_get_boolean_active("deny_ptrace") == 1) {
zlog(ZLOG_SYSERROR, "[pool %s] ptrace is denied", wp->config->name);
dumpable = 0;
}
#endif
if (dumpable && 0 > prctl(PR_SET_DUMPABLE, 1, 0, 0, 0)) {
zlog(ZLOG_SYSERROR, "[pool %s] failed to prctl(PR_SET_DUMPABLE)", wp->config->name);
}
}
#endif
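Review bot: The new `zlog(ZLOG_SYSERROR, "[pool %s] ptrace is denied", wp->config->name);` reports a policy decision, not a failed system call, yet ZLOG_SYSERROR is the level FPM's zlog (as far as I recall its implementation) uses to append strerror(errno), so the message would carry whatever stale errno is lying around; `ZLOG_WARNING` reads correctly here. Skipping prctl entirely when deny_ptrace is set also goes further than the boolean's meaning: deny_ptrace only blocks ptrace, while PR_SET_DUMPABLE also governs core dumps (and /proc/<pid> ownership), so a pool that asked for process_dumpable silently loses core dumps that SELinux would not have prevented; consider still issuing the prctl and only logging that ptrace will be denied, or stating the trade-off in the process.dumpable documentation. `security_get_boolean_active` returns -1 when SELinux is disabled or the boolean is unknown, which the `== 1` comparison already treats as "not denied", but a one-line comment such as `/* -1 (SELinux off / unknown boolean): treat as not denied */` would show that is intentional rather than an oversight. fpm_unix_init_child continues outside this hunk.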