From a90a93f1a4785a33ac0a48afa186e84645765d8a Mon Sep 17 00:00:00 2001
From: Gernot Vormayr <gvormayr@gmail.com>
Date: Tue, 2 Jul 2013 13:06:02 +0200
Subject: [PATCH 1/3] Add apparmor change hat functionality to fpm

---
 sapi/fpm/config.m4      | 17 +++++++++++++++++
 sapi/fpm/fpm/fpm_conf.c |  6 ++++++
 sapi/fpm/fpm/fpm_conf.h |  3 +++
 sapi/fpm/fpm/fpm_unix.c | 30 ++++++++++++++++++++++++++++++
 4 files changed, 56 insertions(+)

diff --git a/sapi/fpm/config.m4 b/sapi/fpm/config.m4
index 3d34c79588a31..87c5a60c50d0f 100644
--- a/sapi/fpm/config.m4
+++ b/sapi/fpm/config.m4
@@ -536,6 +536,22 @@ AC_DEFUN([AC_FPM_SELECT],
 ])
 dnl }}}
 
+AC_DEFUN([AC_FPM_APPARMOR],
+[
+        AC_MSG_CHECKING([for apparmor])
+
+        SAVED_LIBS="$LIBS"
+        LIBS="$LIBS -lapparmor"
+
+        AC_TRY_LINK([ #include <sys/apparmor.h> ], [change_hat("test", 0);], [
+	  AC_DEFINE([HAVE_APPARMOR], 1, [do we have apparmor support?])
+          AC_MSG_RESULT([yes])
+        ], [
+          LIBS="$SAVED_LIBS"
+          AC_MSG_RESULT([no])
+        ])
+])
+
 
 AC_MSG_CHECKING(for FPM build)
 if test "$PHP_FPM" != "no"; then
@@ -555,6 +571,7 @@ if test "$PHP_FPM" != "no"; then
 	AC_FPM_EPOLL
 	AC_FPM_POLL
 	AC_FPM_SELECT
+        AC_FPM_APPARMOR
 
   PHP_ARG_WITH(fpm-user,,
   [  --with-fpm-user[=USER]  Set the user for php-fpm to run as. (default: nobody)], nobody, no)
diff --git a/sapi/fpm/fpm/fpm_conf.c b/sapi/fpm/fpm/fpm_conf.c
index cd5fc34d0f2d0..9b699af99d8ef 100644
--- a/sapi/fpm/fpm/fpm_conf.c
+++ b/sapi/fpm/fpm/fpm_conf.c
@@ -149,6 +149,9 @@ static struct ini_value_parser_s ini_fpm_pool_options[] = {
 	{ "chdir",                     &fpm_conf_set_string,      WPO(chdir) },
 	{ "catch_workers_output",      &fpm_conf_set_boolean,     WPO(catch_workers_output) },
 	{ "security.limit_extensions", &fpm_conf_set_string,      WPO(security_limit_extensions) },
+#ifdef HAVE_APPARMOR
+        { "apparmor_hat",              &fpm_conf_set_string,      WPO(apparmor_hat) },
+#endif
 	{ 0, 0, 0 }
 };
 
@@ -644,6 +647,9 @@ int fpm_worker_pool_config_free(struct fpm_worker_pool_config_s *wpc) /* {{{ */
 	free(wpc->chroot);
 	free(wpc->chdir);
 	free(wpc->security_limit_extensions);
+#ifdef HAVE_APPARMOR
+        free(wpc->apparmor_hat);
+#endif
 
 	for (kv = wpc->php_values; kv; kv = kv_next) {
 		kv_next = kv->next;
diff --git a/sapi/fpm/fpm/fpm_conf.h b/sapi/fpm/fpm/fpm_conf.h
index efd65dc6d9d70..8cd8690f1874b 100644
--- a/sapi/fpm/fpm/fpm_conf.h
+++ b/sapi/fpm/fpm/fpm_conf.h
@@ -87,6 +87,9 @@ struct fpm_worker_pool_config_s {
 	struct key_value_s *env;
 	struct key_value_s *php_admin_values;
 	struct key_value_s *php_values;
+#ifdef HAVE_APPARMOR
+        char *apparmor_hat;
+#endif
 };
 
 struct ini_value_parser_s {
diff --git a/sapi/fpm/fpm/fpm_unix.c b/sapi/fpm/fpm/fpm_unix.c
index 48249e8a49488..1159a132472a1 100644
--- a/sapi/fpm/fpm/fpm_unix.c
+++ b/sapi/fpm/fpm/fpm_unix.c
@@ -17,6 +17,10 @@
 #include <sys/prctl.h>
 #endif
 
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+#endif
+
 #include "fpm.h"
 #include "fpm_conf.h"
 #include "fpm_cleanup.h"
@@ -222,6 +226,32 @@ int fpm_unix_init_child(struct fpm_worker_pool_s *wp) /* {{{ */
 	if (0 > fpm_clock_init()) {
 		return -1;
 	}
+
+#ifdef HAVE_APPARMOR
+        if (wp->config->apparmor_hat) {
+            char *con, *new_con;
+            if (aa_getcon(&con, NULL) == -1) {
+                zlog(ZLOG_SYSERROR, "[pool %s] failed to query apparmor confinement. Please check if \"/proc/*/attr/current\" is read and writeable.", wp->config->name);
+                return -1;
+            }
+            new_con = malloc(strlen(con) + strlen(wp->config->apparmor_hat) + 3); // // + 0 Byte
+            if (!new_con) {
+                zlog(ZLOG_SYSERROR, "[pool %s] failed to allocate memory for apparmor hat change.", wp->config->name);
+                return -1;
+            }
+            if (0 > sprintf(new_con, "%s//%s", con, wp->config->apparmor_hat)) {
+                zlog(ZLOG_SYSERROR, "[pool %s] failed to construct apparmor confinement.", wp->config->name);
+                return -1;
+            }
+            if (0 > aa_change_profile(new_con)) {
+                zlog(ZLOG_SYSERROR, "[pool %s] failed to change to new confinement (%s). Please check if \"/proc/*/attr/current\" is read and writeable and \"change_profile -> %s//*\" is allowed.", wp->config->name, new_con, con);
+                return -1;
+            }
+            free(con);
+            free(new_con);
+        }
+#endif
+
 	return 0;
 }
 /* }}} */

From 32d9409a24d3943761a24692984e7b0af2a72a9a Mon Sep 17 00:00:00 2001
From: Gernot Vormayr <gvormayr@gmail.com>
Date: Tue, 7 Jan 2014 00:19:01 +0100
Subject: [PATCH 2/3] Add --force-stderr to fpm

---
 sapi/fpm/fpm/fpm.c       |  4 +++-
 sapi/fpm/fpm/fpm.h       |  3 ++-
 sapi/fpm/fpm/fpm_main.c  | 12 ++++++++++--
 sapi/fpm/fpm/fpm_stdio.c |  2 +-
 4 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/sapi/fpm/fpm/fpm.c b/sapi/fpm/fpm/fpm.c
index b866f37f2d177..abfc78680151f 100644
--- a/sapi/fpm/fpm/fpm.c
+++ b/sapi/fpm/fpm/fpm.c
@@ -39,10 +39,11 @@ struct fpm_globals_s fpm_globals = {
 	.test_successful = 0,
 	.heartbeat = 0,
 	.run_as_root = 0,
+        .force_stderr = 0,
 	.send_config_pipe = {0, 0},
 };
 
-int fpm_init(int argc, char **argv, char *config, char *prefix, char *pid, int test_conf, int run_as_root, int force_daemon) /* {{{ */
+int fpm_init(int argc, char **argv, char *config, char *prefix, char *pid, int test_conf, int run_as_root, int force_daemon, int force_stderr) /* {{{ */
 {
 	fpm_globals.argc = argc;
 	fpm_globals.argv = argv;
@@ -52,6 +53,7 @@ int fpm_init(int argc, char **argv, char *config, char *prefix, char *pid, int t
 	fpm_globals.prefix = prefix;
 	fpm_globals.pid = pid;
 	fpm_globals.run_as_root = run_as_root;
+        fpm_globals.force_stderr = force_stderr;
 
 	if (0 > fpm_php_init_main()           ||
 	    0 > fpm_stdio_init_main()         ||
diff --git a/sapi/fpm/fpm/fpm.h b/sapi/fpm/fpm/fpm.h
index 65d0e0d69127e..68642a955d1b7 100644
--- a/sapi/fpm/fpm/fpm.h
+++ b/sapi/fpm/fpm/fpm.h
@@ -37,7 +37,7 @@
 
 
 int fpm_run(int *max_requests);
-int fpm_init(int argc, char **argv, char *config, char *prefix, char *pid, int test_conf, int run_as_root, int force_daemon);
+int fpm_init(int argc, char **argv, char *config, char *prefix, char *pid, int test_conf, int run_as_root, int force_daemon, int force_stderr);
 
 struct fpm_globals_s {
 	pid_t parent_pid;
@@ -55,6 +55,7 @@ struct fpm_globals_s {
 	int test_successful;
 	int heartbeat;
 	int run_as_root;
+        int force_stderr;
 	int send_config_pipe[2];
 };
 
diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
index 043e0e00a47c0..77e13a2d056c7 100644
--- a/sapi/fpm/fpm/fpm_main.c
+++ b/sapi/fpm/fpm/fpm_main.c
@@ -157,6 +157,7 @@ static const opt_struct OPTIONS[] = {
 	{'R', 0, "allow-to-run-as-root"},
 	{'D', 0, "daemonize"},
 	{'F', 0, "nodaemonize"},
+        {'O', 0, "force-stderr"},
 	{'-', 0, NULL} /* end of args */
 };
 
@@ -918,7 +919,7 @@ static void php_cgi_usage(char *argv0)
 		prog = "php";
 	}
 
-	php_printf(	"Usage: %s [-n] [-e] [-h] [-i] [-m] [-v] [-t] [-p <prefix>] [-g <pid>] [-c <file>] [-d foo[=bar]] [-y <file>] [-D] [-F]\n"
+	php_printf(	"Usage: %s [-n] [-e] [-h] [-i] [-m] [-v] [-t] [-p <prefix>] [-g <pid>] [-c <file>] [-d foo[=bar]] [-y <file>] [-D] [-F [-O]]\n"
 				"  -c <path>|<file> Look for php.ini file in this directory\n"
 				"  -n               No php.ini file will be used\n"
 				"  -d foo[=bar]     Define INI entry foo with value 'bar'\n"
@@ -937,6 +938,8 @@ static void php_cgi_usage(char *argv0)
 				"  -D, --daemonize  force to run in background, and ignore daemonize option from config file\n"
 				"  -F, --nodaemonize\n"
 				"                   force to stay in foreground, and ignore daemonize option from config file\n"
+                                "  -O, --force-stderr\n"
+                                "                   force output to stderr in nodaemonize even if stderr is not a TTY\n"
 				"  -R, --allow-to-run-as-root\n"
 				"                   Allow pool to run as root (disabled by default)\n",
 				prog, PHP_PREFIX);
@@ -1569,6 +1572,7 @@ int main(int argc, char *argv[])
 	char *fpm_pid = NULL;
 	int test_conf = 0;
 	int force_daemon = -1;
+        int force_stderr = 0;
 	int php_information = 0;
 	int php_allow_to_run_as_root = 0;
 
@@ -1697,6 +1701,10 @@ int main(int argc, char *argv[])
 				force_daemon = 0;
 				break;
 
+                        case 'O': /* force stderr even on non tty */
+                                force_stderr = 1;
+                                break;
+
 			default:
 			case 'h':
 			case '?':
@@ -1824,7 +1832,7 @@ consult the installation file that came with this distribution, or visit \n\
 		}
 	}
 
-	if (0 > fpm_init(argc, argv, fpm_config ? fpm_config : CGIG(fpm_config), fpm_prefix, fpm_pid, test_conf, php_allow_to_run_as_root, force_daemon)) {
+	if (0 > fpm_init(argc, argv, fpm_config ? fpm_config : CGIG(fpm_config), fpm_prefix, fpm_pid, test_conf, php_allow_to_run_as_root, force_daemon, force_stderr)) {
 
 		if (fpm_globals.send_config_pipe[1]) {
 			int writeval = 0;
diff --git a/sapi/fpm/fpm/fpm_stdio.c b/sapi/fpm/fpm/fpm_stdio.c
index d81e10150db6d..33b0e01c87cd5 100644
--- a/sapi/fpm/fpm/fpm_stdio.c
+++ b/sapi/fpm/fpm/fpm_stdio.c
@@ -292,7 +292,7 @@ int fpm_stdio_open_error_log(int reopen) /* {{{ */
 	} else {
 		fpm_globals.error_log_fd = fd;
 #if HAVE_UNISTD_H
-		if (fpm_global_config.daemonize || !isatty(STDERR_FILENO)) {
+		if (fpm_global_config.daemonize || (!isatty(STDERR_FILENO) && !fpm_globals.force_stderr)) {
 #else
 		if (fpm_global_config.daemonize) {
 #endif

From e9883779a0d00fef3481af2806a918abe33fd3f4 Mon Sep 17 00:00:00 2001
From: Gernot Vormayr <gvormayr@gmail.com>
Date: Tue, 7 Jan 2014 00:21:24 +0100
Subject: [PATCH 3/3] Add some basic and apparmor tests to fpm

---
 run-tests.php                   |  2 +-
 sapi/fpm/tests/001.phpt         | 21 +++++++++
 sapi/fpm/tests/002.phpt         | 53 ++++++++++++++++++++++
 sapi/fpm/tests/apparmor.phpt    | 54 ++++++++++++++++++++++
 sapi/fpm/tests/include.inc      | 79 +++++++++++++++++++++++++++++++++
 sapi/fpm/tests/skipapparmor.inc | 30 +++++++++++++
 sapi/fpm/tests/skipif.inc       | 13 ++++++
 7 files changed, 251 insertions(+), 1 deletion(-)
 create mode 100644 sapi/fpm/tests/001.phpt
 create mode 100644 sapi/fpm/tests/002.phpt
 create mode 100644 sapi/fpm/tests/apparmor.phpt
 create mode 100644 sapi/fpm/tests/include.inc
 create mode 100644 sapi/fpm/tests/skipapparmor.inc
 create mode 100644 sapi/fpm/tests/skipif.inc

diff --git a/run-tests.php b/run-tests.php
index 8c8df610b8c02..3903bd8481ff3 100755
--- a/run-tests.php
+++ b/run-tests.php
@@ -838,7 +838,7 @@ function save_or_mail_results()
 $ignored_by_ext = 0;
 sort($exts_to_test);
 $test_dirs = array();
-$optionals = array('tests', 'ext', 'Zend', 'ZendEngine2', 'sapi/cli', 'sapi/cgi');
+$optionals = array('tests', 'ext', 'Zend', 'ZendEngine2', 'sapi/cli', 'sapi/cgi', 'sapi/fpm');
 
 foreach($optionals as $dir) {
 	if (@filetype($dir) == 'dir') {
diff --git a/sapi/fpm/tests/001.phpt b/sapi/fpm/tests/001.phpt
new file mode 100644
index 0000000000000..b721bfa9254a7
--- /dev/null
+++ b/sapi/fpm/tests/001.phpt
@@ -0,0 +1,21 @@
+--TEST--
+FPM: version string
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+include "include.inc";
+
+$php = get_fpm_path();
+
+var_dump(`$php -n -v`);
+
+echo "Done\n";
+?>
+--EXPECTF--
+string(%d) "PHP %s (fpm%s (built: %s
+Copyright (c) 1997-20%s The PHP Group
+Zend Engine v%s, Copyright (c) 1998-20%s Zend Technologies
+"
+Done
diff --git a/sapi/fpm/tests/002.phpt b/sapi/fpm/tests/002.phpt
new file mode 100644
index 0000000000000..2ef6cedc3856a
--- /dev/null
+++ b/sapi/fpm/tests/002.phpt
@@ -0,0 +1,53 @@
+--TEST--
+FPM: Startup and connect
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+include "include.inc";
+
+$logfile = dirname(__FILE__).'/php-fpm.log.tmp';
+
+$cfg = <<<EOT
+[global]
+error_log = $logfile
+[unconfined]
+listen = 127.0.0.1:9000
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$fpm = run_fpm($cfg, $tail);
+if (is_resource($fpm)) {
+    var_dump(fgets($tail));
+    var_dump(fgets($tail));
+    $i = 0;
+    while (($i++ < 30) && !($fp = @fsockopen('127.0.0.1', 9000))) {
+        usleep(10000);
+    }
+    if ($fp) {
+        echo "Done\n";
+        fclose($fp);
+    }
+    proc_terminate($fpm);
+    stream_get_contents($tail);
+    fclose($tail);
+    proc_close($fpm);
+}
+
+?>
+--EXPECTF--
+string(%d) "[%d-%s-%d %d:%d:%d] NOTICE: fpm is running, pid %d
+"
+string(%d) "[%d-%s-%d %d:%d:%d] NOTICE: ready to handle connections
+"
+Done
+--CLEAN--
+<?php
+    $logfile = dirname(__FILE__).'/php-fpm.log.tmp';
+    @unlink($logfile);
+?>
diff --git a/sapi/fpm/tests/apparmor.phpt b/sapi/fpm/tests/apparmor.phpt
new file mode 100644
index 0000000000000..cf9bd71118113
--- /dev/null
+++ b/sapi/fpm/tests/apparmor.phpt
@@ -0,0 +1,54 @@
+--TEST--
+FPM: Apparmor Test
+--DESCRIPTION--
+This test tries to launches a pool which tries to change to non existing
+apparmor hat a. Test succeeds if apparmor is not running or hat is non
+existant.
+--SKIPIF--
+<?php
+include "skipif.inc";
+include "skipapparmor.inc";
+
+?>
+--FILE--
+<?php
+
+include "include.inc";
+
+$logfile = dirname(__FILE__).'/php-fpm.log.tmp';
+
+$cfg = <<<EOT
+[global]
+error_log = $logfile
+[a]
+listen = 127.0.0.1:9001
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+apparmor_hat = a
+EOT;
+
+/* libapparmor has a bug which can cause SIGSEGV till Version 2.8.0-0ubuntu28
+   See https://bugs.launchpad.net/apparmor/+bug/1196880
+   Possible outcomes:
+
+   - SIGSEGV|failed to query apparmor confinement
+     apparmor not running
+   - failed to change to new confinement
+     something in apparmor went wrong
+   - exited with code 70
+     Change to successful; Hat not existant (Process gets killed by apparmor)
+ */
+var_dump(run_fpm_till('/(SIGSEGV|failed to query apparmor confinement|failed to change to new confinement|exited with code 70)/', $cfg));
+
+?>
+--EXPECTF--
+string(%d) "%s
+"
+--CLEAN--
+<?php
+    $logfile = dirname(__FILE__).'/php-fpm.log.tmp';
+    @unlink($logfile);
+?>
diff --git a/sapi/fpm/tests/include.inc b/sapi/fpm/tests/include.inc
new file mode 100644
index 0000000000000..983cbd345414b
--- /dev/null
+++ b/sapi/fpm/tests/include.inc
@@ -0,0 +1,79 @@
+<?php
+
+function get_fpm_path() /* {{{ */
+{
+	$php_path = getenv("TEST_PHP_EXECUTABLE");
+
+	for ($i = 0; $i < 2; $i++) {
+		$slash_pos = strrpos($php_path, "/");
+		if ($slash_pos) {
+			$php_path = substr($php_path, 0, $slash_pos);
+		} else {
+			return false;
+		}
+	}
+
+	if ($php_path && is_dir($php_path) && file_exists($php_path."/fpm/php-fpm") && is_executable($php_path."/fpm/php-fpm")) { 
+		/* gotcha */
+		return $php_path."/fpm/php-fpm";
+	}
+	return false;
+}
+/* }}} */
+
+function run_fpm($config, &$out = false, $extra_args = '') /* {{{ */
+{
+    $cfg = dirname(__FILE__).'/test-fpm-config.tmp';
+    file_put_contents($cfg, $config);
+    $desc = [];
+    if ($out !== false) {
+        $desc = [1 => array('pipe', 'w')];
+    }
+    /* Since it's not possible to spawn a process under linux without using a
+     * shell in php (why?!?) we need a little shell trickery, so that we can
+     * actually kill php-fpm */
+    $fpm = proc_open('killit () { kill $child; }; trap killit TERM; '.get_fpm_path().' -F -O -y '.$cfg.' '.$extra_args.' 2>&1 & child=$!; wait', $desc, $pipes);
+    register_shutdown_function(
+            function($fpm) use($cfg) {
+                    @unlink($cfg);
+                    if (is_resource($fpm)) {
+                        @proc_terminate($fpm);
+                        while (proc_get_status($fpm)['running']) {
+                            usleep(10000);
+                        }
+                    }
+            },
+                    $fpm
+            );
+    if ($out !== false) {
+        $out = $pipes[1];
+    }
+    return $fpm;
+}
+/* }}} */
+
+function run_fpm_till($needle, $config, $max = 10) /* {{{ */
+{
+    $i = 0;
+    $fpm = run_fpm($config, $tail);
+    if (is_resource($fpm)) {
+        while($i < $max) {
+            $i++;
+            $line = fgets($tail);
+            if(preg_match($needle, $line) === 1) {
+                break;
+            }
+        }
+        if ($i >= $max) {
+            $line = false;
+        }
+        proc_terminate($fpm);
+        stream_get_contents($tail);
+        fclose($tail);
+        proc_close($fpm);
+    }
+    return $line;
+}
+/* }}} */
+
+?>
diff --git a/sapi/fpm/tests/skipapparmor.inc b/sapi/fpm/tests/skipapparmor.inc
new file mode 100644
index 0000000000000..b286d0361dcb4
--- /dev/null
+++ b/sapi/fpm/tests/skipapparmor.inc
@@ -0,0 +1,30 @@
+<?php
+
+$logfile = dirname(__FILE__).'/php-fpm.log.tmp';
+$cfg = <<<EOT
+[global]
+error_log = $logfile
+[a]
+listen = 127.0.0.1:9001
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+apparmor_hat = a
+EOT;
+
+$fpm = run_fpm($cfg, $out, '-t');
+$ok = false;
+if (is_resource($fpm)) {
+    if (strpos(stream_get_contents($out), "test is successful") !== FALSE) {
+        $ok = true;
+    }
+    fclose($out);
+    proc_close($fpm);
+}
+if (!$ok) {
+    die("skip No apparmor support built in");
+}
+
+?>
diff --git a/sapi/fpm/tests/skipif.inc b/sapi/fpm/tests/skipif.inc
new file mode 100644
index 0000000000000..8c569daafdc7e
--- /dev/null
+++ b/sapi/fpm/tests/skipif.inc
@@ -0,0 +1,13 @@
+<?php
+
+if (substr(PHP_OS, 0, 3) == 'WIN') {
+	die ("skip not for Windows");
+}
+
+include dirname(__FILE__)."/include.inc";
+
+if (!get_fpm_path()) {
+	die("skip FPM not found");
+}
+
+?>