diff --git a/.gitignore b/.gitignore
index eb8d3e7..88d0f0f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,10 +27,10 @@ missing
 mkinstalldirs
 modules
 run-tests.php
-tests/*/*.diff
-tests/*/*.out
-tests/*/*.php
-tests/*/*.exp
-tests/*/*.log
-tests/*/*.sh
-php-7.0.core
+tests/*.diff
+tests/*.out
+tests/*.php
+tests/*.exp
+tests/*.log
+tests/*.sh
+*.core
diff --git a/README.md b/README.md
index 9d921ec..943df54 100644
--- a/README.md
+++ b/README.md
@@ -65,8 +65,35 @@ All promises are documented in [the OpenBSD pledge(2) manual page](http://man.op
 If the PHP ```pledge()``` call fails, it will throw a ```\PledgeException```.
+To set pledges on an execve child:
+
+```
+pledge(null, 'tty stdio error rpath');
+pcntl_exec('/bin/ls');
+```
+
 ## Unveil usage
+```
+# wworks
+print_r(scandir('/var'));
+
+# Limit read only access to /var/spool
+unveil('/var/spool', 'r');
+
+# No longer works
+print_r(scandir('/var'));
+# Works
+print_r(scandir('/var/spool'));
+
+# Disallow more unveils
+unveil();
+
+# No longer works
+unveil('/var', 'r');
+
+```
+
 If the PHP ```unveil()``` call fails, it will throw a ```\UnveilException```.
 ## Notes
diff --git a/pledge.c b/pledge.c
index 459eaed..672197a 100644
--- a/pledge.c
+++ b/pledge.c
@@ -75,8 +75,8 @@ PHP_FUNCTION(pledge) {
 	ZEND_PARSE_PARAMETERS_START(0, 2)
 		Z_PARAM_OPTIONAL
-		Z_PARAM_STRING(promises, promises_len)
-		Z_PARAM_STRING(execpromises, execpromises_len)
+		Z_PARAM_STRING_EX(promises, promises_len, 1, 0)
+		Z_PARAM_STRING_EX(execpromises, execpromises_len, 1, 0)
 	ZEND_PARSE_PARAMETERS_END();
 	if (pledge(promises, execpromises) != 0) {
@@ -105,8 +105,8 @@ PHP_FUNCTION(unveil) {
 	ZEND_PARSE_PARAMETERS_START(0, 2)
 		Z_PARAM_OPTIONAL
-		Z_PARAM_STRING(path, path_len)
-		Z_PARAM_STRING(permissions, permissions_len)
+		Z_PARAM_STRING_EX(path, path_len, 1, 0)
+		Z_PARAM_STRING_EX(permissions, permissions_len, 1, 0)
 	ZEND_PARSE_PARAMETERS_END();
 	if (unveil(path, permissions) != 0) {
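Review bot: With `Z_PARAM_STRING_EX(..., 1, 0)` a PHP `null` now reaches the `pledge(promises, execpromises)` call as a C NULL, and pledge(2) treats NULL as "leave this set unchanged", so `pledge(null, null)` returns 0 without restricting anything while the README presents pledge() as the sandboxing call; the same presumably holds for `pledge()` with no arguments if the locals are initialised to NULL outside this hunk. I would either state that above the call, `/* NULL means "leave unchanged" (pledge(2)): pledge(null, null) is a no-op, not an error */`, or reject the both-NULL case by throwing the existing `\PledgeException` so a script cannot believe it is sandboxed when nothing happened. Neither `Z_PARAM_STRING` nor the `_EX` form rejects embedded NUL bytes, and pledge(2) reads a C string, so a promise list containing "\0" is silently truncated at that byte — tighter rather than looser, but a `memchr(promises, 0, promises_len)` check would turn it into an error instead of a surprise. PHP_FUNCTION(pledge) begins and ends outside the hunk, so the variable initialisation and the error path are not visible here.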
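Review bot: `path` is a filesystem path handed straight to unveil(2), so the matching parser is `Z_PARAM_PATH_EX(path, path_len, 1, 0)` rather than `Z_PARAM_STRING_EX`: the PATH variant rejects strings with embedded NUL bytes, whereas with STRING a value such as "/var/spool\0/x" reaches the kernel as "/var/spool" and the directory actually exposed is not the one the script named. `permissions` is read by unveil(2) as a C string too, so it deserves the same treatment (`Z_PARAM_PATH_EX(permissions, permissions_len, 1, 0)` or a `memchr` check). Accepting NULL is needed for the documented no-argument `unveil()` that locks further unveils, but a one-argument `unveil($path)` hands unveil(2) whatever `permissions` holds before parsing, which is declared outside this hunk — it should be initialised to NULL, and a comment such as `/* unveil(NULL, NULL) disables further unveil calls (unveil(2)) */` above the call would make the intended no-arg form explicit. PHP_FUNCTION(unveil) continues outside the hunk.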