security: pool separation and security option

Author: zeriyoshi

ext/opcache/ZendAccelerator.h

@@ -152,6 +152,7 @@ typedef struct _zend_accel_directives {
 	zend_long           memory_consumption;
 	zend_long           static_cache_volatile_size_mb;
 	zend_long           static_cache_pinned_size_mb;
+	bool                static_cache_allow_unsafe_runtime;
 	zend_long           max_accelerated_files;
 	double         max_wasted_percentage;
 	char          *user_blacklist_filename;

ext/opcache/tests/fpm/static_cache_fpm_pool_separate_001.phpt

@@ -0,0 +1,147 @@
+--TEST--
+FPM: OPcache Static Cache is separated between pools
+--SKIPIF--
+<?php include __DIR__ . '/skipif.inc'; ?>
+--FILE--
+<?php
+
+require_once __DIR__ . '/tester.inc';
+
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[alpha]
+listen = {{ADDR[alpha]}}
+pm = static
+pm.max_children = 1
+pm.max_requests = 0
+catch_workers_output = yes
+[beta]
+listen = {{ADDR[beta]}}
+pm = static
+pm.max_children = 1
+pm.max_requests = 0
+catch_workers_output = yes
+EOT;
+
+$code = <<<'PHP'
+<?php
+
+#[OPcache\PinnedStatic]
+class FpmPoolSeparatePinnedStatic
+{
+    public static int $value = 0;
+}
+
+class FpmPoolSeparatePinnedProperty
+{
+    #[OPcache\PinnedStatic]
+    public static int $value = 0;
+}
+
+class FpmPoolSeparatePinnedMethod
+{
+    #[OPcache\PinnedStatic]
+    public static function value(?int $value = null): int
+    {
+        static $stored = 0;
+
+        if ($value !== null) {
+            $stored = $value;
+        }
+
+        return $stored;
+    }
+}
+
+$action = $_GET['action'] ?? 'fetch';
+$pool = $_GET['pool'] ?? 'unknown';
+$volatileKey = 'fpm_pool_separate_shared_key';
+$pinnedKey = 'fpm_pool_separate_pinned_key';
+
+if ($action === 'seed') {
+    $base = $pool === 'alpha' ? 100 : 200;
+
+    OPcache\volatile_store($volatileKey, $pool . '-volatile');
+    OPcache\pinned_store($pinnedKey, $pool . '-pinned');
+    FpmPoolSeparatePinnedStatic::$value = $base + 1;
+    FpmPoolSeparatePinnedProperty::$value = $base + 2;
+    FpmPoolSeparatePinnedMethod::value($base + 3);
+}
+
+printf(
+    "%s:%s:%s:%d:%d:%d\n",
+    $pool,
+    OPcache\volatile_fetch($volatileKey, 'MISS'),
+    OPcache\pinned_fetch($pinnedKey, 'MISS'),
+    FpmPoolSeparatePinnedStatic::$value,
+    FpmPoolSeparatePinnedProperty::$value,
+    FpmPoolSeparatePinnedMethod::value()
+);
+PHP;
+
+function expectPoolState(FPM\Tester $tester, string $pool, string $expected): void
+{
+    $response = $tester->request(
+        query: 'action=fetch&pool=' . $pool,
+        address: '{{ADDR[' . $pool . ']}}',
+    );
+    $body = trim((string) $response->getBody());
+    if ($body !== $expected) {
+        throw new RuntimeException(sprintf(
+            'Unexpected state for pool %s: expected %s, got %s',
+            $pool,
+            $expected,
+            $body
+        ));
+    }
+}
+
+function seedPool(FPM\Tester $tester, string $pool, string $expected): void
+{
+    $response = $tester->request(
+        query: 'action=seed&pool=' . $pool,
+        address: '{{ADDR[' . $pool . ']}}',
+    );
+    $body = trim((string) $response->getBody());
+    if ($body !== $expected) {
+        throw new RuntimeException(sprintf(
+            'Unexpected seed state for pool %s: expected %s, got %s',
+            $pool,
+            $expected,
+            $body
+        ));
+    }
+}
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start(iniEntries: [
+    'opcache.enable' => '1',
+    'opcache.static_cache.volatile_size_mb' => '32',
+    'opcache.static_cache.pinned_size_mb' => '32',
+    'opcache.file_update_protection' => '0',
+]);
+$tester->expectLogStartNotices();
+
+seedPool($tester, 'alpha', 'alpha:alpha-volatile:alpha-pinned:101:102:103');
+expectPoolState($tester, 'alpha', 'alpha:alpha-volatile:alpha-pinned:101:102:103');
+expectPoolState($tester, 'beta', 'beta:MISS:MISS:0:0:0');
+
+seedPool($tester, 'beta', 'beta:beta-volatile:beta-pinned:201:202:203');
+expectPoolState($tester, 'alpha', 'alpha:alpha-volatile:alpha-pinned:101:102:103');
+expectPoolState($tester, 'beta', 'beta:beta-volatile:beta-pinned:201:202:203');
+
+$tester->terminate();
+$tester->expectLogTerminatingNotices();
+$tester->close();
+
+echo "Done\n";
+
+?>
+--EXPECT--
+Done
+--CLEAN--
+<?php
+require_once __DIR__ . '/tester.inc';
+FPM\Tester::clean();
+?>

ext/opcache/tests/static_cache_unsafe_runtime_cgi_001.phpt

@@ -0,0 +1,46 @@
+--TEST--
+OPcache Static Cache is disabled by default for unsafe cgi-fcgi runtime
+--EXTENSIONS--
+opcache
+--CGI--
+--INI--
+opcache.enable=1
+opcache.static_cache.volatile_size_mb=8
+opcache.static_cache.pinned_size_mb=8
+--FILE--
+<?php
+
+echo PHP_SAPI, "\n";
+
+$configuration = opcache_get_configuration();
+var_dump($configuration['directives']['opcache.static_cache.allow_unsafe_runtime']);
+
+$volatile = OPcache\volatile_cache_info();
+$pinned = OPcache\pinned_cache_info();
+
+echo "volatile\n";
+var_dump($volatile->enabled);
+var_dump($volatile->available);
+var_dump($volatile->failure_reason);
+var_dump(OPcache\volatile_store('key', 'volatile'));
+
+echo "pinned\n";
+var_dump($pinned->enabled);
+var_dump($pinned->available);
+var_dump($pinned->failure_reason);
+var_dump(OPcache\pinned_store('key', 'pinned'));
+
+?>
+--EXPECT--
+cgi-fcgi
+bool(false)
+volatile
+bool(true)
+bool(false)
+string(96) "Static Cache is disabled for this SAPI unless opcache.static_cache.allow_unsafe_runtime=1 is set"
+bool(false)
+pinned
+bool(true)
+bool(false)
+string(96) "Static Cache is disabled for this SAPI unless opcache.static_cache.allow_unsafe_runtime=1 is set"
+bool(false)

ext/opcache/tests/static_cache_unsafe_runtime_cgi_002.phpt

@@ -0,0 +1,47 @@
+--TEST--
+OPcache Static Cache can be enabled explicitly for unsafe cgi-fcgi runtime
+--EXTENSIONS--
+opcache
+--CGI--
+--INI--
+opcache.enable=1
+opcache.static_cache.volatile_size_mb=8
+opcache.static_cache.pinned_size_mb=8
+opcache.static_cache.allow_unsafe_runtime=1
+--FILE--
+<?php
+
+echo PHP_SAPI, "\n";
+
+$configuration = opcache_get_configuration();
+var_dump($configuration['directives']['opcache.static_cache.allow_unsafe_runtime']);
+
+$volatile = OPcache\volatile_cache_info();
+$pinned = OPcache\pinned_cache_info();
+
+echo "volatile\n";
+var_dump($volatile->enabled);
+var_dump($volatile->available);
+var_dump($volatile->failure_reason);
+var_dump(OPcache\volatile_store('key', 'volatile'));
+
+echo "pinned\n";
+var_dump($pinned->enabled);
+var_dump($pinned->available);
+var_dump($pinned->failure_reason);
+var_dump(OPcache\pinned_store('key', 'pinned'));
+
+?>
+--EXPECT--
+cgi-fcgi
+bool(true)
+volatile
+bool(true)
+bool(true)
+NULL
+bool(true)
+pinned
+bool(true)
+bool(true)
+NULL
+bool(true)

ext/opcache/zend_accelerator_module.c

@@ -372,6 +372,7 @@ ZEND_INI_BEGIN()
 	STD_PHP_INI_ENTRY("opcache.memory_consumption"    , "128"  , PHP_INI_SYSTEM, OnUpdateMemoryConsumption,    accel_directives.memory_consumption,        zend_accel_globals, accel_globals)
 	STD_PHP_INI_ENTRY("opcache.static_cache.volatile_size_mb", "8", PHP_INI_SYSTEM, OnUpdateStaticCacheVolatileSizeMb, accel_directives.static_cache_volatile_size_mb, zend_accel_globals, accel_globals)
 	STD_PHP_INI_ENTRY("opcache.static_cache.pinned_size_mb", "8", PHP_INI_SYSTEM, OnUpdateStaticCachePinnedSizeMb, accel_directives.static_cache_pinned_size_mb, zend_accel_globals, accel_globals)
+	STD_PHP_INI_BOOLEAN("opcache.static_cache.allow_unsafe_runtime", "0", PHP_INI_SYSTEM, OnUpdateBool, accel_directives.static_cache_allow_unsafe_runtime, zend_accel_globals, accel_globals)
 	STD_PHP_INI_ENTRY("opcache.interned_strings_buffer", "8"  , PHP_INI_SYSTEM, OnUpdateInternedStringsBuffer,	 accel_directives.interned_strings_buffer,   zend_accel_globals, accel_globals)
 	STD_PHP_INI_ENTRY("opcache.max_accelerated_files" , "10000", PHP_INI_SYSTEM, OnUpdateMaxAcceleratedFiles,	 accel_directives.max_accelerated_files,     zend_accel_globals, accel_globals)
 	STD_PHP_INI_ENTRY("opcache.max_wasted_percentage" , "5"   , PHP_INI_SYSTEM, OnUpdateMaxWastedPercentage,	 accel_directives.max_wasted_percentage,     zend_accel_globals, accel_globals)
@@ -944,6 +945,7 @@ ZEND_FUNCTION(opcache_get_configuration)
 	add_assoc_long(&directives,	 "opcache.memory_consumption",     ZCG(accel_directives).memory_consumption);
 	add_assoc_long(&directives,	 "opcache.static_cache.volatile_size_mb", ZCG(accel_directives).static_cache_volatile_size_mb);
 	add_assoc_long(&directives,	 "opcache.static_cache.pinned_size_mb", ZCG(accel_directives).static_cache_pinned_size_mb);
+	add_assoc_bool(&directives,	 "opcache.static_cache.allow_unsafe_runtime", ZCG(accel_directives).static_cache_allow_unsafe_runtime);
 	add_assoc_long(&directives,	 "opcache.interned_strings_buffer",ZCG(accel_directives).interned_strings_buffer);
 	add_assoc_long(&directives, 	 "opcache.max_accelerated_files",  ZCG(accel_directives).max_accelerated_files);
 	add_assoc_double(&directives, "opcache.max_wasted_percentage",  ZCG(accel_directives).max_wasted_percentage);