Hi,

On 2025. 06. 14. 18:10, Nadav Tasher wrote:
This patch adds an experimental configuration option to allow the
applet_execve function to treat all applets as if they were NOEXEC.

This is experimental, as noted in the configuration description.

Signed-off-by: Nadav Tasher <[email protected]>
---
  Config.in         | 12 ++++++++++++
  include/busybox.h |  6 +++++-
  2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/Config.in b/Config.in
index 9fd5f3d7c..7a8a98a73 100644
--- a/Config.in
+++ b/Config.in
@@ -331,6 +331,18 @@ config FEATURE_FORCE_APPLETS
This feature extends the "exec prefers applets" feature. +config FEATURE_ALWAYS_NOEXEC
+       bool "all applets support NOEXEC (experimental)"
+       default n
+       depends on FEATURE_PREFER_APPLETS && !NOMMU
+       help
+       This is an experimental option which makes all applets support NOEXEC
+       invocation.
+       There are good reasons for why applets are not marked as NOEXEC,
+       but for some usecases these reasons do not apply.
+
+       This feature extends the "exec prefers applets" feature.
+
  config BUSYBOX_EXEC_PATH
        string "Path to busybox executable"
        default "/proc/self/exe"
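Review bot: the help text for FEATURE_ALWAYS_NOEXEC says "There are good reasons for why applets are not marked as NOEXEC, but for some usecases these reasons do not apply" without naming a single one of those reasons, so a user in menuconfig cannot judge whether their use case is one where they do not apply; list the concrete reasons (or point to where they are documented) and state what can go wrong when an applet that was deliberately left non-NOEXEC is run as NOEXEC, so that "experimental" carries real information rather than just a warning label. It would also help to say why NOMMU is excluded in `depends on FEATURE_PREFER_APPLETS && !NOMMU`, since the help text does not mention it. Minor: "usecases" should be "use cases", and the last help line ("This feature extends the "exec prefers applets" feature.") duplicates the FEATURE_FORCE_APPLETS text verbatim, which is fine if intentional but reads as copy-paste.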
diff --git a/include/busybox.h b/include/busybox.h
index 6a003d544..32da23c37 100644
--- a/include/busybox.h
+++ b/include/busybox.h
@@ -23,7 +23,11 @@ extern const uint8_t applet_install_loc[] ALIGN1;
   || ENABLE_FEATURE_SH_STANDALONE \
   || ENABLE_FEATURE_SH_NOFORK
  # define APPLET_IS_NOFORK(i) (applet_flags[(i)/4] & (1 << (2 * ((i)%4))))
-# define APPLET_IS_NOEXEC(i) (applet_flags[(i)/4] & (1 << ((2 * ((i)%4))+1)))
+# if ENABLE_FEATURE_ALWAYS_NOEXEC
+#  define APPLET_IS_NOEXEC(i) (applet_flags[(i)/4] & (1 << ((2 * ((i)%4))+1)))
+# else
+#  define APPLET_IS_NOEXEC(i) 1
+# endif
  #else
  # define APPLET_IS_NOFORK(i) 0
  # define APPLET_IS_NOEXEC(i) 0
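Review bot: the two branches of `# if ENABLE_FEATURE_ALWAYS_NOEXEC` are inverted: with the option enabled, `APPLET_IS_NOEXEC(i)` still reads the per-applet flag bit (`applet_flags[(i)/4] & (1 << ((2 * ((i)%4))+1))`), and with it disabled every applet reports NOEXEC as `1`, which is the opposite of what the Config.in text describes and silently changes behaviour for everyone who leaves the option at its default `n`. Swap the two bodies so that `#  define APPLET_IS_NOEXEC(i) 1` sits under `# if ENABLE_FEATURE_ALWAYS_NOEXEC` and the flag lookup under `# else`. Note that the outer `#else` below still defines `APPLET_IS_NOEXEC(i) 0`, so the new option correctly has no effect unless one of the PREFER_APPLETS / SH_STANDALONE / SH_NOFORK features is on, which matches the `depends on` in Config.in.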

Am I reading it wrong, or are the two branches of #if switched up perhaps?

Bence

_______________________________________________
busybox mailing list
[email protected]
https://lists.busybox.net/mailman/listinfo/busybox