On Wed, Jun 25, 2025 at 11:57:24AM +0200, Csókás Bence wrote:
> Hi,
> 
> On 2025. 06. 14. 18:10, Nadav Tasher wrote:
> > This patch adds an experimental configuration option to allow the
> > applet_execve function to treat all applets as if they were NOEXEC.
> > 
> > This is experimental, as noted in the configuration description.
> > 
> > Signed-off-by: Nadav Tasher <tasherna...@gmail.com>
> > ---
> >   Config.in         | 12 ++++++++++++
> >   include/busybox.h |  6 +++++-
> >   2 files changed, 17 insertions(+), 1 deletion(-)
> > 
> > diff --git a/Config.in b/Config.in
> > index 9fd5f3d7c..7a8a98a73 100644
> > --- a/Config.in
> > +++ b/Config.in
> > @@ -331,6 +331,18 @@ config FEATURE_FORCE_APPLETS
> >     This feature extends the "exec prefers applets" feature.
> > +config FEATURE_ALWAYS_NOEXEC
> > +   bool "all applets support NOEXEC (experimental)"
> > +   default n
> > +   depends on FEATURE_PREFER_APPLETS && !NOMMU
> > +   help
> > +   This is an experimental option which makes all applets support NOEXEC
> > +   invocation.
> > +   There are good reasons for why applets are not marked as NOEXEC,
> > +   but for some usecases these reasons do not apply.
> > +
> > +   This feature extends the "exec prefers applets" feature.
> > +
> >   config BUSYBOX_EXEC_PATH
> >     string "Path to busybox executable"
> >     default "/proc/self/exe"
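Review bot: The help text for FEATURE_ALWAYS_NOEXEC says "There are good reasons for why applets are not marked as NOEXEC" but never states them, so someone enabling the option cannot judge whether their use case is exempt. Please name the reasons in the help text, or point to where they are documented. Also, "usecases" should be "use cases", and the closing sentence "This feature extends the "exec prefers applets" feature." repeats the previous entry's wording verbatim without saying what this option adds to it.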
> > diff --git a/include/busybox.h b/include/busybox.h
> > index 6a003d544..32da23c37 100644
> > --- a/include/busybox.h
> > +++ b/include/busybox.h
> > @@ -23,7 +23,11 @@ extern const uint8_t applet_install_loc[] ALIGN1;
> >    || ENABLE_FEATURE_SH_STANDALONE \
> >    || ENABLE_FEATURE_SH_NOFORK
> >   # define APPLET_IS_NOFORK(i) (applet_flags[(i)/4] & (1 << (2 * ((i)%4))))
> > -# define APPLET_IS_NOEXEC(i) (applet_flags[(i)/4] & (1 << ((2 * 
> > ((i)%4))+1)))
> > +# if ENABLE_FEATURE_ALWAYS_NOEXEC
> > +#  define APPLET_IS_NOEXEC(i) (applet_flags[(i)/4] & (1 << ((2 * 
> > ((i)%4))+1)))
> > +# else
> > +#  define APPLET_IS_NOEXEC(i) 1
> > +# endif
> >   #else
> >   # define APPLET_IS_NOFORK(i) 0
> >   # define APPLET_IS_NOEXEC(i) 0
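Review bot: The two branches of the new "# if ENABLE_FEATURE_ALWAYS_NOEXEC" are inverted. With the option enabled, APPLET_IS_NOEXEC(i) still consults applet_flags, and with the option disabled (the "default n" case) it expands to 1, so every applet is treated as NOEXEC in builds that never asked for it. Swap the bodies so that the enabled branch is "#  define APPLET_IS_NOEXEC(i) 1" and the "# else" branch keeps the applet_flags lookup. Note also that this macro sits in a block that is enabled by ENABLE_FEATURE_SH_STANDALONE and ENABLE_FEATURE_SH_NOFORK as well, so the constant affects every user of APPLET_IS_NOEXEC in those configurations, not only the applet_execve function named in the commit message.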
> 
> Am I reading it wrong, or are the two branches of #if switched up perhaps?
> 
> Bence
> 
Great catch, forgot to stage this change after testing.

Thanks!
