!158 the mayexec function no longer checks cmdline each time that verifies whether a script are allowed to run

From: @wangyuhang27 Reviewed-by: @HuaxinLuGitee, @shenyangyang01 Signed-off-by: @shenyangyang01
2024-11-18 13:16:31 +00:00 · 2024-11-18 13:16:31 +00:00 · 27c9557815
commit 27c9557815
parent 1ffb499638 d486c0c28b
2 changed files with 19 additions and 10 deletions
--- a/bash.spec
+++ b/bash.spec
@ -1,6 +1,8 @@
+%define enable_safecheck 1
+
 Name:     bash
 Version:  5.2.15
-Release:  10
+Release:  11
 Summary:  It is the Bourne Again Shell
 License:  GPLv3
 URL:      https://www.gnu.org/software/bash
@ -35,7 +37,9 @@ Patch6007: backport-renamed-several-functions-beginning-with-legal_-chan.patch
 Patch6008: backport-fix-for-cd-when-curent-directory-doesn-t-exist-fix-w.patch
 Patch6009: Fix-for-a-crash-if-one-of-the-expressions-in-an-arit.patch

+%if %{enable_safecheck}
 Patch9000: only-scripts-verified-by-execveat-are-allowed-to-run.patch
+%endif

 BuildRequires: gcc bison texinfo autoconf ncurses-devel
 # Required for bash tests
@ -164,6 +168,9 @@ make check
 %exclude %{_infodir}/dir

 %changelog
+* Fri Nov 15 2024 wangyuhang <wangyuhang27@huawei.com> -5.2.15-11
+- the mayexec function no longer checks cmdline each time that verifies whether a script are allowed to run
+
 * Fri Nov 15 2024 wangyuhang <wangyuhang27@huawei.com> -5.2.15-10
 - only scripts verified by execveat are allowed to run

--- a/only-scripts-verified-by-execveat-are-allowed-to-run.patch
+++ b/only-scripts-verified-by-execveat-are-allowed-to-run.patch
@ -4,13 +4,13 @@ Date: Fri, 15 Nov 2024 15:52:35 +0800
 Subject: [PATCH] only scripts verified by execveat are allowed to run

 ---
- builtins/common.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
+ builtins/common.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++
 builtins/common.h |  7 +++++++
 shell.c           |  4 ++++
- 3 files changed, 58 insertions(+)
+ 3 files changed, 60 insertions(+)

 diff --git a/builtins/common.c b/builtins/common.c
-index 19b00c4..ba89d6e 100644
+index 19b00c4..287e6da 100644
 --- a/builtins/common.c
 +++ b/builtins/common.c
@@ -34,6 +34,7 @@
@ -21,7 +21,7 @@ index 19b00c4..ba89d6e 100644
 
 #if defined (PREFER_STDARG)
 #  include <stdarg.h>
-@@ -1129,3 +1130,49 @@ set_expand_once (nval, uwp)
+@@ -1129,3 +1130,51 @@ set_expand_once (nval, uwp)
   return oa;
 }
 #endif
@ -31,16 +31,19 @@ index 19b00c4..ba89d6e 100644
 +     const char *filename;
 +     int fd;
 +{
+    static int exec_check = -1;
 +    int ret = 0;
 +
-+    if (!proc_cmdline_get("exec_check.bash", "1"))
+    if (exec_check == -1)
+        exec_check = proc_cmdline_get("exec_check.bash", "1");
+
+    if (!exec_check)
 +        return 0;
 +
 +    ret = execveat(fd, "", NULL, NULL, AT_CHECK | AT_EMPTY_PATH);
 +    
-+    if (ret < 0) {
+    if (ret < 0)
 +        builtin_error (_("[%d] denied sourcing non-executable %s"), getpid(), filename);
-+    }
 +
 +    return ret;
 +}
@ -61,10 +64,9 @@ index 19b00c4..ba89d6e 100644
 +    }
 +
 +    if (getline(&line, &len, file) != -1) {
-+        if (strstr(line, search_string)) {
+        if (strstr(line, search_string))
 +            ret = 1;
 +    }
-+    }
 +
 +    free(line);
 +    fclose(file);