This patch adds an experimental configuration option to allow the
applet_execve function to treat all applets as if they were NOEXEC.

This is experimental, as noted in the configuration description.

Signed-off-by: Nadav Tasher <[email protected]>
---
 Config.in         | 12 ++++++++++++
 include/busybox.h |  6 +++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/Config.in b/Config.in
index 9fd5f3d7c..7a8a98a73 100644
--- a/Config.in
+++ b/Config.in
@@ -331,6 +331,18 @@ config FEATURE_FORCE_APPLETS
 
        This feature extends the "exec prefers applets" feature.
 
+config FEATURE_ALWAYS_NOEXEC
+       bool "all applets support NOEXEC (experimental)"
+       default n
+       depends on FEATURE_PREFER_APPLETS && !NOMMU
+       help
+       This is an experimental option which makes all applets support NOEXEC
+       invocation.
+       There are good reasons for why applets are not marked as NOEXEC,
+       but for some usecases these reasons do not apply.
+
+       This feature extends the "exec prefers applets" feature.
+
 config BUSYBOX_EXEC_PATH
        string "Path to busybox executable"
        default "/proc/self/exe"
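Review bot: The help text added at L25-L30 says "There are good reasons for why applets are not marked as NOEXEC" without naming any of them, so a user toggling this option cannot judge whether their use case is one where "these reasons do not apply". A one-line pointer to where the NOEXEC constraints are documented would make the trade-off evaluable, e.g. `See docs/nofork_noexec.txt for what a NOEXEC applet must not do; enabling this makes every applet run that way.` (path assumed from the project's existing docs — confirm). The `depends on !NOMMU` restriction is also unexplained in the help; a short clause stating why NOMMU is excluded would help reviewers and users alike. Minor wording: "reasons for why" reads better as "reasons why".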
diff --git a/include/busybox.h b/include/busybox.h
index 6a003d544..4fed5627d 100644
--- a/include/busybox.h
+++ b/include/busybox.h
@@ -23,7 +23,11 @@ extern const uint8_t applet_install_loc[] ALIGN1;
  || ENABLE_FEATURE_SH_STANDALONE \
  || ENABLE_FEATURE_SH_NOFORK
 # define APPLET_IS_NOFORK(i) (applet_flags[(i)/4] & (1 << (2 * ((i)%4))))
-# define APPLET_IS_NOEXEC(i) (applet_flags[(i)/4] & (1 << ((2 * ((i)%4))+1)))
+# if ENABLE_FEATURE_ALWAYS_NOEXEC
+#  define APPLET_IS_NOEXEC(i) 1
+# else
+#  define APPLET_IS_NOEXEC(i) (applet_flags[(i)/4] & (1 << ((2 * ((i)%4))+1)))
+# endif
 #else
 # define APPLET_IS_NOFORK(i) 0
 # define APPLET_IS_NOEXEC(i) 0
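Review bot: The override at L44-L48 redefines `APPLET_IS_NOEXEC(i)` for every caller of the macro, whereas the commit message scopes the feature to `applet_execve`; any other code path that consults `APPLET_IS_NOEXEC` (the same `#if` block already lists `FEATURE_SH_STANDALONE` and `FEATURE_SH_NOFORK` as users) will also treat all applets as NOEXEC, which is presumably not what the description promises — confirm and either narrow the change to the one call site or widen the description. A comment on the new branch would make the reach explicit, e.g. `/* Experimental: every consumer of APPLET_IS_NOEXEC sees 1, not only applet_execve */`. The constant `1` also drops the `i` argument entirely; `((void)(i), 1)` keeps the expression well-formed if a caller's only use of its index variable is this macro. The enclosing `#if` block ends outside the hunk.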
-- 
2.43.0
