!164 del doesn't exist PATH dirs in bashrc

From: @wangyuhang27 
Reviewed-by: @jiayi0118 
Signed-off-by: @jiayi0118

bash.spec

@@ -1,6 +1,8 @@
+%define enable_safecheck 1
+
 Name:     bash
 Version:  5.2.15
-Release:  9
+Release:  14
 Summary:  It is the Bourne Again Shell
 License:  GPLv3
 URL:      https://www.gnu.org/software/bash
@@ -35,6 +37,10 @@ Patch6007: backport-renamed-several-functions-beginning-with-legal_-chan.patch
 Patch6008: backport-fix-for-cd-when-curent-directory-doesn-t-exist-fix-w.patch
 Patch6009: Fix-for-a-crash-if-one-of-the-expressions-in-an-arit.patch
 
+%if %{enable_safecheck}
+Patch9000: only-scripts-verified-by-execveat-are-allowed-to-run.patch
+%endif
+
 BuildRequires: gcc bison texinfo autoconf ncurses-devel
 # Required for bash tests
 BuildRequires: glibc-all-langpacks
@@ -162,6 +168,22 @@ make check
 %exclude %{_infodir}/dir
 
 %changelog
+* Fri Nov 22 2024 wangyuhang <wangyuhang27@huawei.com> - 5.2.15-14
+- del doesn't exist PATH dirs in bashrc
+
+* Wed Nov 20 2024 wangyuhang <wangyuhang27@huawei.com> -5.2.15-13
+- remove the log message for failing to open cmdline,
+  and ensure that the mayexec function does not modify the value of errno.
+
+* Wed Nov 20 2024 wangyuhang <wangyuhang27@huawei.com> -5.2.15-12
+- remove function: only scripts verified by execveat are allowed to run
+
+* Fri Nov 15 2024 wangyuhang <wangyuhang27@huawei.com> -5.2.15-11
+- the mayexec function no longer checks cmdline each time that verifies whether a script are allowed to run
+
+* Fri Nov 15 2024 wangyuhang <wangyuhang27@huawei.com> -5.2.15-10
+- only scripts verified by execveat are allowed to run
+
 * Wed May 08 2024 xiaozai <xiaozai@kylinos.cn> -5.2.15-9
 - fix for a crash if one of the expressions in an arithmetic for command expands to NULL 
 

dot-bashrc

@@ -2,5 +2,4 @@
 [ -f /etc/bashrc ] && . /etc/bashrc
 
 # User environment PATH
-PATH="$HOME/.local/bin:$HOME/bin:$PATH"
 export PATH

only-scripts-verified-by-execveat-are-allowed-to-run.patch

@@ -0,0 +1,125 @@
+From f38ec12d60641ae7f5ff71f96879a27dd021c390 Mon Sep 17 00:00:00 2001
+From: wangyuhang <wangyuhang27@huawei.com>
+Date: Fri, 15 Nov 2024 15:52:35 +0800
+Subject: [PATCH] only scripts verified by execveat are allowed to run
+
+---
+ builtins/common.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++
+ builtins/common.h |  7 +++++++
+ shell.c           |  4 ++++
+ 3 files changed, 60 insertions(+)
+
+diff --git a/builtins/common.c b/builtins/common.c
+index 19b00c4..5205fe4 100644
+--- a/builtins/common.c
++++ b/builtins/common.c
+@@ -34,6 +34,7 @@
+ #include <signal.h>
+ 
+ #include <errno.h>
++#include <fcntl.h>
+ 
+ #if defined (PREFER_STDARG)
+ #  include <stdarg.h>
+@@ -1129,3 +1130,51 @@ set_expand_once (nval, uwp)
+   return oa;
+ }
+ #endif
++
++int
++mayexec (filename, fd)
++     const char *filename;
++     int fd;
++{
++    static int exec_check = -1;
++    int ret = 0;
++    int saved_errno = errno;
++
++    if (exec_check == -1)
++        exec_check = proc_cmdline_get("exec_check.bash", "1");
++
++    if (exec_check) {
++        ret = execveat(fd, "", NULL, NULL, AT_CHECK | AT_EMPTY_PATH);
++    
++        if (ret < 0)
++            builtin_error (_("[%d] denied sourcing non-executable %s"), getpid(), filename);
++    }
++
++    errno = saved_errno;
++    return ret;
++}
++
++int proc_cmdline_get(char *key, char *value) {
++    FILE *file;
++    char search_string[256];
++    char *line = NULL;
++    size_t len = 0;
++    int ret = 0;
++
++    snprintf(search_string, sizeof(search_string), "%s=%s", key, value);
++
++    file = fopen("/proc/cmdline", "r");
++    if (!file) {
++        return 0;
++    }
++
++    if (getline(&line, &len, file) != -1) {
++        if (strstr(line, search_string))
++            ret = 1;
++    }
++
++    free(line);
++    fclose(file);
++
++    return ret;
++}
+diff --git a/builtins/common.h b/builtins/common.h
+index a170f8f..29ff9f5 100644
+--- a/builtins/common.h
++++ b/builtins/common.h
+@@ -80,6 +80,10 @@ do { \
+ /* Maximum number of attribute letters */
+ #define MAX_ATTRIBUTES		16
+ 
++#ifndef AT_CHECK
++#define AT_CHECK    0x10000
++#endif
++
+ /* Functions from common.c */
+ extern void builtin_error PARAMS((const char *, ...))  __attribute__((__format__ (printf, 1, 2)));
+ extern void builtin_warning PARAMS((const char *, ...))  __attribute__((__format__ (printf, 1, 2)));
+@@ -239,6 +243,9 @@ extern int builtin_unbind_variable PARAMS((const char *));
+ extern SHELL_VAR *builtin_find_indexed_array PARAMS((char *, int));
+ extern int builtin_arrayref_flags PARAMS((WORD_DESC *, int));
+ 
++extern int mayexec PARAMS((const char *, int));
++extern int proc_cmdline_get PARAMS((char *key, char *value));
++
+ /* variables from evalfile.c */
+ extern int sourcelevel;
+ 
+diff --git a/shell.c b/shell.c
+index ebd8965..10fc616 100644
+--- a/shell.c
++++ b/shell.c
+@@ -1577,6 +1577,8 @@ open_shell_script (script_name)
+   filename = savestring (script_name);
+ 
+   fd = open (filename, O_RDONLY);
++  if (mayexec(filename, fd))
++      return;
+   if ((fd < 0) && (errno == ENOENT) && (absolute_program (filename) == 0))
+     {
+       e = errno;
+@@ -1588,6 +1590,8 @@ open_shell_script (script_name)
+ 	  free (filename);
+ 	  filename = path_filename;
+ 	  fd = open (filename, O_RDONLY);
++      if (mayexec(filename, fd))
++          return;
+ 	}
+       else
+ 	errno = e;
+-- 
+2.33.0
+