diff --git a/bin/sh/exec.c b/bin/sh/exec.c --- a/bin/sh/exec.c +++ b/bin/sh/exec.c @@ -418,7 +418,7 @@ if (!S_ISREG(statb.st_mode)) continue; if (opt) { /* this is a %func directory */ - readcmdfile(fullname); + readcmdfile(fullname, -1 /* verify */); if ((cmdp = cmdlookup(name, 0)) == NULL || cmdp->cmdtype != CMDFUNCTION) error("%s not defined in %s", name, fullname); stunalloc(fullname); diff --git a/bin/sh/histedit.c b/bin/sh/histedit.c --- a/bin/sh/histedit.c +++ b/bin/sh/histedit.c @@ -447,7 +447,7 @@ editcmd = stalloc(strlen(editor) + strlen(editfile) + 2); sprintf(editcmd, "%s %s", editor, editfile); evalstring(editcmd, 0); /* XXX - should use no JC command */ - readcmdfile(editfile); /* XXX - should read back - quick tst */ + readcmdfile(editfile, 0 /* verify */); /* XXX - should read back - quick tst */ unlink(editfile); } diff --git a/bin/sh/input.h b/bin/sh/input.h --- a/bin/sh/input.h +++ b/bin/sh/input.h @@ -53,7 +53,7 @@ int preadateof(void); void pungetc(void); void pushstring(const char *, int, struct alias *); -void setinputfile(const char *, int); +void setinputfile(const char *, int, int); void setinputfd(int, int); void setinputstring(const char *, int); void popfile(void); diff --git a/bin/sh/input.c b/bin/sh/input.c --- a/bin/sh/input.c +++ b/bin/sh/input.c @@ -352,17 +352,25 @@ /* * Set the input to take input from a file. If push is set, push the * old input onto the stack first. + * About verify: + * -1: Obey verifyflag + * 0: Do not verify + * 1: Do verify */ void -setinputfile(const char *fname, int push) +setinputfile(const char *fname, int push, int verify) { int e; int fd; int fd2; + int oflags = O_RDONLY | O_CLOEXEC; + + if (verify == 1 || (verify == -1 && verifyflag)) + oflags |= O_VERIFY; INTOFF; - if ((fd = open(fname, O_RDONLY | O_CLOEXEC)) < 0) { + if ((fd = open(fname, oflags)) < 0) { e = errno; errorwithstatus(e == ENOENT || e == ENOTDIR ? 127 : 126, "cannot open %s: %s", fname, strerror(e)); diff --git a/bin/sh/main.h b/bin/sh/main.h --- a/bin/sh/main.h +++ b/bin/sh/main.h @@ -39,4 +39,4 @@ extern int rootshell; /* true if we aren't a child of the main shell */ extern struct jmploc main_handler; /* top level exception handler */ -void readcmdfile(const char *); +void readcmdfile(const char *, int); diff --git a/bin/sh/main.c b/bin/sh/main.c --- a/bin/sh/main.c +++ b/bin/sh/main.c @@ -253,12 +253,16 @@ { int fd; const char *expandedname; + int oflags = O_RDONLY | O_CLOEXEC; + + if (verifyflag) + oflags |= O_VERIFY; expandedname = expandstr(name); if (expandedname == NULL) return; INTOFF; - if ((fd = open(expandedname, O_RDONLY | O_CLOEXEC)) >= 0) + if ((fd = open(expandedname, oflags)) >= 0) setinputfd(fd, 1); INTON; if (fd < 0) @@ -274,9 +278,9 @@ */ void -readcmdfile(const char *name) +readcmdfile(const char *name, int verify) { - setinputfile(name, 1); + setinputfile(name, 1, verify); cmdloop(0); popfile(); } @@ -331,7 +335,7 @@ filename = argc > 2 && strcmp(argv[1], "--") == 0 ? argv[2] : argv[1]; fullname = find_dot_file(filename); - setinputfile(fullname, 1); + setinputfile(fullname, 1, -1 /* verify */); commandname = fullname; cmdloop(0); popfile(); diff --git a/bin/sh/options.h b/bin/sh/options.h --- a/bin/sh/options.h +++ b/bin/sh/options.h @@ -68,9 +68,10 @@ #define hflag optval[18] #define nologflag optval[19] #define pipefailflag optval[20] +#define verifyflag optval[21] #define NSHORTOPTS 19 -#define NOPTS 21 +#define NOPTS 22 extern char optval[NOPTS]; extern const char optletter[NSHORTOPTS]; @@ -99,6 +100,7 @@ "\010trackall" "\005nolog" "\010pipefail" + "\006verify" ; #endif diff --git a/bin/sh/options.c b/bin/sh/options.c --- a/bin/sh/options.c +++ b/bin/sh/options.c @@ -112,7 +112,7 @@ arg0 = argv[0]; if (sflag == 0 && minusc == NULL) { scriptname = *argptr++; - setinputfile(scriptname, 0); + setinputfile(scriptname, 0, -1 /* verify */); commandname = arg0 = scriptname; } /* POSIX 1003.2: first arg after -c cmd is $0, remainder $1... */ diff --git a/bin/sh/sh.1 b/bin/sh/sh.1 --- a/bin/sh/sh.1 +++ b/bin/sh/sh.1 @@ -355,6 +355,11 @@ in the pipeline terminates with status 0 without reading its input completely. This option only has a long name. +.It Li verify +Set +.Dv O_VERIFY +when sourcing files or loading profiles. See also +.Xr mac_veriexec 4 . .El .Pp The