From 6ccd30ee3be03bc81bfb31979bd5704bb1d3ebf2 Mon Sep 17 00:00:00 2001 From: "Hui, Chunyang" Date: Wed, 17 Jun 2020 05:28:36 +0000 Subject: [PATCH] Remove fish and busybox binaries from entrypoints to make it more secure --- demos/fish/README.md | 7 +++++++ demos/fish/fish_script.sh | 2 +- demos/fish/run_fish_test.sh | 15 ++++++++------- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/demos/fish/README.md b/demos/fish/README.md index e7f2d537..59201c21 100644 --- a/demos/fish/README.md +++ b/demos/fish/README.md @@ -21,6 +21,13 @@ inside Occlum. `echo`, `awk`, `cat` here are actually symbolic files linked to b to write `busybox` prefix. The `command` keyword tells FISH that `echo` is an external command because FISH also provides builtin `echo` command. +The script can be executed by Occlum directly as shown below: +``` +occlum run /bin/fish_script.sh +``` +As demonstrated here, Occlum supports executing any script file that begins with a [shebang](https://en.wikipedia.org/wiki/Shebang_(Unix)) +at its first line by invoking the interpreter program specified with the shebang. + ## Step 1: Downlaod FISH and busybox and build them with Occlum tool chain: ``` diff --git a/demos/fish/fish_script.sh b/demos/fish/fish_script.sh index e500d5e3..aa3fcfad 100644 --- a/demos/fish/fish_script.sh +++ b/demos/fish/fish_script.sh @@ -1,3 +1,3 @@ -#! /bin/fish +#! /usr/bin/fish command echo "Hello-world-from-fish" | awk '$1=$1' FS="-" OFS=" " > /root/output.txt cat /root/output.txt diff --git a/demos/fish/run_fish_test.sh b/demos/fish/run_fish_test.sh index 60ea02f7..5176849c 100755 --- a/demos/fish/run_fish_test.sh +++ b/demos/fish/run_fish_test.sh 
@@ -4,16 +4,17 @@ set -e rm -rf occlum-context mkdir occlum-context && cd occlum-context occlum init +mkdir -p image/usr/bin cp ../Occlum.json . -cp ../fish-shell/build/fish image/bin -cp ../busybox/busybox image/bin -cp ../fish_script.sh image +cp ../fish-shell/build/fish image/usr/bin +cp ../busybox/busybox image/usr/bin +cp ../fish_script.sh image/bin pushd image/bin -ln -s /bin/busybox cat -ln -s /bin/busybox echo -ln -s /bin/busybox awk +ln -s /usr/bin/busybox cat +ln -s /usr/bin/busybox echo +ln -s /usr/bin/busybox awk popd occlum build echo -e "\nBuild done. Running fish script ..." -occlum run /bin/fish /fish_script.sh +occlum run /bin/fish_script.sh
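Review bot: in the README hunk, the new paragraph documents that `occlum run /bin/fish_script.sh` works through the shebang, but it says nothing about why the interpreter is no longer run directly, which is the stated purpose of this patch ("Remove fish and busybox binaries from entrypoints to make it more secure"). Add a sentence explaining that `fish` and `busybox` are now placed under `/usr/bin` inside the image while only the script is placed under `/bin`, so readers understand the layout that run_fish_test.sh builds and why `occlum run /bin/fish /fish_script.sh` is gone. Two style points while in this file: give the new fence a language tag (e.g. ```shell) so it renders like the other examples, and fix the pre-existing `Downlaod` typo in the Step 1 heading that is visible in the trailing context.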
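Review bot: in the fish_script.sh hunk, the shebang `#! /usr/bin/fish` now hard-codes a path that must stay in lockstep with the `cp ../fish-shell/build/fish image/usr/bin` destination in run_fish_test.sh; if either side changes, `occlum run /bin/fish_script.sh` fails only at run time inside the enclave. Add a comment on the second line (after the shebang, since the shebang must stay first) stating that the interpreter path mirrors the image layout built by run_fish_test.sh, so the two files are not edited independently.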
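Review bot: in the run_fish_test.sh hunk, the three `ln -s /usr/bin/busybox cat|echo|awk` lines are still created inside `image/bin` (the `pushd image/bin` block), so busybox remains reachable under `/bin` through the applet names even though the binary itself moved to `/usr/bin`; the subject claims busybox is removed from the entrypoints, which only holds if Occlum does not treat those symlinks as runnable entrypoints. Either move the symlinks to `image/usr/bin` as well and let the script resolve `awk`/`cat` via PATH, or state in the README that the applet symlinks are intentionally left in `/bin` and why that is acceptable. Minor: `cp ../fish_script.sh image/bin` relies on `cp` preserving the script's executable bit; an explicit `chmod +x image/bin/fish_script.sh` would make the test independent of the checkout's file modes.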