author | Denys Vlasenko | 2017-08-08 00:42:15 +0200 |
---|---|---|
committer | Denys Vlasenko | 2017-08-08 00:42:15 +0200 |
commit | 90ad4ba9db2927d6b616993cc27274bbc17d51a9 (patch) | |
tree | e9f88a91d273344022cb443ec11378b3d18326ac | |
parent | dbbc3f2e644c38e9b4993a674269478792195127 (diff) | |
ipcalc,rdev: make NOEXEC
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | NOFORK_NOEXEC.lst | 23 | ||||
-rw-r--r-- | networking/ipcalc.c | 2 | ||||
-rw-r--r-- | util-linux/rdev.c | 2 |
3 files changed, 15 insertions, 12 deletions
diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst index cd83ff1..98e1bff 100644 --- a/NOFORK_NOEXEC.lst +++ b/NOFORK_NOEXEC.lst @@ -7,6 +7,9 @@ changes state: e.g. environment, signal handlers leaks: does not free allocated memory or opened fds alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies +talks to network/serial/etc: it's not known how long the delay can be, + it's reasonable to expect it might be many seconds + (even if usually it is not), so ^C has to work runner: sometimes may run for long(ish) time, and/or works with network: ^C has to work (cat BIGFILE, chmod -R, ftpget, nc) @@ -46,7 +49,7 @@ adduser - noexec. leaks adjtimex - NOFORK ar - runner arch - NOFORK -arp - runner, needs ^C: arp -n talks to DNS servers +arp - talks to network: arp -n queries DNS arping - longterm ash - interactive, longterm awk - noexec. runner @@ -62,13 +65,13 @@ bunzip2 - runner bzcat - runner bzip2 - runner cal - runner: cal -n9999 -cat - runner -chat - needs ^C to work +cat - runner: cat HUGEFILE +chat - longterm (when used as intended - talking to modem over stdin/out) chattr - noexec. runner chgrp - noexec. runner chmod - noexec. runner chown - noexec. runner -chpasswd - longterm (list of "user:password"s from stdin) +chpasswd - longterm? (list of "user:password"s from stdin) chpst - noexec. spawner chroot - noexec. spawner chrt - noexec. spawner @@ -99,7 +102,7 @@ diff - runner dirname - NOFORK dmesg - runner dnsd - daemon -dnsdomainname - noexec. needs ^C (may talk to DNS servers, which may be down) +dnsdomainname - noexec. talks to network (may query DNS) dos2unix - noexec. runner dpkg - runner du - runner 
@@ -156,7 +159,7 @@ hdparm - hardware head - noexec. runner hexdump - noexec. runner hostid - NOFORK -hostname - noexec. needs ^C (may talk to DNS servers, which may be down) +hostname - noexec. talks to network (hostname -d may query DNS) httpd - daemon hush - interactive, longterm hwclock - hardware (xioctl(RTC_RD_TIME)) @@ -177,7 +180,7 @@ ionice - noexec. spawner iostat - longterm: "iostat 1" runs indefinitely ip - noexec candidate ipaddr - noexec candidate -ipcalc - noexec candidate +ipcalc - noexec. ipcalc -h talks to network ipcrm - noexec candidate ipcs - noexec candidate iplink - noexec candidate @@ -278,8 +281,8 @@ pstree - noexec pwd - NOFORK pwdx - NOFORK raidautorun - noexec. very simple. leaks: open+xioctl -rdate - needs ^C (may talk to DNS servers, which may be down) -rdev - leaks: find_block_device -> readdir+xstrdup +rdate - talks to network +rdev - noexec. leaks: find_block_device -> readdir+xstrdup readlink - NOFORK readprofile - reads /boot/System.map and /proc/profile, better to free more memory by execing? realpath - NOFORK @@ -293,7 +296,7 @@ rev - runner rm - noexec. rm -i interactive rmdir - NOFORK rmmod - noexec -route - needs ^C (may talk to DNS servers, which may be down) +route - talks to network (may query DNS to convert IPs to names) rpm - runner rpm2cpio - runner rtcwake - longterm: puts system to sleep, optimizing this for speed is pointless diff --git a/networking/ipcalc.c b/networking/ipcalc.c index 9888a6f..4f192e0 100644 --- a/networking/ipcalc.c +++ b/networking/ipcalc.c @@ -31,7 +31,7 @@ //config: Adds the options hostname, prefix and silent to the output of //config: "ipcalc". -//applet:IF_IPCALC(APPLET(ipcalc, BB_DIR_BIN, BB_SUID_DROP)) +//applet:IF_IPCALC(APPLET_NOEXEC(ipcalc, ipcalc, BB_DIR_BIN, BB_SUID_DROP, ipcalc)) //kbuild:lib-$(CONFIG_IPCALC) += ipcalc.o diff --git a/util-linux/rdev.c b/util-linux/rdev.c index 2ffe076..7eb7413 100644 --- a/util-linux/rdev.c +++ b/util-linux/rdev.c 
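Review bot: The new `//applet:IF_IPCALC(APPLET_NOEXEC(...))` line in networking/ipcalc.c has no in-file comment saying why NOEXEC is the right class; the only rationale is the `NOFORK_NOEXEC.lst` entry `ipcalc -h talks to network`. A NOEXEC applet presumably runs in a forked copy of the caller with no fresh exec, so it keeps the caller's open descriptors and memory image (confirm against the NOEXEC runner). That is worth recording next to a code path that does name lookups. I would add a plain comment above the applet line, e.g. `// NOEXEC, not NOFORK: "ipcalc -h" may block on DNS, so ^C must be able to kill it`. The same applies to the util-linux/rdev.c hunk, where something like `// NOEXEC: find_block_device leaks (readdir+xstrdup); acceptable only because the child exits` would carry the list's caveat into the source.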
@@ -14,7 +14,7 @@ //config: help //config: Print the device node associated with the filesystem mounted at '/'. -//applet:IF_RDEV(APPLET(rdev, BB_DIR_USR_SBIN, BB_SUID_DROP)) +//applet:IF_RDEV(APPLET_NOEXEC(rdev, rdev, BB_DIR_USR_SBIN, BB_SUID_DROP, rdev)) //kbuild:lib-$(CONFIG_RDEV) += rdev.o |