ipcalc,rdev: make NOEXEC

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko 2017-08-08 00:42:15 +02:00
parent dbbc3f2e64
commit 90ad4ba9db
3 changed files with 15 additions and 12 deletions

View File

@ -7,6 +7,9 @@ changes state: e.g. environment, signal handlers
leaks: does not free allocated memory or opened fds leaks: does not free allocated memory or opened fds
alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
talks to network/serial/etc: it's not known how long the delay can be,
it's reasonable to expect it might be many seconds
(even if usually it is not), so ^C has to work
runner: sometimes may run for long(ish) time, and/or works with network: runner: sometimes may run for long(ish) time, and/or works with network:
^C has to work (cat BIGFILE, chmod -R, ftpget, nc) ^C has to work (cat BIGFILE, chmod -R, ftpget, nc)
@ -46,7 +49,7 @@ adduser - noexec. leaks
adjtimex - NOFORK adjtimex - NOFORK
ar - runner ar - runner
arch - NOFORK arch - NOFORK
arp - runner, needs ^C: arp -n talks to DNS servers arp - talks to network: arp -n queries DNS
arping - longterm arping - longterm
ash - interactive, longterm ash - interactive, longterm
awk - noexec. runner awk - noexec. runner
@ -62,13 +65,13 @@ bunzip2 - runner
bzcat - runner bzcat - runner
bzip2 - runner bzip2 - runner
cal - runner: cal -n9999 cal - runner: cal -n9999
cat - runner cat - runner: cat HUGEFILE
chat - needs ^C to work chat - longterm (when used as intended - talking to modem over stdin/out)
chattr - noexec. runner chattr - noexec. runner
chgrp - noexec. runner chgrp - noexec. runner
chmod - noexec. runner chmod - noexec. runner
chown - noexec. runner chown - noexec. runner
chpasswd - longterm (list of "user:password"s from stdin) chpasswd - longterm? (list of "user:password"s from stdin)
chpst - noexec. spawner chpst - noexec. spawner
chroot - noexec. spawner chroot - noexec. spawner
chrt - noexec. spawner chrt - noexec. spawner
@ -99,7 +102,7 @@ diff - runner
dirname - NOFORK dirname - NOFORK
dmesg - runner dmesg - runner
dnsd - daemon dnsd - daemon
dnsdomainname - noexec. needs ^C (may talk to DNS servers, which may be down) dnsdomainname - noexec. talks to network (may query DNS)
dos2unix - noexec. runner dos2unix - noexec. runner
dpkg - runner dpkg - runner
du - runner du - runner
@ -156,7 +159,7 @@ hdparm - hardware
head - noexec. runner head - noexec. runner
hexdump - noexec. runner hexdump - noexec. runner
hostid - NOFORK hostid - NOFORK
hostname - noexec. needs ^C (may talk to DNS servers, which may be down) hostname - noexec. talks to network (hostname -d may query DNS)
httpd - daemon httpd - daemon
hush - interactive, longterm hush - interactive, longterm
hwclock - hardware (xioctl(RTC_RD_TIME)) hwclock - hardware (xioctl(RTC_RD_TIME))
@ -177,7 +180,7 @@ ionice - noexec. spawner
iostat - longterm: "iostat 1" runs indefinitely iostat - longterm: "iostat 1" runs indefinitely
ip - noexec candidate ip - noexec candidate
ipaddr - noexec candidate ipaddr - noexec candidate
ipcalc - noexec candidate ipcalc - noexec. ipcalc -h talks to network
ipcrm - noexec candidate ipcrm - noexec candidate
ipcs - noexec candidate ipcs - noexec candidate
iplink - noexec candidate iplink - noexec candidate
@ -278,8 +281,8 @@ pstree - noexec
pwd - NOFORK pwd - NOFORK
pwdx - NOFORK pwdx - NOFORK
raidautorun - noexec. very simple. leaks: open+xioctl raidautorun - noexec. very simple. leaks: open+xioctl
rdate - needs ^C (may talk to DNS servers, which may be down) rdate - talks to network
rdev - leaks: find_block_device -> readdir+xstrdup rdev - noexec. leaks: find_block_device -> readdir+xstrdup
readlink - NOFORK readlink - NOFORK
readprofile - reads /boot/System.map and /proc/profile, better to free more memory by execing? readprofile - reads /boot/System.map and /proc/profile, better to free more memory by execing?
realpath - NOFORK realpath - NOFORK
@ -293,7 +296,7 @@ rev - runner
rm - noexec. rm -i interactive rm - noexec. rm -i interactive
rmdir - NOFORK rmdir - NOFORK
rmmod - noexec rmmod - noexec
route - needs ^C (may talk to DNS servers, which may be down) route - talks to network (may query DNS to convert IPs to names)
rpm - runner rpm - runner
rpm2cpio - runner rpm2cpio - runner
rtcwake - longterm: puts system to sleep, optimizing this for speed is pointless rtcwake - longterm: puts system to sleep, optimizing this for speed is pointless

View File

@ -31,7 +31,7 @@
//config: Adds the options hostname, prefix and silent to the output of //config: Adds the options hostname, prefix and silent to the output of
//config: "ipcalc". //config: "ipcalc".
//applet:IF_IPCALC(APPLET(ipcalc, BB_DIR_BIN, BB_SUID_DROP)) //applet:IF_IPCALC(APPLET_NOEXEC(ipcalc, ipcalc, BB_DIR_BIN, BB_SUID_DROP, ipcalc))
//kbuild:lib-$(CONFIG_IPCALC) += ipcalc.o //kbuild:lib-$(CONFIG_IPCALC) += ipcalc.o

View File

@ -14,7 +14,7 @@
//config: help //config: help
//config: Print the device node associated with the filesystem mounted at '/'. //config: Print the device node associated with the filesystem mounted at '/'.
//applet:IF_RDEV(APPLET(rdev, BB_DIR_USR_SBIN, BB_SUID_DROP)) //applet:IF_RDEV(APPLET_NOEXEC(rdev, rdev, BB_DIR_USR_SBIN, BB_SUID_DROP, rdev))
//kbuild:lib-$(CONFIG_RDEV) += rdev.o //kbuild:lib-$(CONFIG_RDEV) += rdev.o