nameif: make it NOEXEC

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-08-06 14:15:24 +02:00 · 2017-08-06 14:15:24 +02:00 · a759b22c29
commit a759b22c29
parent fbecca1bed
3 changed files with 4 additions and 3 deletions
--- a/NOFORK_NOEXEC.lst
+++ b/NOFORK_NOEXEC.lst
@ -237,10 +237,10 @@ modprobe - noexec
 more - interactive, longterm
 mount - suid
 mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
-mpstat - noexec candidate (it's a measuring tool, putting less load by itself is good), complex
+mpstat - longterm: "mpstat 1" runs indefinitely
 mt - rare
 mv - noexec candidate, runner
-nameif - leaks: config_open2+ioctl_or_perror_and_die
+nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
 nbd-client
 nc - runner
 netstat - runner with -c
--- a/networking/nameif.c
+++ b/networking/nameif.c
@ -40,7 +40,7 @@
 //config:		new_interface_name  mac=00:80:C8:38:91:B5
 //config:		new_interface_name  00:80:C8:38:91:B5

-//applet:IF_NAMEIF(APPLET(nameif, BB_DIR_SBIN, BB_SUID_DROP))
+//applet:IF_NAMEIF(APPLET_NOEXEC(nameif, nameif, BB_DIR_SBIN, BB_SUID_DROP, nameif))

 //kbuild:lib-$(CONFIG_NAMEIF) += nameif.o

--- a/procps/mpstat.c
+++ b/procps/mpstat.c
@ -8,6 +8,7 @@
 */

 //applet:IF_MPSTAT(APPLET(mpstat, BB_DIR_BIN, BB_SUID_DROP))
+/* shouldn't be noexec: "mpstat INTERVAL" runs indefinitely */

 //kbuild:lib-$(CONFIG_MPSTAT) += mpstat.o