chvt, deallocvt, dumpkmap, fgconsole, loadkmap: make them NOEXEC

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-08-05 02:02:31 +02:00 · 2017-08-05 02:02:31 +02:00 · ff53bee723
commit ff53bee723
parent fdb92359e4
6 changed files with 10 additions and 10 deletions
--- a/NOFORK_NOEXEC.lst
+++ b/NOFORK_NOEXEC.lst
@ -69,7 +69,7 @@ chpasswd - runner (list of "user:password"s from stdin)
 chpst - noexec. spawner
 chroot - noexec. spawner
 chrt - noexec. spawner
-chvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate.
+chvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
 cksum - noexec. runner
 clear - NOFORK
 cmp - runner
@ -85,7 +85,7 @@ cut - noexec. runner
 date - noexec. nofork candidate(needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf)
 dc - runner (eats stdin if no params)
 dd - noexec. runner
-deallocvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate.
+deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
 delgroup
 deluser
 depmod - complex, rare
@ -100,7 +100,7 @@ dnsdomainname - needs ^C (may talk to DNS servers, which may be down)
 dos2unix - noexec. runner
 dpkg - runner
 du - runner
-dumpkmap - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate.
+dumpkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
 dumpleases - leaks: open+xread
 echo - NOFORK
 ed - interactive, longterm
@ -120,7 +120,7 @@ fbsplash - runner, longterm
 fdflush - leaks: open+ioctl_or_perror_and_die, needs ^C (floppy may be unresponsive), rare
 fdformat - needs ^C (floppy may be unresponsive), longterm, rare
 fdisk - interactive, longterm
-fgconsole - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate.
+fgconsole - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
 fgrep - longterm runner ("CMD | fgrep ..."  may run indefinitely, better to exec to conserve memory)
 find - noexec. runner
 findfs - suid
@ -195,7 +195,7 @@ linux64 - noexec. spawner
 linuxrc - daemon
 ln - noexec
 loadfont - leaks: config_open+bb_error_msg_and_die("map format")
-loadkmap - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate.
+loadkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
 logger - runner
 login - suid, interactive, longterm
 logname - NOFORK
--- a/console-tools/chvt.c
+++ b/console-tools/chvt.c
@ -14,7 +14,7 @@
 //config:	This program is used to change to another terminal.
 //config:	Example: chvt 4 (change to terminal /dev/tty4)

-//applet:IF_CHVT(APPLET(chvt, BB_DIR_USR_BIN, BB_SUID_DROP))
+//applet:IF_CHVT(APPLET_NOEXEC(chvt, chvt, BB_DIR_USR_BIN, BB_SUID_DROP, chvt))

 //kbuild:lib-$(CONFIG_CHVT) += chvt.o

--- a/console-tools/deallocvt.c
+++ b/console-tools/deallocvt.c
@ -14,7 +14,7 @@
 //config:	help
 //config:	This program deallocates unused virtual consoles.

-//applet:IF_DEALLOCVT(APPLET(deallocvt, BB_DIR_USR_BIN, BB_SUID_DROP))
+//applet:IF_DEALLOCVT(APPLET_NOEXEC(deallocvt, deallocvt, BB_DIR_USR_BIN, BB_SUID_DROP, deallocvt))

 //kbuild:lib-$(CONFIG_DEALLOCVT) += deallocvt.o

--- a/console-tools/dumpkmap.c
+++ b/console-tools/dumpkmap.c
@ -15,7 +15,7 @@
 //config:	This program dumps the kernel's keyboard translation table to
 //config:	stdout, in binary format. You can then use loadkmap to load it.

-//applet:IF_DUMPKMAP(APPLET(dumpkmap, BB_DIR_BIN, BB_SUID_DROP))
+//applet:IF_DUMPKMAP(APPLET_NOEXEC(dumpkmap, dumpkmap, BB_DIR_BIN, BB_SUID_DROP, dumpkmap))

 //kbuild:lib-$(CONFIG_DUMPKMAP) += dumpkmap.o

--- a/console-tools/fgconsole.c
+++ b/console-tools/fgconsole.c
@ -13,7 +13,7 @@
 //config:	help
 //config:	This program prints active (foreground) console number.

-//applet:IF_FGCONSOLE(APPLET(fgconsole, BB_DIR_USR_BIN, BB_SUID_DROP))
+//applet:IF_FGCONSOLE(APPLET_NOEXEC(fgconsole, fgconsole, BB_DIR_USR_BIN, BB_SUID_DROP, fgconsole))

 //kbuild:lib-$(CONFIG_FGCONSOLE) += fgconsole.o

--- a/console-tools/loadkmap.c
+++ b/console-tools/loadkmap.c
@ -14,7 +14,7 @@
 //config:	This program loads a keyboard translation table from
 //config:	standard input.

-//applet:IF_LOADKMAP(APPLET(loadkmap, BB_DIR_SBIN, BB_SUID_DROP))
+//applet:IF_LOADKMAP(APPLET_NOEXEC(loadkmap, loadkmap, BB_DIR_SBIN, BB_SUID_DROP, loadkmap))

 //kbuild:lib-$(CONFIG_LOADKMAP) += loadkmap.o