author | Denys Vlasenko <vda.linux@googlemail.com> | 2017-08-04 02:56:39 +0200 |
---|---|---|
committer | Denys Vlasenko <vda.linux@googlemail.com> | 2017-08-04 02:56:39 +0200 |
commit | 3346b4afc5c81d53eae4e7fc7e12ebd6fa573a4e (patch) | |
tree | e33011f2b34b79a7c974f0aefc13b9a72378e811 | |
parent | 4dc86699b57ff35c287ca396d562ec206776694a (diff) |
modutils: make them NOEXEC except depmod
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | NOFORK_NOEXEC.lst | 10 | ||||
-rw-r--r-- | modutils/insmod.c | 2 | ||||
-rw-r--r-- | modutils/lsmod.c | 2 | ||||
-rw-r--r-- | modutils/modinfo.c | 2 | ||||
-rw-r--r-- | modutils/modprobe-small.c | 15 | ||||
-rw-r--r-- | modutils/modprobe.c | 2 | ||||
-rw-r--r-- | modutils/rmmod.c | 2 |
7 files changed, 19 insertions, 16 deletions
diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst index 9fcef7823..12ae1cd55 100644 --- a/NOFORK_NOEXEC.lst +++ b/NOFORK_NOEXEC.lst @@ -156,7 +156,7 @@ ifplugd - daemon inetd - daemon init - daemon inotifyd - daemon -insmod +insmod - noexec install - runner ionice - spawner iostat - runner @@ -193,7 +193,7 @@ lpq - runner lpr - runner ls - noexec. runner lsattr -lsmod +lsmod - noexec lsof - complex lspci lsscsi @@ -220,8 +220,8 @@ mknod - noexec mkpasswd mkswap mktemp -modinfo -modprobe +modinfo - noexec +modprobe - noexec more - interactive mount - suid mountpoint @@ -277,7 +277,7 @@ resize - noexec. changes state (signal handlers) rev - runner rm - noexec. rm -i interactive rmdir - NOFORK -rmmod +rmmod - noexec route rpm - runner rpm2cpio - runner diff --git a/modutils/insmod.c b/modutils/insmod.c index b8ede8a81..4dc0b6608 100644 --- a/modutils/insmod.c +++ b/modutils/insmod.c @@ -13,7 +13,7 @@ //config: help //config: insmod is used to load specified modules in the running kernel. -//applet:IF_INSMOD(IF_NOT_MODPROBE_SMALL(APPLET(insmod, BB_DIR_SBIN, BB_SUID_DROP))) +//applet:IF_INSMOD(IF_NOT_MODPROBE_SMALL(APPLET_NOEXEC(insmod, insmod, BB_DIR_SBIN, BB_SUID_DROP, insmod))) //kbuild:ifneq ($(CONFIG_MODPROBE_SMALL),y) //kbuild:lib-$(CONFIG_INSMOD) += insmod.o modutils.o diff --git a/modutils/lsmod.c b/modutils/lsmod.c index 4bf8f8481..84860cd79 100644 --- a/modutils/lsmod.c +++ b/modutils/lsmod.c @@ -23,7 +23,7 @@ //config: the format of module-init-tools for Linux kernel 2.6. //config: Increases size somewhat. -//applet:IF_LSMOD(IF_NOT_MODPROBE_SMALL(APPLET(lsmod, BB_DIR_SBIN, BB_SUID_DROP))) +//applet:IF_LSMOD(IF_NOT_MODPROBE_SMALL(APPLET_NOEXEC(lsmod, lsmod, BB_DIR_SBIN, BB_SUID_DROP, lsmod))) //kbuild:ifneq ($(CONFIG_MODPROBE_SMALL),y) //kbuild:lib-$(CONFIG_LSMOD) += lsmod.o modutils.o diff --git a/modutils/modinfo.c b/modutils/modinfo.c index 371c93991..0f1d3ee47 100644 --- a/modutils/modinfo.c +++ b/modutils/modinfo.c 
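Review bot: The `//applet:` line in modutils/insmod.c now uses `APPLET_NOEXEC`, but nothing next to it records what that changes for monitoring: as far as I understand busybox's NOEXEC mode, a standalone shell forks and calls the applet's main directly, so no execve of the insmod binary takes place. Audit or accounting setups that key on exec of the module tools would then presumably miss loads and unloads started from such a shell, whereas rules on the init_module/finit_module/delete_module syscalls would still fire. I would add a comment beside the line, for example `/* NOEXEC: a standalone shell runs this without execve; audit module syscalls, not exec of this binary */`. The same applies to the one-line hunks in lsmod.c, modinfo.c, modprobe.c and rmmod.c, which also carry no rationale; the only explanation in the commit sits in modprobe-small.c.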
@@ -12,7 +12,7 @@ //config: help //config: Show information about a Linux Kernel module -//applet:IF_MODINFO(APPLET(modinfo, BB_DIR_SBIN, BB_SUID_DROP)) +//applet:IF_MODINFO(APPLET_NOEXEC(modinfo, modinfo, BB_DIR_SBIN, BB_SUID_DROP, modinfo)) //kbuild:lib-$(CONFIG_MODINFO) += modinfo.o modutils.o diff --git a/modutils/modprobe-small.c b/modutils/modprobe-small.c index 053a7df89..cd4f554f3 100644 --- a/modutils/modprobe-small.c +++ b/modutils/modprobe-small.c @@ -11,12 +11,15 @@ /* modprobe-small configs are defined in Config.src to ensure better * "make config" order */ -//applet:IF_LSMOD( IF_MODPROBE_SMALL(APPLET(lsmod, BB_DIR_SBIN, BB_SUID_DROP))) -//applet:IF_MODPROBE(IF_MODPROBE_SMALL(APPLET(modprobe, BB_DIR_SBIN, BB_SUID_DROP))) -// APPLET_ODDNAME:name main location suid_type help -//applet:IF_DEPMOD(IF_MODPROBE_SMALL(APPLET_ODDNAME(depmod, modprobe, BB_DIR_SBIN, BB_SUID_DROP, depmod))) -//applet:IF_INSMOD(IF_MODPROBE_SMALL(APPLET_ODDNAME(insmod, modprobe, BB_DIR_SBIN, BB_SUID_DROP, insmod))) -//applet:IF_RMMOD( IF_MODPROBE_SMALL(APPLET_ODDNAME(rmmod, modprobe, BB_DIR_SBIN, BB_SUID_DROP, rmmod))) +//applet:IF_LSMOD( IF_MODPROBE_SMALL(APPLET_NOEXEC( lsmod, lsmod, BB_DIR_SBIN, BB_SUID_DROP, lsmod ))) +//applet:IF_MODPROBE(IF_MODPROBE_SMALL(APPLET_NOEXEC( modprobe, modprobe, BB_DIR_SBIN, BB_SUID_DROP, modprobe))) +// APPLET_ODDNAME:name main location suid_type help +//applet:IF_DEPMOD( IF_MODPROBE_SMALL(APPLET_ODDNAME(depmod, modprobe, BB_DIR_SBIN, BB_SUID_DROP, depmod ))) +//applet:IF_INSMOD( IF_MODPROBE_SMALL(APPLET_NOEXEC( insmod, modprobe, BB_DIR_SBIN, BB_SUID_DROP, insmod ))) +//applet:IF_RMMOD( IF_MODPROBE_SMALL(APPLET_NOEXEC( rmmod, modprobe, BB_DIR_SBIN, BB_SUID_DROP, rmmod ))) +/* noexec speeds up boot with many modules loaded (need SH_STANDALONE=y) */ +/* I measured about ~5 times faster insmod */ +/* depmod is not noexec, it runs longer and benefits from memory trimming via exec */ //kbuild:lib-$(CONFIG_MODPROBE_SMALL) += modprobe-small.o 
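Review bot: The three rationale comments added after the applet block in modutils/modprobe-small.c explain the speed gain and why depmod is excluded, but leave out the constraint NOEXEC puts on the code: the applet presumably starts in a forked copy of the invoking shell instead of a fresh process image, so signal dispositions, open descriptors and global state are inherited. For insmod, rmmod and modprobe, which go on to change kernel module state, that assumption deserves a line of its own, e.g. `/* noexec: do not assume default signal handlers, closed fds or zeroed globals on entry */`. The shared `modprobe` main lies outside this hunk, so whether it already meets that constraint cannot be confirmed from here.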
diff --git a/modutils/modprobe.c b/modutils/modprobe.c index 1a7db09f2..e899935c4 100644 --- a/modutils/modprobe.c +++ b/modutils/modprobe.c @@ -26,7 +26,7 @@ //config: hardware autodetection scripts to load modules like evdev, frame //config: buffer drivers etc. -//applet:IF_MODPROBE(IF_NOT_MODPROBE_SMALL(APPLET(modprobe, BB_DIR_SBIN, BB_SUID_DROP))) +//applet:IF_MODPROBE(IF_NOT_MODPROBE_SMALL(APPLET_NOEXEC(modprobe, modprobe, BB_DIR_SBIN, BB_SUID_DROP, modprobe))) //kbuild:ifneq ($(CONFIG_MODPROBE_SMALL),y) //kbuild:lib-$(CONFIG_MODPROBE) += modprobe.o modutils.o diff --git a/modutils/rmmod.c b/modutils/rmmod.c index d60e49413..df50e58af 100644 --- a/modutils/rmmod.c +++ b/modutils/rmmod.c @@ -14,7 +14,7 @@ //config: help //config: rmmod is used to unload specified modules from the kernel. -//applet:IF_RMMOD(IF_NOT_MODPROBE_SMALL(APPLET(rmmod, BB_DIR_SBIN, BB_SUID_DROP))) +//applet:IF_RMMOD(IF_NOT_MODPROBE_SMALL(APPLET_NOEXEC(rmmod, rmmod, BB_DIR_SBIN, BB_SUID_DROP, rmmod))) //kbuild:ifneq ($(CONFIG_MODPROBE_SMALL),y) //kbuild:lib-$(CONFIG_RMMOD) += rmmod.o modutils.o |