diff options
-rw-r--r-- | NOFORK_NOEXEC.lst | 72 | ||||
-rw-r--r-- | coreutils/who.c | 8 | ||||
-rw-r--r-- | miscutils/i2c_tools.c | 1 | ||||
-rw-r--r-- | procps/uptime.c | 2 | ||||
-rw-r--r-- | util-linux/renice.c | 2 |
5 files changed, 44 insertions, 41 deletions
diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst index 981a10192..70f38d867 100644 --- a/NOFORK_NOEXEC.lst +++ b/NOFORK_NOEXEC.lst @@ -4,9 +4,9 @@ Why can't be NOFORK: interactive: may wait for user input, ^C has to work spawner: "tool PROG ARGS" which changes program state and execs - must fork changes state: e.g. environment, signal handlers -alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies -open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies leaks: does not free allocated memory or opened fds + alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies + open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies runner: sometimes may run for long(ish) time, and/or works with network: ^C has to work (cat BIGFILE, chmod -R, ftpget, nc) @@ -25,6 +25,8 @@ longterm: often runs for a long time (many seconds), execing makes complex: no immediately obvious reason why NOFORK wouldn't work, but does some non-obvoius operations (example: fuser, lsof, losetup); detailed audit often turns out that it's a leaker +hardware: performs unusual hardware ops which may take long, + or even hang due to hardware or firmware bugs Interesting example of "interactive" applet which is nevertheless can be (and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical @@ -42,8 +44,8 @@ adduser - noexec. leaks adjtimex - NOFORK ar - runner arch - NOFORK -arp - complex, rare -arping - runner +arp - runner, needs ^C: arp -n talks to DNS servers +arping - longterm ash - interactive, longterm awk - noexec. runner base64 - runner @@ -87,7 +89,7 @@ dd - noexec. runner deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds delgroup - noexec. leaks deluser - noexec. leaks -depmod - complex, rare +depmod - longterm(ish) devmem - runner, complex (access to device memory may hang) df - leaks: nested allocs dhcprelay - daemon @@ -114,19 +116,19 @@ factor - runner (eats stdin if no params) fakeidentd - daemon false - NOFORK fatattr - leaks: open+xioctl, complex -fbset - leaks: open+xfunc, complex, rare +fbset - hardware, leaks: open+xfunc fbsplash - runner, longterm -fdflush - leaks: open+ioctl_or_perror_and_die, needs ^C (floppy may be unresponsive), rare -fdformat - needs ^C (floppy may be unresponsive), longterm, rare +fdflush - hardware, leaks: open+ioctl_or_perror_and_die +fdformat - hardware, needs ^C (floppy may be unresponsive), longterm fdisk - interactive, longterm fgconsole - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory) find - noexec. runner findfs - suid -flash_eraseall - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs) -flash_lock - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs) -flash_unlock - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs) -flashcp - needs ^C. could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs) +flash_eraseall - hardware +flash_lock - hardware +flash_unlock - hardware +flashcp - hardware flock - spawner, changes state (file locks), let's play safe and not be noexec fold - noexec. runner free - nofork candidate(struct globals, needs to close /proc/meminfo fd) @@ -148,18 +150,18 @@ gunzip - runner gzip - runner halt - rare hd - noexec. runner -hdparm - complex, rare +hdparm - hardware head - noexec. runner hexdump - noexec. runner hostid - NOFORK hostname - needs ^C (may talk to DNS servers, which may be down) httpd - daemon hush - interactive, longterm -hwclock - talks to hardware (xioctl(RTC_RD_TIME)) - needs ^C -i2cdetect -i2cdump -i2cget -i2cset +hwclock - hardware (xioctl(RTC_RD_TIME)) +i2cdetect - hardware +i2cdump - hardware +i2cget - hardware +i2cset - hardware id - noexec ifconfig - leaks: xsocket+ioctl_or_perror_and_die ifenslave - leaks: xsocket+bb_perror_msg_and_die @@ -237,7 +239,7 @@ more - interactive, longterm mount - suid mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup mpstat - longterm: "mpstat 1" runs indefinitely -mt - rare +mt - hardware mv - noexec candidate, runner nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die nbd-client - noexec @@ -257,8 +259,8 @@ paste - noexec. runner patch - needs ^C pgrep - nofork candidate(xregcomp, procps_scan - are they ok?) pidof - nofork candidate(uses find_pid_by_name, is that ok?) -ping - suid, runner -ping6 - suid, runner +ping - suid, longterm +ping6 - suid, longterm pipe_progress - longterm pivot_root - NOFORK pkill - nofork candidate(xregcomp, procps_scan - are they ok?) @@ -282,7 +284,7 @@ realpath - NOFORK reboot - rare reformime - runner remove-shell - noexec. leaks: open+xfunc -renice - nofork candidate(uses getpwnam, is that ok?) +renice - noexec. nofork candidate(uses getpwnam, is that ok?) reset - noexec. spawner (execs "stty") resize - noexec. changes state (signal handlers) rev - runner @@ -358,21 +360,21 @@ timeout - spawner, longterm, changes state (signals) top - interactive, longterm touch - NOFORK tr - runner -traceroute - suid, runner -traceroute6 - suid, runner +traceroute - suid, longterm +traceroute6 - suid, longterm true - NOFORK truncate - NOFORK tty - NOFORK ttysize - NOFORK tunctl - noexec tune2fs - noexec. leaks: open+xfunc -ubiattach - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs) -ubidetach - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs) -ubimkvol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs) -ubirename - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs) -ubirmvol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs) -ubirsvol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs) -ubiupdatevol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs) +ubiattach - hardware +ubidetach - hardware +ubimkvol - hardware +ubirename - hardware +ubirmvol - hardware +ubirsvol - hardware +ubiupdatevol - hardware udhcpc - daemon udhcpd - daemon udpsvd - daemon @@ -388,8 +390,8 @@ unlzma - runner unlzop - runner unxz - runner unzip - runner -uptime - nofork candidate(is getutxent ok?) -users - nofork candidate(is getutxent ok?) +uptime - noexec. nofork candidate(is getutxent ok?) +users - noexec. nofork candidate(is getutxent ok?) usleep - NOFORK uudecode - runner uuencode - runner @@ -397,14 +399,14 @@ vconfig - leaks: xsocket+ioctl_or_perror_and_die vi - interactive, longterm vlock - suid volname - runner -w - nofork candidate(is getutxent ok?) +w - noexec. nofork candidate(is getutxent ok?) wall - suid watch - longterm watchdog - daemon wc - runner wget - longterm which - NOFORK -who - nofork candidate(is getutxent ok?) +who - noexec. nofork candidate(is getutxent ok?) whoami - NOFORK whois - needs ^C xargs - noexec. spawner diff --git a/coreutils/who.c b/coreutils/who.c index 91f99138c..6be3d692e 100644 --- a/coreutils/who.c +++ b/coreutils/who.c @@ -38,10 +38,10 @@ //config: help //config: Print users currently logged on. -// APPLET_ODDNAME:name main location suid_type help -//applet:IF_USERS(APPLET_ODDNAME(users, who, BB_DIR_USR_BIN, BB_SUID_DROP, users)) -//applet:IF_W( APPLET_ODDNAME(w, who, BB_DIR_USR_BIN, BB_SUID_DROP, w)) -//applet:IF_WHO( APPLET( who, BB_DIR_USR_BIN, BB_SUID_DROP)) +// APPLET_NOEXEC:name main location suid_type help +//applet:IF_USERS(APPLET_NOEXEC(users, who, BB_DIR_USR_BIN, BB_SUID_DROP, users)) +//applet:IF_W( APPLET_NOEXEC(w, who, BB_DIR_USR_BIN, BB_SUID_DROP, w)) +//applet:IF_WHO( APPLET_NOEXEC(who, who, BB_DIR_USR_BIN, BB_SUID_DROP, who)) //kbuild:lib-$(CONFIG_USERS) += who.o //kbuild:lib-$(CONFIG_W) += who.o diff --git a/miscutils/i2c_tools.c b/miscutils/i2c_tools.c index ca2580e92..8d04d2259 100644 --- a/miscutils/i2c_tools.c +++ b/miscutils/i2c_tools.c @@ -42,6 +42,7 @@ //applet:IF_I2CSET(APPLET(i2cset, BB_DIR_USR_SBIN, BB_SUID_DROP)) //applet:IF_I2CDUMP(APPLET(i2cdump, BB_DIR_USR_SBIN, BB_SUID_DROP)) //applet:IF_I2CDETECT(APPLET(i2cdetect, BB_DIR_USR_SBIN, BB_SUID_DROP)) +/* not NOEXEC: if hw operation stalls, use less memory in "hung" process */ //kbuild:lib-$(CONFIG_I2CGET) += i2c_tools.o //kbuild:lib-$(CONFIG_I2CSET) += i2c_tools.o diff --git a/procps/uptime.c b/procps/uptime.c index 24b2b39df..b0ee8391b 100644 --- a/procps/uptime.c +++ b/procps/uptime.c @@ -27,7 +27,7 @@ //config: help //config: Display the number of users currently logged on. -//applet:IF_UPTIME(APPLET(uptime, BB_DIR_USR_BIN, BB_SUID_DROP)) +//applet:IF_UPTIME(APPLET_NOEXEC(uptime, uptime, BB_DIR_USR_BIN, BB_SUID_DROP, uptime)) //kbuild:lib-$(CONFIG_UPTIME) += uptime.o diff --git a/util-linux/renice.c b/util-linux/renice.c index 23cbca88d..70c494b3d 100644 --- a/util-linux/renice.c +++ b/util-linux/renice.c @@ -25,7 +25,7 @@ //config: Renice alters the scheduling priority of one or more running //config: processes. -//applet:IF_RENICE(APPLET(renice, BB_DIR_USR_BIN, BB_SUID_DROP)) +//applet:IF_RENICE(APPLET_NOEXEC(renice, renice, BB_DIR_USR_BIN, BB_SUID_DROP, renice)) //kbuild:lib-$(CONFIG_RENICE) += renice.o |