aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenys Vlasenko <vda.linux@googlemail.com>2017-08-07 16:47:34 +0200
committerDenys Vlasenko <vda.linux@googlemail.com>2017-08-07 16:47:34 +0200
commit1a1203ff8909efc003bb6bf679a6afd6628dc179 (patch)
tree543504b74dd44b83536ff3b2da079586c6401a2e
parent798b94518e61ced3f7be7766727705df4859878c (diff)
downloadbusybox-1a1203ff8909efc003bb6bf679a6afd6628dc179.tar.gz
users,w,who,uptime,renice: make NOEXEC
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--NOFORK_NOEXEC.lst72
-rw-r--r--coreutils/who.c8
-rw-r--r--miscutils/i2c_tools.c1
-rw-r--r--procps/uptime.c2
-rw-r--r--util-linux/renice.c2
5 files changed, 44 insertions, 41 deletions
diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst
index 981a10192..70f38d867 100644
--- a/NOFORK_NOEXEC.lst
+++ b/NOFORK_NOEXEC.lst
@@ -4,9 +4,9 @@ Why can't be NOFORK:
interactive: may wait for user input, ^C has to work
spawner: "tool PROG ARGS" which changes program state and execs - must fork
changes state: e.g. environment, signal handlers
-alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
-open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
leaks: does not free allocated memory or opened fds
+ alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
+ open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
runner: sometimes may run for long(ish) time, and/or works with network:
^C has to work (cat BIGFILE, chmod -R, ftpget, nc)
@@ -25,6 +25,8 @@ longterm: often runs for a long time (many seconds), execing makes
complex: no immediately obvious reason why NOFORK wouldn't work,
but does some non-obvoius operations (example: fuser, lsof, losetup);
detailed audit often turns out that it's a leaker
+hardware: performs unusual hardware ops which may take long,
+ or even hang due to hardware or firmware bugs
Interesting example of "interactive" applet which is nevertheless can be
(and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical
@@ -42,8 +44,8 @@ adduser - noexec. leaks
adjtimex - NOFORK
ar - runner
arch - NOFORK
-arp - complex, rare
-arping - runner
+arp - runner, needs ^C: arp -n talks to DNS servers
+arping - longterm
ash - interactive, longterm
awk - noexec. runner
base64 - runner
@@ -87,7 +89,7 @@ dd - noexec. runner
deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
delgroup - noexec. leaks
deluser - noexec. leaks
-depmod - complex, rare
+depmod - longterm(ish)
devmem - runner, complex (access to device memory may hang)
df - leaks: nested allocs
dhcprelay - daemon
@@ -114,19 +116,19 @@ factor - runner (eats stdin if no params)
fakeidentd - daemon
false - NOFORK
fatattr - leaks: open+xioctl, complex
-fbset - leaks: open+xfunc, complex, rare
+fbset - hardware, leaks: open+xfunc
fbsplash - runner, longterm
-fdflush - leaks: open+ioctl_or_perror_and_die, needs ^C (floppy may be unresponsive), rare
-fdformat - needs ^C (floppy may be unresponsive), longterm, rare
+fdflush - hardware, leaks: open+ioctl_or_perror_and_die
+fdformat - hardware, needs ^C (floppy may be unresponsive), longterm
fdisk - interactive, longterm
fgconsole - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory)
find - noexec. runner
findfs - suid
-flash_eraseall - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
-flash_lock - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
-flash_unlock - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
-flashcp - needs ^C. could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
+flash_eraseall - hardware
+flash_lock - hardware
+flash_unlock - hardware
+flashcp - hardware
flock - spawner, changes state (file locks), let's play safe and not be noexec
fold - noexec. runner
free - nofork candidate(struct globals, needs to close /proc/meminfo fd)
@@ -148,18 +150,18 @@ gunzip - runner
gzip - runner
halt - rare
hd - noexec. runner
-hdparm - complex, rare
+hdparm - hardware
head - noexec. runner
hexdump - noexec. runner
hostid - NOFORK
hostname - needs ^C (may talk to DNS servers, which may be down)
httpd - daemon
hush - interactive, longterm
-hwclock - talks to hardware (xioctl(RTC_RD_TIME)) - needs ^C
-i2cdetect
-i2cdump
-i2cget
-i2cset
+hwclock - hardware (xioctl(RTC_RD_TIME))
+i2cdetect - hardware
+i2cdump - hardware
+i2cget - hardware
+i2cset - hardware
id - noexec
ifconfig - leaks: xsocket+ioctl_or_perror_and_die
ifenslave - leaks: xsocket+bb_perror_msg_and_die
@@ -237,7 +239,7 @@ more - interactive, longterm
mount - suid
mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
mpstat - longterm: "mpstat 1" runs indefinitely
-mt - rare
+mt - hardware
mv - noexec candidate, runner
nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
nbd-client - noexec
@@ -257,8 +259,8 @@ paste - noexec. runner
patch - needs ^C
pgrep - nofork candidate(xregcomp, procps_scan - are they ok?)
pidof - nofork candidate(uses find_pid_by_name, is that ok?)
-ping - suid, runner
-ping6 - suid, runner
+ping - suid, longterm
+ping6 - suid, longterm
pipe_progress - longterm
pivot_root - NOFORK
pkill - nofork candidate(xregcomp, procps_scan - are they ok?)
@@ -282,7 +284,7 @@ realpath - NOFORK
reboot - rare
reformime - runner
remove-shell - noexec. leaks: open+xfunc
-renice - nofork candidate(uses getpwnam, is that ok?)
+renice - noexec. nofork candidate(uses getpwnam, is that ok?)
reset - noexec. spawner (execs "stty")
resize - noexec. changes state (signal handlers)
rev - runner
@@ -358,21 +360,21 @@ timeout - spawner, longterm, changes state (signals)
top - interactive, longterm
touch - NOFORK
tr - runner
-traceroute - suid, runner
-traceroute6 - suid, runner
+traceroute - suid, longterm
+traceroute6 - suid, longterm
true - NOFORK
truncate - NOFORK
tty - NOFORK
ttysize - NOFORK
tunctl - noexec
tune2fs - noexec. leaks: open+xfunc
-ubiattach - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
-ubidetach - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
-ubimkvol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
-ubirename - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
-ubirmvol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
-ubirsvol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
-ubiupdatevol - could be noexec, but I feel flash ops are risky (prone to hw/fw/sw bugs)
+ubiattach - hardware
+ubidetach - hardware
+ubimkvol - hardware
+ubirename - hardware
+ubirmvol - hardware
+ubirsvol - hardware
+ubiupdatevol - hardware
udhcpc - daemon
udhcpd - daemon
udpsvd - daemon
@@ -388,8 +390,8 @@ unlzma - runner
unlzop - runner
unxz - runner
unzip - runner
-uptime - nofork candidate(is getutxent ok?)
-users - nofork candidate(is getutxent ok?)
+uptime - noexec. nofork candidate(is getutxent ok?)
+users - noexec. nofork candidate(is getutxent ok?)
usleep - NOFORK
uudecode - runner
uuencode - runner
@@ -397,14 +399,14 @@ vconfig - leaks: xsocket+ioctl_or_perror_and_die
vi - interactive, longterm
vlock - suid
volname - runner
-w - nofork candidate(is getutxent ok?)
+w - noexec. nofork candidate(is getutxent ok?)
wall - suid
watch - longterm
watchdog - daemon
wc - runner
wget - longterm
which - NOFORK
-who - nofork candidate(is getutxent ok?)
+who - noexec. nofork candidate(is getutxent ok?)
whoami - NOFORK
whois - needs ^C
xargs - noexec. spawner
diff --git a/coreutils/who.c b/coreutils/who.c
index 91f99138c..6be3d692e 100644
--- a/coreutils/who.c
+++ b/coreutils/who.c
@@ -38,10 +38,10 @@
//config: help
//config: Print users currently logged on.
-// APPLET_ODDNAME:name main location suid_type help
-//applet:IF_USERS(APPLET_ODDNAME(users, who, BB_DIR_USR_BIN, BB_SUID_DROP, users))
-//applet:IF_W( APPLET_ODDNAME(w, who, BB_DIR_USR_BIN, BB_SUID_DROP, w))
-//applet:IF_WHO( APPLET( who, BB_DIR_USR_BIN, BB_SUID_DROP))
+// APPLET_NOEXEC:name main location suid_type help
+//applet:IF_USERS(APPLET_NOEXEC(users, who, BB_DIR_USR_BIN, BB_SUID_DROP, users))
+//applet:IF_W( APPLET_NOEXEC(w, who, BB_DIR_USR_BIN, BB_SUID_DROP, w))
+//applet:IF_WHO( APPLET_NOEXEC(who, who, BB_DIR_USR_BIN, BB_SUID_DROP, who))
//kbuild:lib-$(CONFIG_USERS) += who.o
//kbuild:lib-$(CONFIG_W) += who.o
diff --git a/miscutils/i2c_tools.c b/miscutils/i2c_tools.c
index ca2580e92..8d04d2259 100644
--- a/miscutils/i2c_tools.c
+++ b/miscutils/i2c_tools.c
@@ -42,6 +42,7 @@
//applet:IF_I2CSET(APPLET(i2cset, BB_DIR_USR_SBIN, BB_SUID_DROP))
//applet:IF_I2CDUMP(APPLET(i2cdump, BB_DIR_USR_SBIN, BB_SUID_DROP))
//applet:IF_I2CDETECT(APPLET(i2cdetect, BB_DIR_USR_SBIN, BB_SUID_DROP))
+/* not NOEXEC: if hw operation stalls, use less memory in "hung" process */
//kbuild:lib-$(CONFIG_I2CGET) += i2c_tools.o
//kbuild:lib-$(CONFIG_I2CSET) += i2c_tools.o
diff --git a/procps/uptime.c b/procps/uptime.c
index 24b2b39df..b0ee8391b 100644
--- a/procps/uptime.c
+++ b/procps/uptime.c
@@ -27,7 +27,7 @@
//config: help
//config: Display the number of users currently logged on.
-//applet:IF_UPTIME(APPLET(uptime, BB_DIR_USR_BIN, BB_SUID_DROP))
+//applet:IF_UPTIME(APPLET_NOEXEC(uptime, uptime, BB_DIR_USR_BIN, BB_SUID_DROP, uptime))
//kbuild:lib-$(CONFIG_UPTIME) += uptime.o
diff --git a/util-linux/renice.c b/util-linux/renice.c
index 23cbca88d..70c494b3d 100644
--- a/util-linux/renice.c
+++ b/util-linux/renice.c
@@ -25,7 +25,7 @@
//config: Renice alters the scheduling priority of one or more running
//config: processes.
-//applet:IF_RENICE(APPLET(renice, BB_DIR_USR_BIN, BB_SUID_DROP))
+//applet:IF_RENICE(APPLET_NOEXEC(renice, renice, BB_DIR_USR_BIN, BB_SUID_DROP, renice))
//kbuild:lib-$(CONFIG_RENICE) += renice.o