From a759b22c29fed7d6c77efe0c3e27772371d0889b Mon Sep 17 00:00:00 2001
From: Denys Vlasenko
Date: Sun, 6 Aug 2017 14:15:24 +0200
Subject: nameif: make it NOEXEC
Signed-off-by: Denys Vlasenko
---
 NOFORK_NOEXEC.lst | 4 ++--
 networking/nameif.c | 2 +-
 procps/mpstat.c | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst
index 45b178ca8..9b33afc32 100644
--- a/NOFORK_NOEXEC.lst
+++ b/NOFORK_NOEXEC.lst
@@ -237,10 +237,10 @@ modprobe - noexec
 more - interactive, longterm
 mount - suid
 mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
-mpstat - noexec candidate (it's a measuring tool, putting less load by itself is good), complex
+mpstat - longterm: "mpstat 1" runs indefinitely
 mt - rare
 mv - noexec candidate, runner
-nameif - leaks: config_open2+ioctl_or_perror_and_die
+nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
 nbd-client
 nc - runner
 netstat - runner with -c
diff --git a/networking/nameif.c b/networking/nameif.c
index 31ee98a39..1f2695495 100644
--- a/networking/nameif.c
+++ b/networking/nameif.c
@@ -40,7 +40,7 @@
 //config: new_interface_name mac=00:80:C8:38:91:B5
 //config: new_interface_name 00:80:C8:38:91:B5
-//applet:IF_NAMEIF(APPLET(nameif, BB_DIR_SBIN, BB_SUID_DROP))
+//applet:IF_NAMEIF(APPLET_NOEXEC(nameif, nameif, BB_DIR_SBIN, BB_SUID_DROP, nameif))
 //kbuild:lib-$(CONFIG_NAMEIF) += nameif.o
diff --git a/procps/mpstat.c b/procps/mpstat.c
index 1eabd8e38..acaff4dc0 100644
--- a/procps/mpstat.c
+++ b/procps/mpstat.c
@@ -8,6 +8,7 @@
 */
 //applet:IF_MPSTAT(APPLET(mpstat, BB_DIR_BIN, BB_SUID_DROP))
+/* shouldn't be noexec: "mpstat INTERVAL" runs indefinitely */
 //kbuild:lib-$(CONFIG_MPSTAT) += mpstat.o
-- 
cgit v1.2.3
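Review bot: The new `//applet:` line in networking/nameif.c switches to `APPLET_NOEXEC` without any in-source rationale; the only explanation is the NOFORK_NOEXEC.lst entry, which records that nameif calls openlog() and leaks in config_open2 and ioctl_or_perror_and_die. A NOEXEC applet runs in a forked copy of the calling busybox process instead of a freshly exec'ed one, so it starts with the parent's open descriptors, signal dispositions and syslog state, and the listed leaks are what would make a later promotion to NOFORK unsafe. A one-line comment under the macro, such as `/* noexec, not nofork: calls openlog() and leaks in config_open2 + ioctl_or_perror_and_die */`, would mirror the comment this commit adds to procps/mpstat.c and keep that constraint next to the code. The body of nameif_main is outside the hunk, so whether it depends on or resets any inherited state could not be checked here.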