[git commit] nameif: make it NOEXEC

Denys Vlasenko vda.linux at googlemail.com
Sun Aug 6 12:15:24 UTC 2017


commit: https://git.busybox.net/busybox/commit/?id=a759b22c29fed7d6c77efe0c3e27772371d0889b
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 NOFORK_NOEXEC.lst   | 4 ++--
 networking/nameif.c | 2 +-
 procps/mpstat.c     | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst
index 45b178c..9b33afc 100644
--- a/NOFORK_NOEXEC.lst
+++ b/NOFORK_NOEXEC.lst
@@ -237,10 +237,10 @@ modprobe - noexec
 more - interactive, longterm
 mount - suid
 mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
-mpstat - noexec candidate (it's a measuring tool, putting less load by itself is good), complex
+mpstat - longterm: "mpstat 1" runs indefinitely
 mt - rare
 mv - noexec candidate, runner
-nameif - leaks: config_open2+ioctl_or_perror_and_die
+nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
 nbd-client
 nc - runner
 netstat - runner with -c
diff --git a/networking/nameif.c b/networking/nameif.c
index 31ee98a..1f26954 100644
--- a/networking/nameif.c
+++ b/networking/nameif.c
@@ -40,7 +40,7 @@
 //config:		new_interface_name  mac=00:80:C8:38:91:B5
 //config:		new_interface_name  00:80:C8:38:91:B5
 
-//applet:IF_NAMEIF(APPLET(nameif, BB_DIR_SBIN, BB_SUID_DROP))
+//applet:IF_NAMEIF(APPLET_NOEXEC(nameif, nameif, BB_DIR_SBIN, BB_SUID_DROP, nameif))
 
 //kbuild:lib-$(CONFIG_NAMEIF) += nameif.o
 
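Review bot: The new `APPLET_NOEXEC(nameif, ...)` line carries no in-file record of the caveats this same commit lists for nameif in NOFORK_NOEXEC.lst (`openlog()`, leaks via `config_open2` and `ioctl_or_perror_and_die`), whereas mpstat.c gets an explanatory comment. A NOEXEC applet runs in a forked copy of the calling busybox process instead of a freshly exec'ed image, so inherited state, open descriptors and the syslog connection are worth documenting where the next maintainer will see them. I would add beside the applet line something like `/* noexec: calls openlog(); leaks (config_open2, ioctl_or_perror_and_die) are tolerable only because the child exits */`. The applet body is outside this hunk, so it could not be checked here whether every path ends in exit rather than a return into the caller.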
diff --git a/procps/mpstat.c b/procps/mpstat.c
index 1eabd8e..acaff4d 100644
--- a/procps/mpstat.c
+++ b/procps/mpstat.c
@@ -8,6 +8,7 @@
  */
 
 //applet:IF_MPSTAT(APPLET(mpstat, BB_DIR_BIN, BB_SUID_DROP))
+/* shouldn't be noexec: "mpstat INTERVAL" runs indefinitely */
 
 //kbuild:lib-$(CONFIG_MPSTAT) += mpstat.o
 

