[PATCH 1/1] buildsys: Add helper to list suid applets

Bernhard Reutner-Fischer rep.dot.nop at gmail.com
Tue Jul 9 08:58:54 UTC 2013


Add a helper script that lists all applets that
- do or may require SUID provileges (busybox.cfg.suid)
- do not require SUID provileges (busybox.cfg.nosuid)

Some setups prefer to build two busybox binaries, one that is suid which
contains all applets that do or may require suid privileges, and a
second one for all the rest (which drops suid). To ease splitting these
two binaries, generate two lists of CONFIG_ items for each of the two
binaries.

Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop at gmail.com>
---
 Makefile.custom            |    7 +++++-
 applets/busybox.mksuid     |   54 ++++++++++++++++++++++++++++++++++++++++++++
 include/applets.src.h      |    9 +++++++-
 scripts/kconfig/confdata.c |   24 ++++++++++++++++----
 4 files changed, 88 insertions(+), 6 deletions(-)
 create mode 100755 applets/busybox.mksuid

diff --git a/Makefile.custom b/Makefile.custom
index 6da79e6..3561e57 100644
--- a/Makefile.custom
+++ b/Makefile.custom
@@ -3,7 +3,12 @@
 # ==========================================================================
 
 busybox.links: $(srctree)/applets/busybox.mkll $(objtree)/include/autoconf.h include/applets.h
-	$(Q)-$(SHELL) $^ >$@
+	$(Q)-$(SHELL) $^ > $@
+
+busybox.cfg.suid: $(srctree)/applets/busybox.mksuid $(objtree)/include/autoconf.h include/applets.h
+	$(Q)-SUID="yes" $(SHELL) $^ > $@
+busybox.cfg.nosuid: $(srctree)/applets/busybox.mksuid $(objtree)/include/autoconf.h include/applets.h
+	$(Q)-SUID="DROP" $(SHELL) $^ > $@
 
 .PHONY: install
 ifeq ($(CONFIG_INSTALL_APPLET_SYMLINKS),y)
diff --git a/applets/busybox.mksuid b/applets/busybox.mksuid
new file mode 100755
index 0000000..6492c07
--- /dev/null
+++ b/applets/busybox.mksuid
@@ -0,0 +1,54 @@
+#!/bin/sh
+# Make list of configuration variables regarding suid handling
+
+# input $1: full path to autoconf.h
+# input $2: full path to applets.h
+# input $3: full path to .config
+# output (stdout): list of CONFIG_ that do or may require suid
+
+# If the environment variable SUID is not set or set to DROP,
+# lists all config options that do not require suid permissions.
+# Otherwise, lists all config options for applets that DO or MAY require
+# suid permissions.
+
+# Maintainer: Bernhard Reutner-Fischer
+
+export LC_ALL=POSIX
+export LC_CTYPE=POSIX
+
+CONFIG_H=${1:-include/autoconf.h}
+APPLETS_H=${2:-include/applets.h}
+DOT_CONFIG=${3:-.config}
+
+case ${SUID:-DROP} in
+[dD][rR][oO][pP]) USE="DROP" ;;
+*) USE="suid" ;;
+esac
+
+$HOSTCC -E -DMAKE_SUID -include $CONFIG_H $APPLETS_H |
+  awk -v USE=${USE} '
+    /^SUID[ \t]/{
+      if (USE == "DROP") {
+        if ($2 != "BB_SUID_DROP") next
+      } else {
+        if ($2 == "BB_SUID_DROP") next
+      }
+      cfg = $NF
+      gsub("\"", "", cfg)
+      cfg = substr(cfg, 8)
+      s[i++] = "CONFIG_" cfg
+      s[i++] = "CONFIG_FEATURE_" cfg "_.*"
+    }
+    END{
+      while (getline < ARGV[2]) {
+        for (j in s) {
+          if ($0 ~ "^" s[j] "=y$") {
+            sub(/=.*/, "")
+            print
+            if (s[j] !~ /\*$/) delete s[j] # can drop this applet now
+          }
+        }
+      }
+    }
+' - $DOT_CONFIG
+
diff --git a/include/applets.src.h b/include/applets.src.h
index 00172b1..aa319bb 100644
--- a/include/applets.src.h
+++ b/include/applets.src.h
@@ -52,6 +52,12 @@ s     - suid type:
 # define APPLET_NOEXEC(name,main,l,s,name2)  LINK l name
 # define APPLET_NOFORK(name,main,l,s,name2)  LINK l name
 
+#elif defined(MAKE_SUID)
+# define APPLET(name,l,s)                    SUID s l name
+# define APPLET_ODDNAME(name,main,l,s,name2) SUID s l name
+# define APPLET_NOEXEC(name,main,l,s,name2)  SUID s l name
+# define APPLET_NOFORK(name,main,l,s,name2)  SUID s l name
+
 #else
   static struct bb_applet applets[] = { /*    name, main, location, need_suid */
 # define APPLET(name,l,s)                    { #name, #name, l, s },
@@ -415,7 +421,8 @@ IF_YES(APPLET_NOFORK(yes, yes, BB_DIR_USR_BIN, BB_SUID_DROP, yes))
 IF_GUNZIP(APPLET_ODDNAME(zcat, gunzip, BB_DIR_BIN, BB_SUID_DROP, zcat))
 IF_ZCIP(APPLET(zcip, BB_DIR_SBIN, BB_SUID_DROP))
 
-#if !defined(PROTOTYPES) && !defined(NAME_MAIN_CNAME) && !defined(MAKE_USAGE)
+#if !defined(PROTOTYPES) && !defined(NAME_MAIN_CNAME) && !defined(MAKE_USAGE) \
+	&& !defined(MAKE_LINKS) && !defined(MAKE_SUID)
 };
 #endif
 
diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c
index bd2d70e..303df0b 100644
--- a/scripts/kconfig/confdata.c
+++ b/scripts/kconfig/confdata.c
@@ -474,7 +474,11 @@ int conf_write(const char *name)
 						fprintf(out_h, "#define CONFIG_%s 1\n", sym->name);
 						/* bbox */
 						fprintf(out_h, "#define ENABLE_%s 1\n", sym->name);
-						fprintf(out_h, "#define IF_%s(...) __VA_ARGS__\n", sym->name);
+						fprintf(out_h, "#ifdef MAKE_SUID\n");
+						fprintf(out_h, "# define IF_%s(...) __VA_ARGS__ \"CONFIG_%s\"\n", sym->name, sym->name);
+						fprintf(out_h, "#else\n");
+						fprintf(out_h, "# define IF_%s(...) __VA_ARGS__\n", sym->name);
+						fprintf(out_h, "#endif\n");
 						fprintf(out_h, "#define IF_NOT_%s(...)\n", sym->name);
 					}
 					break;
@@ -506,7 +510,11 @@ int conf_write(const char *name)
 					fputs("\"\n", out_h);
 					/* bbox */
 					fprintf(out_h, "#define ENABLE_%s 1\n", sym->name);
-					fprintf(out_h, "#define IF_%s(...) __VA_ARGS__\n", sym->name);
+					fprintf(out_h, "#ifdef MAKE_SUID\n");
+					fprintf(out_h, "# define IF_%s(...) __VA_ARGS__ \"CONFIG_%s\"\n", sym->name, sym->name);
+					fprintf(out_h, "#else\n");
+					fprintf(out_h, "# define IF_%s(...) __VA_ARGS__\n", sym->name);
+					fprintf(out_h, "#endif\n");
 					fprintf(out_h, "#define IF_NOT_%s(...)\n", sym->name);
 				}
 				break;
@@ -518,7 +526,11 @@ int conf_write(const char *name)
 						fprintf(out_h, "#define CONFIG_%s 0x%s\n", sym->name, str);
 						/* bbox */
 						fprintf(out_h, "#define ENABLE_%s 1\n", sym->name);
-						fprintf(out_h, "#define IF_%s(...) __VA_ARGS__\n", sym->name);
+						fprintf(out_h, "#ifdef MAKE_SUID\n");
+						fprintf(out_h, "# define IF_%s(...) __VA_ARGS__ \"CONFIG_%s\"\n", sym->name, sym->name);
+						fprintf(out_h, "#else\n");
+						fprintf(out_h, "# define IF_%s(...) __VA_ARGS__\n", sym->name);
+						fprintf(out_h, "#endif\n");
 						fprintf(out_h, "#define IF_NOT_%s(...)\n", sym->name);
 					}
 					break;
@@ -532,7 +544,11 @@ int conf_write(const char *name)
 					fprintf(out_h, "#define CONFIG_%s %s\n", sym->name, str);
 					/* bbox */
 					fprintf(out_h, "#define ENABLE_%s 1\n", sym->name);
-					fprintf(out_h, "#define IF_%s(...) __VA_ARGS__\n", sym->name);
+					fprintf(out_h, "#ifdef MAKE_SUID\n");
+					fprintf(out_h, "# define IF_%s(...) __VA_ARGS__ \"CONFIG_%s\"\n", sym->name, sym->name);
+					fprintf(out_h, "#else\n");
+					fprintf(out_h, "# define IF_%s(...) __VA_ARGS__\n", sym->name);
+					fprintf(out_h, "#endif\n");
 					fprintf(out_h, "#define IF_NOT_%s(...)\n", sym->name);
 				}
 				break;
-- 
1.7.10.4



More information about the busybox mailing list