[git commit] make 17 state-changing execing applets (ex: "nice PROG ARGS") noexec

Denys Vlasenko vda.linux at googlemail.com
Fri Aug 4 17:55:01 UTC 2017


commit: https://git.busybox.net/busybox/commit/?id=5c527dc57e74c1b60c910dc1a3f3ec9683fca43d
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

The applets with "<applet> [opts] PROG ARGS" API very quickly exec
another program, noexec is okay for them:

 chpst/envdir/envuidgid/softlimit/setuidgid
 chroot
 chrt
 ionice
 nice
 nohup
 setarch/linux32/linux64
 taskset
 cttyhack

"reset" and "sulogin" applets don't have this form, but also exec
another program at once, thus made noexec too.

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 NOFORK_NOEXEC.lst     | 46 +++++++++++++++++++++++-----------------------
 console-tools/reset.c |  2 +-
 coreutils/chroot.c    |  3 ++-
 coreutils/nice.c      |  2 +-
 coreutils/nohup.c     |  2 +-
 loginutils/sulogin.c  |  4 ++--
 runit/chpst.c         | 12 ++++++------
 shell/cttyhack.c      |  2 +-
 util-linux/chrt.c     |  2 +-
 util-linux/ionice.c   |  2 +-
 util-linux/setarch.c  |  8 ++++----
 util-linux/taskset.c  |  2 +-
 12 files changed, 44 insertions(+), 43 deletions(-)

diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst
index ccd8f0c..5ec9ae3 100644
--- a/NOFORK_NOEXEC.lst
+++ b/NOFORK_NOEXEC.lst
@@ -20,7 +20,7 @@ suid: runs under different uid - must fork+exec
 Why shouldn't be NOFORK/NOEXEC:
 rare: not started often enough to bother optimizing (example: poweroff)
 daemon: runs indefinitely; these are also always fit "rare" category
-longterm: often runs for a long time (many seconds), execing would make
+longterm: often runs for a long time (many seconds), execing makes
 	memory footprint smaller
 complex: no immediately obvious reason why NOFORK wouldn't work,
 	but does some non-obvoius operations (example: fuser, lsof, losetup);
@@ -66,9 +66,9 @@ chgrp - noexec. runner
 chmod - noexec. runner
 chown - noexec. runner
 chpasswd - runner (list of "user:password"s from stdin)
-chpst - noexec candidate, spawner
-chroot - noexec candidate, spawner
-chrt - noexec candidate, spawner
+chpst - noexec. spawner
+chroot - noexec. spawner
+chrt - noexec. spawner
 chvt - leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds. Also, "rare" category. noexec candidate.
 cksum - noexec. runner
 clear - NOFORK
@@ -80,7 +80,7 @@ cpio - runner
 crond - daemon
 crontab 0 leaks: open+xasprintf
 cryptpw - changes state: with --password-fd=N, moves N to stdin. Also, "rare" category. noexec candidate.
-cttyhack - noexec candidate, spawner
+cttyhack - noexec. spawner
 cut - noexec. runner
 date - noexec. nofork candidate(needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf)
 dc - runner (eats stdin if no params)
@@ -107,8 +107,8 @@ ed - interactive, longterm
 egrep - longterm runner ("CMD | egrep ..."  may run indefinitely, better to exec to conserve memory)
 eject - leaks: open+ioctl_or_perror_and_die, changes state (moves fds)
 env - noexec. spawner, changes state (env)
-envdir - noexec candidate, spawner
-envuidgid - noexec candidate, spawner
+envdir - noexec. spawner
+envuidgid - noexec. spawner
 expand - runner
 expr - leaks: nested allocs
 factor - runner (eats stdin if no params)
@@ -128,7 +128,7 @@ flash_eraseall
 flash_lock
 flash_unlock
 flashcp
-flock - spawner, changes state (file locks)
+flock - spawner, changes state (file locks), let's play safe and not be noexec
 fold - noexec. runner
 free - nofork candidate(struct globals, needs to close /proc/meminfo fd)
 freeramdisk - leaks: open+ioctl_or_perror_and_die
@@ -170,7 +170,7 @@ init - daemon
 inotifyd - daemon
 insmod - noexec
 install - runner
-ionice - spawner
+ionice - noexec. spawner
 iostat - runner
 ip - noexec candidate
 ipaddr - noexec candidate
@@ -190,8 +190,8 @@ klogd - daemon
 last - runner (I've got 1300 lines of output when tried it)
 less - interactive, longterm
 link - NOFORK
-linux32 - spawner
-linux64 - spawner
+linux32 - noexec. spawner
+linux64 - noexec. spawner
 linuxrc - daemon
 ln - noexec
 loadfont - leaks: config_open+bb_error_msg_and_die("map format")
@@ -247,11 +247,11 @@ netstat - runner with -c
 nice - noexec candidate, spawner
 nl - runner
 nmeter - longterm
-nohup - noexec candidate (maybe free concat_path_file result?), spawner
+nohup - noexec. spawner
 nproc - NOFORK
 ntpd - daemon
 od - runner
-openvt - spawner
+openvt - longterm: spawns a child and waits for it
 partprobe - noexec candidate (simple), leaks: open+ioctl_or_perror_and_die(BLKRRPART)
 passwd - suid
 paste - noexec. runner
@@ -304,15 +304,15 @@ scriptreplay
 sed - runner
 sendmail - runner
 seq - noexec. runner
-setarch - spawner
+setarch - noexec. spawner
 setconsole
 setfont
 setkeycodes
 setlogcons
-setpriv - spawner
+setpriv - spawner, changes state, let's play safe and not be noexec
 setserial
-setsid - spawner
-setuidgid
+setsid - spawner, uses fork_or_rexec() [not audted to work in noexec], let's play safe and not be noexec
+setuidgid - noexec. spawner
 sha1sum - noexec. runner
 sha256sum - noexec. runner
 sha3sum - noexec. runner
@@ -323,7 +323,7 @@ shuf - noexec. runner
 slattach
 sleep - runner, longterm
 smemcap - runner
-softlimit - noexec candidate, spawner
+softlimit - noexec. spawner
 sort - noexec. runner
 split - runner
 ssl_client - longterm
@@ -332,21 +332,21 @@ stat - nofork candidate(needs fewer allocs)
 strings - runner
 stty - noexec/nofork candidate. has no allocs or opens except xmove_fd(xopen("-F DEVICE"),STDIN). tcsetattr(STDIN) is not a problem: it would work the same across processes sharing this fd
 su - suid, spawner
-sulogin - spawner
+sulogin - noexec. spawner
 sum - runner
 sv - noexec candidate, needs ^C (uses usleep(420000))
 svc - noexec candidate, needs ^C (uses usleep(420000))
 svlogd - daemon
 swapoff - rare
 swapon - rare
-switch_root - spawner, rare, changes state
+switch_root - spawner, rare, changes state (oh yes), execing may be important to free binary's inode
 sync - NOFORK
 sysctl - noexec candidate, leaks: xstrdup+xmalloc_read
 syslogd - daemon
 tac - noexec. runner
 tail - runner
 tar - runner
-taskset - spawner
+taskset - noexec. spawner
 tcpsvd - daemon
 tee - runner
 telnet - interactive, longterm
@@ -354,8 +354,8 @@ telnetd - daemon
 test - NOFORK
 tftp - runner
 tftpd - daemon
-time - spawner, changes state (signals)
-timeout - spawner, changes state (signals)
+time - spawner, longterm, changes state (signals)
+timeout - spawner, longterm, changes state (signals)
 top - interactive, longterm
 touch - NOFORK
 tr - runner
diff --git a/console-tools/reset.c b/console-tools/reset.c
index 04e5b0c..f2b900d 100644
--- a/console-tools/reset.c
+++ b/console-tools/reset.c
@@ -16,7 +16,7 @@
 //config:	This program is used to reset the terminal screen, if it
 //config:	gets messed up.
 
-//applet:IF_RESET(APPLET(reset, BB_DIR_USR_BIN, BB_SUID_DROP))
+//applet:IF_RESET(APPLET_NOEXEC(reset, reset, BB_DIR_USR_BIN, BB_SUID_DROP, reset))
 
 //kbuild:lib-$(CONFIG_RESET) += reset.o
 
diff --git a/coreutils/chroot.c b/coreutils/chroot.c
index 5645d72..78751df 100644
--- a/coreutils/chroot.c
+++ b/coreutils/chroot.c
@@ -13,7 +13,7 @@
 //config:	chroot is used to change the root directory and run a command.
 //config:	The default command is '/bin/sh'.
 
-//applet:IF_CHROOT(APPLET(chroot, BB_DIR_USR_SBIN, BB_SUID_DROP))
+//applet:IF_CHROOT(APPLET_NOEXEC(chroot, chroot, BB_DIR_USR_SBIN, BB_SUID_DROP, chroot))
 
 //kbuild:lib-$(CONFIG_CHROOT) += chroot.o
 
@@ -40,6 +40,7 @@ int chroot_main(int argc UNUSED_PARAM, char **argv)
 	++argv;
 	if (!*argv)
 		bb_show_usage();
+
 	xchroot(*argv);
 
 	++argv;
diff --git a/coreutils/nice.c b/coreutils/nice.c
index 0bf0552..d6818cf 100644
--- a/coreutils/nice.c
+++ b/coreutils/nice.c
@@ -12,7 +12,7 @@
 //config:	help
 //config:	nice runs a program with modified scheduling priority.
 
-//applet:IF_NICE(APPLET(nice, BB_DIR_BIN, BB_SUID_DROP))
+//applet:IF_NICE(APPLET_NOEXEC(nice, nice, BB_DIR_BIN, BB_SUID_DROP, nice))
 
 //kbuild:lib-$(CONFIG_NICE) += nice.o
 
diff --git a/coreutils/nohup.c b/coreutils/nohup.c
index df271c7..8a70ec4 100644
--- a/coreutils/nohup.c
+++ b/coreutils/nohup.c
@@ -15,7 +15,7 @@
 //config:	help
 //config:	run a command immune to hangups, with output to a non-tty.
 
-//applet:IF_NOHUP(APPLET(nohup, BB_DIR_USR_BIN, BB_SUID_DROP))
+//applet:IF_NOHUP(APPLET_NOEXEC(nohup, nohup, BB_DIR_USR_BIN, BB_SUID_DROP, nohup))
 
 //kbuild:lib-$(CONFIG_NOHUP) += nohup.o
 
diff --git a/loginutils/sulogin.c b/loginutils/sulogin.c
index d5a463c..27ea5df 100644
--- a/loginutils/sulogin.c
+++ b/loginutils/sulogin.c
@@ -12,7 +12,7 @@
 //config:	sulogin is invoked when the system goes into single user
 //config:	mode (this is done through an entry in inittab).
 
-//applet:IF_SULOGIN(APPLET(sulogin, BB_DIR_SBIN, BB_SUID_DROP))
+//applet:IF_SULOGIN(APPLET_NOEXEC(sulogin, sulogin, BB_DIR_SBIN, BB_SUID_DROP, sulogin))
 
 //kbuild:lib-$(CONFIG_SULOGIN) += sulogin.o
 
@@ -34,7 +34,7 @@ int sulogin_main(int argc UNUSED_PARAM, char **argv)
 
 	/* Note: sulogin is not a suid app. It is meant to be run by init
 	 * for single user / emergency mode. init starts it as root.
-	 * Normal users (potentially malisious ones) can only run it under
+	 * Normal users (potentially malicious ones) can only run it under
 	 * their UID, therefore no paranoia here is warranted:
 	 * $LD_LIBRARY_PATH in env, TTY = /dev/sda
 	 * are no more dangerous here than in e.g. cp applet.
diff --git a/runit/chpst.c b/runit/chpst.c
index ccc9653..c061a91 100644
--- a/runit/chpst.c
+++ b/runit/chpst.c
@@ -59,12 +59,12 @@ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //config:	help
 //config:	Sets soft resource limits as specified by options
 
-//applet:IF_CHPST(APPLET(chpst, BB_DIR_USR_BIN, BB_SUID_DROP))
-//                    APPLET_ODDNAME:name       main   location        suid_type     help
-//applet:IF_ENVDIR(   APPLET_ODDNAME(envdir,    chpst, BB_DIR_USR_BIN, BB_SUID_DROP, envdir))
-//applet:IF_ENVUIDGID(APPLET_ODDNAME(envuidgid, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, envuidgid))
-//applet:IF_SETUIDGID(APPLET_ODDNAME(setuidgid, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, setuidgid))
-//applet:IF_SOFTLIMIT(APPLET_ODDNAME(softlimit, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, softlimit))
+//applet:IF_CHPST(    APPLET_NOEXEC(chpst,     chpst, BB_DIR_USR_BIN, BB_SUID_DROP, chpst))
+//                    APPLET_NOEXEC:name       main   location        suid_type     help
+//applet:IF_ENVDIR(   APPLET_NOEXEC(envdir,    chpst, BB_DIR_USR_BIN, BB_SUID_DROP, envdir))
+//applet:IF_ENVUIDGID(APPLET_NOEXEC(envuidgid, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, envuidgid))
+//applet:IF_SETUIDGID(APPLET_NOEXEC(setuidgid, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, setuidgid))
+//applet:IF_SOFTLIMIT(APPLET_NOEXEC(softlimit, chpst, BB_DIR_USR_BIN, BB_SUID_DROP, softlimit))
 
 //kbuild:lib-$(CONFIG_CHPST) += chpst.o
 //kbuild:lib-$(CONFIG_ENVDIR) += chpst.o
diff --git a/shell/cttyhack.c b/shell/cttyhack.c
index 9004b47..849fe9e 100644
--- a/shell/cttyhack.c
+++ b/shell/cttyhack.c
@@ -6,7 +6,7 @@
  */
 #include "libbb.h"
 
-//applet:IF_CTTYHACK(APPLET(cttyhack, BB_DIR_BIN, BB_SUID_DROP))
+//applet:IF_CTTYHACK(APPLET_NOEXEC(cttyhack, cttyhack, BB_DIR_BIN, BB_SUID_DROP, cttyhack))
 
 //kbuild:lib-$(CONFIG_CTTYHACK) += cttyhack.o
 
diff --git a/util-linux/chrt.c b/util-linux/chrt.c
index 4bc8b6c..52523df 100644
--- a/util-linux/chrt.c
+++ b/util-linux/chrt.c
@@ -12,7 +12,7 @@
 //config:	manipulate real-time attributes of a process.
 //config:	This requires sched_{g,s}etparam support in your libc.
 
-//applet:IF_CHRT(APPLET(chrt, BB_DIR_USR_BIN, BB_SUID_DROP))
+//applet:IF_CHRT(APPLET_NOEXEC(chrt, chrt, BB_DIR_USR_BIN, BB_SUID_DROP, chrt))
 
 //kbuild:lib-$(CONFIG_CHRT) += chrt.o
 
diff --git a/util-linux/ionice.c b/util-linux/ionice.c
index c7b7f03..5b9664d 100644
--- a/util-linux/ionice.c
+++ b/util-linux/ionice.c
@@ -14,7 +14,7 @@
 //config:	Set/set program io scheduling class and priority
 //config:	Requires kernel >= 2.6.13
 
-//applet:IF_IONICE(APPLET(ionice, BB_DIR_BIN, BB_SUID_DROP))
+//applet:IF_IONICE(APPLET_NOEXEC(ionice, ionice, BB_DIR_BIN, BB_SUID_DROP, ionice))
 
 //kbuild:lib-$(CONFIG_IONICE) += ionice.o
 
diff --git a/util-linux/setarch.c b/util-linux/setarch.c
index d4b5688..5208653 100644
--- a/util-linux/setarch.c
+++ b/util-linux/setarch.c
@@ -30,10 +30,10 @@
 //config:	help
 //config:	Alias to "setarch linux64".
 
-//applet:IF_SETARCH(APPLET(setarch, BB_DIR_BIN, BB_SUID_DROP))
-//                  APPLET_ODDNAME:name     main     location    suid_type     help
-//applet:IF_LINUX32(APPLET_ODDNAME(linux32, setarch, BB_DIR_BIN, BB_SUID_DROP, linux32))
-//applet:IF_LINUX64(APPLET_ODDNAME(linux64, setarch, BB_DIR_BIN, BB_SUID_DROP, linux64))
+//applet:IF_SETARCH(APPLET_NOEXEC(setarch, setarch, BB_DIR_BIN, BB_SUID_DROP, setarch))
+//                  APPLET_NOEXEC:name     main     location    suid_type     help
+//applet:IF_LINUX32(APPLET_NOEXEC(linux32, setarch, BB_DIR_BIN, BB_SUID_DROP, linux32))
+//applet:IF_LINUX64(APPLET_NOEXEC(linux64, setarch, BB_DIR_BIN, BB_SUID_DROP, linux64))
 
 //kbuild:lib-$(CONFIG_SETARCH) += setarch.o
 //kbuild:lib-$(CONFIG_LINUX32) += setarch.o
diff --git a/util-linux/taskset.c b/util-linux/taskset.c
index 9957b1a..89dea17 100644
--- a/util-linux/taskset.c
+++ b/util-linux/taskset.c
@@ -22,7 +22,7 @@
 //config:	affinity parameter 0xHHHHHHHHHHHHHHHHHHHH can be arbitrarily long
 //config:	in this case. Otherwise, it is limited to sizeof(long).
 
-//applet:IF_TASKSET(APPLET(taskset, BB_DIR_USR_BIN, BB_SUID_DROP))
+//applet:IF_TASKSET(APPLET_NOEXEC(taskset, taskset, BB_DIR_USR_BIN, BB_SUID_DROP, taskset))
 //kbuild:lib-$(CONFIG_TASKSET) += taskset.o
 
 //usage:#define taskset_trivial_usage


More information about the busybox-cvs mailing list