Why an applet can't be NOFORK or NOEXEC?

interactive: may wait for user input, ^C has to work
spawner: "tool PROG ARGS" which changes program state and execs - must fork
changes state: e.g. environment, signal handlers
leaks: does not free allocated memory or opened fds
    alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies
    open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies
runner: sometimes may run for long(ish) time, and/or works with network:
    ^C has to work (cat BIGFILE, chmod -R, ftpget, nc)

"runners" can become eligible after shell is taught ^C to interrupt NOFORKs,
need to be inspected that they do not fall into alloc+xfunc, open+xfunc,

suid: runs under different uid - must fork+exec
if it's important that /proc/PID/cmdline and comm are correct.
    ("pkill sh" killing itself before it kills real "sh" is no fun)

Why shouldn't be NOFORK/NOEXEC:
rare: not started often enough to bother optimizing (example: poweroff)
daemon: runs indefinitely; these also always fit the "rare" category
longterm: often runs for a long time (many seconds), execing makes
    memory footprint smaller
complex: no immediately obvious reason why NOFORK wouldn't work,
    but does some non-obvious operations (example: fuser, lsof, losetup);
    detailed audit often reveals that it's a leaker
hardware: performs unusual hardware ops which may take long,
    or even hang due to hardware or firmware bugs

An interesting example of an "interactive" applet which nevertheless can be
(and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical
for users to keep it waiting for many minutes, whereas running "rm" in shell
is very typical, and speeding up this common use via NOEXEC is useful.
IOW: rm is "interactive", but not "longterm".
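
The open+xfunc category above, as an added C example (not BusyBox code): the same applet body leaks one descriptor per run into a long-lived caller when it is run in-process, and none when it is run in a forked child. All names (model_xfunc_die, model_applet_main, die_jmp, in_process) are hypothetical, and the longjmp-based return to the caller is an assumption used to model a die path that must not exit the shell.

```c
#include <fcntl.h>
#include <setjmp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static jmp_buf die_jmp;  /* hypothetical: where the in-process caller resumes */
static int in_process;   /* 1 = NOFORK-style call, 0 = forked child */
/* Model of an xfunc failure path: it never returns to the applet. */
static void model_xfunc_die(void) {
    if (in_process) longjmp(die_jmp, 1);  /* back into the long-lived caller */
    _exit(1);                             /* forked child: kernel closes every fd */
}
/* Constructed applet with the open+xfunc pattern. */
static void model_applet_main(void) {
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return;
    model_xfunc_die();                    /* dies here; close(fd) is never reached */
    close(fd);
}
static int count_open_fds(void) {
    int n = 0;
    for (int fd = 0; fd < 256; fd++) n += (fcntl(fd, F_GETFD) != -1);
    return n;
}
/* Run the applet in-process `runs` times; return fds left open in the caller. */
int leaked_fds_nofork(int runs) {
    volatile int before = count_open_fds();
    in_process = 1;
    for (volatile int i = 0; i < runs; i++)
        if (setjmp(die_jmp) == 0) model_applet_main();
    in_process = 0;
    return count_open_fds() - before;
}

/* Same applet in forked children; return fds left open in the parent. */
int leaked_fds_forked(int runs) {
    int before = count_open_fds();
    for (int i = 0; i < runs; i++) {
        pid_t pid = fork();
        if (pid == 0) { model_applet_main(); _exit(0); }
        if (pid > 0) waitpid(pid, NULL, 0);
    }
    return count_open_fds() - before;
}

int main(void) {
    printf("leaked: in-process=%d forked=%d\n", leaked_fds_nofork(5), leaked_fds_forked(5));
}
```

The same reasoning applies to alloc+xfunc: memory obtained before the dying call stays allocated in the caller when there is no process exit to reclaim it.
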
add-shell - noexec. leaks: open+xfunc
addgroup - noexec. leaks
adduser - noexec. leaks
arp - runner, needs ^C: arp -n talks to DNS servers
ash - interactive, longterm
beep - longterm: beep -r 999999999
blkdiscard - noexec. leaks: open+xioctl
blockdev - noexec. leaks fd
cal - runner: cal -n9999
chat - needs ^C to work
chattr - noexec. runner
chgrp - noexec. runner
chmod - noexec. runner
chown - noexec. runner
chpasswd - runner (list of "user:password"s from stdin)
chpst - noexec. spawner
chroot - noexec. spawner
chrt - noexec. spawner
chvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
cksum - noexec. runner
conspy - interactive, longterm
crontab - longterm (runs $EDITOR), leaks: open+xasprintf
cryptpw - noexec. changes state: with --password-fd=N, moves N to stdin
cttyhack - noexec. spawner
date - noexec. nofork candidate (needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf)
dc - runner (eats stdin if no params)
deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
delgroup - noexec. leaks
deluser - noexec. leaks
depmod - longterm(ish)
devmem - hardware (access to device memory may hang)
df - noexec. leaks: nested allocs
dnsdomainname - noexec. needs ^C (may talk to DNS servers, which may be down)
dos2unix - noexec. runner
dumpkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
dumpleases - leaks: open+xread
ed - interactive, longterm
egrep - longterm runner ("CMD | egrep ..." may run indefinitely, better to exec to conserve memory)
eject - leaks: open+ioctl_or_perror_and_die, changes state (moves fds)
env - noexec. spawner, changes state (env)
envdir - noexec. spawner
envuidgid - noexec. spawner
expr - leaks: nested allocs
factor - runner (eats stdin if no params)
fatattr - noexec. leaks: open+xioctl, complex
fbset - hardware, leaks: open+xfunc
fbsplash - runner, longterm
fdflush - hardware, leaks: open+ioctl_or_perror_and_die
fdformat - hardware, needs ^C (floppy may be unresponsive), longterm
fdisk - interactive, longterm
fgconsole - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory)
find - noexec. runner
flash_eraseall - hardware
flash_lock - hardware
flash_unlock - hardware
flock - spawner, changes state (file locks), let's play safe and not be noexec
fold - noexec. runner
free - noexec. nofork candidate (struct globals, needs to close /proc/meminfo fd)
freeramdisk - leaks: open+ioctl_or_perror_and_die
fsck - interactive, longterm
fsck.minix - needs ^C
fsfreeze - noexec. leaks: open+xioctl
fstrim - noexec. leaks: open+xioctl, find_block_device -> readdir+xstrdup
getopt - noexec. leaks: many allocs
getty - interactive, longterm
grep - longterm runner ("CMD | grep ..." may run indefinitely, better to exec to conserve memory)
head - noexec. runner
hexdump - noexec. runner
hostname - noexec. needs ^C (may talk to DNS servers, which may be down)
hush - interactive, longterm
hwclock - hardware (xioctl(RTC_RD_TIME))
ifconfig - hardware? (mem_start NN io_addr NN irq NN), leaks: xsocket+ioctl_or_perror_and_die
ifenslave - noexec. leaks: xsocket+bb_perror_msg_and_die
ionice - noexec. spawner
iostat - longterm: "iostat 1" runs indefinitely
ip - noexec candidate
ipaddr - noexec candidate
ipcalc - noexec candidate
ipcrm - noexec candidate
ipcs - noexec candidate
iplink - noexec candidate
ipneigh - noexec candidate
iproute - noexec candidate
iprule - noexec candidate
iptunnel - noexec candidate
kbd_mode - noexec. leaks: xopen_nonblocking+xioctl
last - runner (I've got 1300 lines of output when tried it)
less - interactive, longterm
linux32 - noexec. spawner
linux64 - noexec. spawner
loadfont - noexec. leaks: config_open+bb_error_msg_and_die("map format")
loadkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds
login - suid, interactive, longterm
losetup - noexec. complex
lsattr - noexec. runner
lspci - noexec. too rare to bother for nofork
lsscsi - noexec. too rare to bother for nofork
lsusb - noexec. too rare to bother for nofork
man - spawner, interactive, longterm
md5sum - noexec. runner
microcom - interactive, longterm
mkfs.minix - needs ^C
mkpasswd - noexec. changes state: with --password-fd=N, moves N to stdin
mktemp - noexec. leaks: xstrdup+concat_path_file
more - interactive, longterm
mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
mpstat - longterm: "mpstat 1" runs indefinitely
mv - noexec candidate, runner
nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
netstat - longterm with -c (continuous listing)
nice - noexec. spawner
nohup - noexec. spawner
openvt - longterm: spawns a child and waits for it
partprobe - noexec. leaks: open+ioctl_or_perror_and_die(BLKRRPART)
paste - noexec. runner
pgrep - must fork+exec to get correct /proc/PID/cmdline and comm field
pidof - must fork+exec to get correct /proc/PID/cmdline and comm field
ping - suid, longterm
ping6 - suid, longterm
pipe_progress - longterm
pkill - must fork+exec to get correct /proc/PID/cmdline and comm field
pmap - noexec candidate, leaks: open+xstrdup
powertop - interactive, longterm
ps - looks for AT_CLKTCK elf aux vector, therefore can't be noexec
raidautorun - noexec. very simple. leaks: open+xioctl
rdate - needs ^C (may talk to DNS servers, which may be down)
rdev - leaks: find_block_device -> readdir+xstrdup
readprofile - reads /boot/System.map and /proc/profile, better to free more memory by execing?
remove-shell - noexec. leaks: open+xfunc
renice - noexec. nofork candidate (uses getpwnam, is that ok?)
reset - noexec. spawner (execs "stty")
resize - noexec. changes state (signal handlers)
rm - noexec. rm -i interactive
route - needs ^C (may talk to DNS servers, which may be down)
rtcwake - longterm: puts system to sleep, optimizing this for speed is pointless
runlevel - noexec. can be nofork if "endutxent()" is called unconditionally, but too rare to bother?
script - longterm: pumps script output from slave pty
scriptreplay - longterm: plays back "script" saved output, sleeping as necessary.
setarch - noexec. spawner
setfont - noexec. leaks a lot of stuff
setpriv - spawner, changes state, let's play safe and not be noexec
setsid - spawner, uses fork_or_rexec() [not audited to work in noexec], let's play safe and not be noexec
setuidgid - noexec. spawner
sha1sum - noexec. runner
sha256sum - noexec. runner
sha3sum - noexec. runner
sha512sum - noexec. runner
showkey - interactive, longterm
shuf - noexec. runner
slattach - longterm (may sleep forever), uses bb_common_bufsiz1
sleep - runner, longterm
softlimit - noexec. spawner
sort - noexec. runner
ssl_client - longterm
start-stop-daemon - not noexec: uses bb_common_bufsiz1
stat - noexec. nofork candidate (needs fewer allocs)
stty - noexec. nofork candidate: has no allocs or opens except xmove_fd(xopen("-F DEVICE"),STDIN). tcsetattr(STDIN) is not a problem: it would work the same across processes sharing this fd
sulogin - noexec. spawner
sv - noexec. needs ^C (uses usleep(420000))
svc - noexec. needs ^C (uses usleep(420000))
swapoff - longterm: may cause memory pressure, execing is beneficial
switch_root - spawner, rare, changes state (oh yes), execing may be important to free binary's inode
sysctl - noexec. leaks: xstrdup+xmalloc_read
taskset - noexec. spawner
telnet - interactive, longterm
time - spawner, longterm, changes state (signals)
timeout - spawner, longterm, changes state (signals)
top - interactive, longterm
traceroute - suid, longterm
traceroute6 - suid, longterm
tune2fs - noexec. leaks: open+xfunc
ubiupdatevol - hardware
umount - noexec. leaks: nested xmalloc
unix2dos - noexec. runner
uptime - noexec. nofork candidate (is getutxent ok?)
users - noexec. nofork candidate (is getutxent ok?)
vconfig - leaks: xsocket+ioctl_or_perror_and_die
vi - interactive, longterm
volname - hardware (reads CDROM, this can take long-ish if need to spin up)
w - noexec. nofork candidate (is getutxent ok?)
who - noexec. nofork candidate (is getutxent ok?)
xargs - noexec. spawner