nameif: make it NOEXEC

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

diff --git a/NOFORK_NOEXEC.lst b/NOFORK_NOEXEC.lst
index 45b178ca8db67a86e0284d861911b78c75ed9596..9b33afc3238f515c50dc679f3a54b399673d58d2 100644 (file)
--- a/NOFORK_NOEXEC.lst
+++ b/NOFORK_NOEXEC.lst
@@ -237,10 +237,10 @@ modprobe - noexec
 more - interactive, longterm
 mount - suid
 mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup
-mpstat - noexec candidate (it's a measuring tool, putting less load by itself is good), complex
+mpstat - longterm: "mpstat 1" runs indefinitely
 mt - rare
 mv - noexec candidate, runner
-nameif - leaks: config_open2+ioctl_or_perror_and_die
+nameif - noexec. openlog(), leaks: config_open2+ioctl_or_perror_and_die
 nbd-client
 nc - runner
 netstat - runner with -c

diff --git a/networking/nameif.c b/networking/nameif.c
index 31ee98a39ba325a9d457d662f7b9c2de4acff17d..1f26954952961fad583ed08318af3131bf39b01d 100644 (file)
--- a/networking/nameif.c
+++ b/networking/nameif.c
@@ -40,7 +40,7 @@
 //config:              new_interface_name  mac=00:80:C8:38:91:B5
 //config:              new_interface_name  00:80:C8:38:91:B5
 
-//applet:IF_NAMEIF(APPLET(nameif, BB_DIR_SBIN, BB_SUID_DROP))
+//applet:IF_NAMEIF(APPLET_NOEXEC(nameif, nameif, BB_DIR_SBIN, BB_SUID_DROP, nameif))
 
 //kbuild:lib-$(CONFIG_NAMEIF) += nameif.o
 

diff --git a/procps/mpstat.c b/procps/mpstat.c
index 1eabd8e38fcabfaec2ae5faf5a92d2f6504f7bec..acaff4dc0453e55d0fb9bdc247d8cddb50bd0f2d 100644 (file)
--- a/procps/mpstat.c
+++ b/procps/mpstat.c
@@ -8,6 +8,7 @@
  */
 
 //applet:IF_MPSTAT(APPLET(mpstat, BB_DIR_BIN, BB_SUID_DROP))
+/* shouldn't be noexec: "mpstat INTERVAL" runs indefinitely */
 
 //kbuild:lib-$(CONFIG_MPSTAT) += mpstat.o