Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 1 | Why an applet can't be NOFORK or NOEXEC? |
| 2 | |
| 3 | Why can't be NOFORK: |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 4 | interactive: may wait for user input, ^C has to work |
Denys Vlasenko | 7f9d62d | 2017-08-04 16:01:39 +0200 | [diff] [blame] | 5 | spawner: "tool PROG ARGS" which changes program state and execs - must fork |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 6 | changes state: e.g. environment, signal handlers |
Denys Vlasenko | 49e6bf2 | 2017-08-04 14:28:16 +0200 | [diff] [blame] | 7 | alloc+xfunc: xmalloc, then xfunc - leaks memory if xfunc dies |
| 8 | open+xfunc: opens fd, then calls xfunc - fd is leaked if xfunc dies |
Denys Vlasenko | 7f9d62d | 2017-08-04 16:01:39 +0200 | [diff] [blame] | 9 | leaks: does not free allocated memory or opened fds |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 10 | runner: sometimes may run for long(ish) time, and/or works with network: |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 11 | ^C has to work (cat BIGFILE, chmod -R, ftpget, nc) |
| 12 | |
Denys Vlasenko | 7f9d62d | 2017-08-04 16:01:39 +0200 | [diff] [blame] | 13 | "runners" can become eligible after shell is taught ^C to interrupt NOFORKs, |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 14 | need to be inspected that they do not fall into alloc+xfunc, open+xfunc, |
| 15 | leak categories. |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 16 | |
| 17 | Why can't be NOEXEC: |
| 18 | suid: runs under different uid - must fork+exec |
| 19 | |
| 20 | Why shouldn't be NOFORK/NOEXEC: |
Denys Vlasenko | 7f9d62d | 2017-08-04 16:01:39 +0200 | [diff] [blame] | 21 | rare: not started often enough to bother optimizing (example: poweroff) |
| 22 | daemon: runs indefinitely; these are also always fit "rare" category |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 23 | longterm: often runs for a long time (many seconds), execing makes |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 24 | memory footprint smaller |
Denys Vlasenko | 7f9d62d | 2017-08-04 16:01:39 +0200 | [diff] [blame] | 25 | complex: no immediately obvious reason why NOFORK wouldn't work, |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 26 | but does some non-obvoius operations (example: fuser, lsof, losetup); |
| 27 | detailed audit often turns out that it's a leaker |
| 28 | |
| 29 | Interesting example of "interactive" applet which is nevertheless can be |
| 30 | (and is) NOEXEC is "rm". Yes, "rm -i" is interactive - but it's not that typical |
| 31 | for users to keep it waiting for many minutes, whereas running "rm" in shell |
| 32 | is very typical, and speeding up this common use via NOEXEC is useful. |
| 33 | IOW: rm is "interactive", but not "longterm". |
| 34 | |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 35 | |
| 36 | [ - NOFORK |
| 37 | [[ - NOFORK |
| 38 | acpid - daemon |
| 39 | add-shell |
| 40 | addgroup |
| 41 | adduser |
| 42 | adjtimex |
| 43 | ar - runner |
| 44 | arch - NOFORK |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 45 | arp - complex, rare |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 46 | arping - runner |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 47 | ash - interactive, longterm |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 48 | awk - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 49 | base64 - runner |
| 50 | basename - NOFORK |
| 51 | beep |
| 52 | blkdiscard |
| 53 | blkid |
Denys Vlasenko | 9f59849 | 2017-08-05 01:29:12 +0200 | [diff] [blame] | 54 | blockdev - noexec. leaks fd |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 55 | bootchartd - daemon |
| 56 | brctl |
| 57 | bunzip2 - runner |
| 58 | busybox |
| 59 | bzcat - runner |
| 60 | bzip2 - runner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 61 | cal - runner: cal -n9999 |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 62 | cat - runner |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 63 | chat - needs ^C to work |
Denys Vlasenko | 99125c0 | 2017-08-05 20:38:04 +0200 | [diff] [blame] | 64 | chattr - noexec. runner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 65 | chgrp - noexec. runner |
| 66 | chmod - noexec. runner |
| 67 | chown - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 68 | chpasswd - runner (list of "user:password"s from stdin) |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 69 | chpst - noexec. spawner |
| 70 | chroot - noexec. spawner |
| 71 | chrt - noexec. spawner |
Denys Vlasenko | ff53bee | 2017-08-05 02:02:31 +0200 | [diff] [blame] | 72 | chvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 73 | cksum - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 74 | clear - NOFORK |
| 75 | cmp - runner |
| 76 | comm - runner |
Denys Vlasenko | 83d7785 | 2017-08-04 17:59:46 +0200 | [diff] [blame] | 77 | conspy - interactive, longterm |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 78 | cp - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 79 | cpio - runner |
| 80 | crond - daemon |
Denys Vlasenko | 6514785 | 2017-08-04 19:16:01 +0200 | [diff] [blame] | 81 | crontab 0 leaks: open+xasprintf |
Denys Vlasenko | feb79e8 | 2017-08-05 02:08:23 +0200 | [diff] [blame] | 82 | cryptpw - noexec. changes state: with --password-fd=N, moves N to stdin |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 83 | cttyhack - noexec. spawner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 84 | cut - noexec. runner |
| 85 | date - noexec. nofork candidate(needs to stop messing up env, free xasprintf result, not use xfuncs after xasprintf) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 86 | dc - runner (eats stdin if no params) |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 87 | dd - noexec. runner |
Denys Vlasenko | ff53bee | 2017-08-05 02:02:31 +0200 | [diff] [blame] | 88 | deallocvt - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 89 | delgroup |
| 90 | deluser |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 91 | depmod - complex, rare |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 92 | devmem - runner, complex (access to device memory may hang) |
Denys Vlasenko | 83d7785 | 2017-08-04 17:59:46 +0200 | [diff] [blame] | 93 | df - leaks: nested allocs |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 94 | dhcprelay - daemon |
| 95 | diff - runner |
| 96 | dirname - NOFORK |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 97 | dmesg - runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 98 | dnsd - daemon |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 99 | dnsdomainname - needs ^C (may talk to DNS servers, which may be down) |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 100 | dos2unix - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 101 | dpkg - runner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 102 | du - runner |
Denys Vlasenko | ff53bee | 2017-08-05 02:02:31 +0200 | [diff] [blame] | 103 | dumpkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds |
Denys Vlasenko | 6514785 | 2017-08-04 19:16:01 +0200 | [diff] [blame] | 104 | dumpleases - leaks: open+xread |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 105 | echo - NOFORK |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 106 | ed - interactive, longterm |
| 107 | egrep - longterm runner ("CMD | egrep ..." may run indefinitely, better to exec to conserve memory) |
| 108 | eject - leaks: open+ioctl_or_perror_and_die, changes state (moves fds) |
Denys Vlasenko | 83d7785 | 2017-08-04 17:59:46 +0200 | [diff] [blame] | 109 | env - noexec. spawner, changes state (env) |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 110 | envdir - noexec. spawner |
| 111 | envuidgid - noexec. spawner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 112 | expand - runner |
Denys Vlasenko | 83d7785 | 2017-08-04 17:59:46 +0200 | [diff] [blame] | 113 | expr - leaks: nested allocs |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 114 | factor - runner (eats stdin if no params) |
| 115 | fakeidentd - daemon |
| 116 | false - NOFORK |
Denys Vlasenko | 83d7785 | 2017-08-04 17:59:46 +0200 | [diff] [blame] | 117 | fatattr - leaks: open+xioctl, complex |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 118 | fbset - leaks: open+xfunc, complex, rare |
| 119 | fbsplash - runner, longterm |
| 120 | fdflush - leaks: open+ioctl_or_perror_and_die, needs ^C (floppy may be unresponsive), rare |
| 121 | fdformat - needs ^C (floppy may be unresponsive), longterm, rare |
| 122 | fdisk - interactive, longterm |
Denys Vlasenko | ff53bee | 2017-08-05 02:02:31 +0200 | [diff] [blame] | 123 | fgconsole - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 124 | fgrep - longterm runner ("CMD | fgrep ..." may run indefinitely, better to exec to conserve memory) |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 125 | find - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 126 | findfs - suid |
| 127 | flash_eraseall |
| 128 | flash_lock |
| 129 | flash_unlock |
| 130 | flashcp |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 131 | flock - spawner, changes state (file locks), let's play safe and not be noexec |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 132 | fold - noexec. runner |
| 133 | free - nofork candidate(struct globals, needs to close /proc/meminfo fd) |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 134 | freeramdisk - leaks: open+ioctl_or_perror_and_die |
| 135 | fsck - interactive, longterm |
Denys Vlasenko | 6514785 | 2017-08-04 19:16:01 +0200 | [diff] [blame] | 136 | fsck.minix - needs ^C |
Denys Vlasenko | 9f59849 | 2017-08-05 01:29:12 +0200 | [diff] [blame] | 137 | fsfreeze - noexec. leaks: open+xioctl |
| 138 | fstrim - noexec. leaks: open+xioctl, find_block_device -> readdir+xstrdup |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 139 | fsync - NOFORK |
| 140 | ftpd - daemon |
| 141 | ftpget - runner |
| 142 | ftpput - runner |
| 143 | fuser - complex |
Denys Vlasenko | 83d7785 | 2017-08-04 17:59:46 +0200 | [diff] [blame] | 144 | getopt - noexec. leaks: many allocs |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 145 | getty - interactive, longterm |
| 146 | grep - longterm runner ("CMD | grep ..." may run indefinitely, better to exec to conserve memory) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 147 | groups - noexec |
| 148 | gunzip - runner |
| 149 | gzip - runner |
| 150 | halt - rare |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 151 | hd - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 152 | hdparm - complex, rare |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 153 | head - noexec. runner |
| 154 | hexdump - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 155 | hostid - NOFORK |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 156 | hostname - needs ^C (may talk to DNS servers, which may be down) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 157 | httpd - daemon |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 158 | hush - interactive, longterm |
Denys Vlasenko | 83d7785 | 2017-08-04 17:59:46 +0200 | [diff] [blame] | 159 | hwclock - talks to hardware (xioctl(RTC_RD_TIME)) - needs ^C |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 160 | i2cdetect |
| 161 | i2cdump |
| 162 | i2cget |
| 163 | i2cset |
| 164 | id - noexec |
Denys Vlasenko | 6514785 | 2017-08-04 19:16:01 +0200 | [diff] [blame] | 165 | ifconfig - leaks: xsocket+ioctl_or_perror_and_die |
| 166 | ifenslave - leaks: xsocket+bb_perror_msg_and_die |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 167 | ifplugd - daemon |
| 168 | inetd - daemon |
| 169 | init - daemon |
| 170 | inotifyd - daemon |
Denys Vlasenko | 3346b4a | 2017-08-04 02:56:39 +0200 | [diff] [blame] | 171 | insmod - noexec |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 172 | install - runner |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 173 | ionice - noexec. spawner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 174 | iostat - runner |
Denys Vlasenko | 72d725d | 2017-08-03 19:30:21 +0200 | [diff] [blame] | 175 | ip - noexec candidate |
| 176 | ipaddr - noexec candidate |
| 177 | ipcalc - noexec candidate |
| 178 | ipcrm - noexec candidate |
| 179 | ipcs - noexec candidate |
| 180 | iplink - noexec candidate |
| 181 | ipneigh - noexec candidate |
| 182 | iproute - noexec candidate |
| 183 | iprule - noexec candidate |
| 184 | iptunnel - noexec candidate |
Denys Vlasenko | 9a58cc0 | 2017-08-06 12:28:00 +0200 | [diff] [blame^] | 185 | kbd_mode - noexec. leaks: xopen_nonblocking+xioctl |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 186 | kill - NOFORK |
| 187 | killall - NOFORK |
| 188 | killall5 - NOFORK |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 189 | klogd - daemon |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 190 | last - runner (I've got 1300 lines of output when tried it) |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 191 | less - interactive, longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 192 | link - NOFORK |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 193 | linux32 - noexec. spawner |
| 194 | linux64 - noexec. spawner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 195 | linuxrc - daemon |
| 196 | ln - noexec |
Denys Vlasenko | 6514785 | 2017-08-04 19:16:01 +0200 | [diff] [blame] | 197 | loadfont - leaks: config_open+bb_error_msg_and_die("map format") |
Denys Vlasenko | ff53bee | 2017-08-05 02:02:31 +0200 | [diff] [blame] | 198 | loadkmap - noexec. leaks: get_console_fd_or_die() may open a new fd, or return one of stdio fds |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 199 | logger - runner |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 200 | login - suid, interactive, longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 201 | logname - NOFORK |
| 202 | losetup - complex |
| 203 | lpd - daemon |
| 204 | lpq - runner |
| 205 | lpr - runner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 206 | ls - noexec. runner |
Denys Vlasenko | 99125c0 | 2017-08-05 20:38:04 +0200 | [diff] [blame] | 207 | lsattr - noexec. runner |
Denys Vlasenko | 3346b4a | 2017-08-04 02:56:39 +0200 | [diff] [blame] | 208 | lsmod - noexec |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 209 | lsof - complex |
Denys Vlasenko | 3239ab8 | 2017-08-05 23:28:19 +0200 | [diff] [blame] | 210 | lspci - noexec. too rare to bother for nofork |
| 211 | lsscsi - noexec. too rare to bother for nofork |
| 212 | lsusb - noexec. too rare to bother for nofork |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 213 | lzcat - runner |
| 214 | lzma - runner |
| 215 | lzop - runner |
| 216 | lzopcat - runner |
| 217 | makedevs |
| 218 | makemime - runner |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 219 | man - spawner, interactive, longterm |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 220 | md5sum - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 221 | mdev - daemon |
Denys Vlasenko | 6514785 | 2017-08-04 19:16:01 +0200 | [diff] [blame] | 222 | mesg - NOFORK |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 223 | microcom - interactive, longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 224 | mkdir - NOFORK |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 225 | mkdosfs - needs ^C |
| 226 | mke2fs - needs ^C |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 227 | mkfifo - noexec |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 228 | mkfs.ext2 - needs ^C |
| 229 | mkfs.minix - needs ^C |
| 230 | mkfs.vfat - needs ^C |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 231 | mknod - noexec |
Denys Vlasenko | feb79e8 | 2017-08-05 02:08:23 +0200 | [diff] [blame] | 232 | mkpasswd - noexec. changes state: with --password-fd=N, moves N to stdin |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 233 | mkswap - needs ^C |
Denys Vlasenko | 6bec24c | 2017-08-04 17:39:05 +0200 | [diff] [blame] | 234 | mktemp - noexec. leaks: xstrdup+concat_path_file |
Denys Vlasenko | 3346b4a | 2017-08-04 02:56:39 +0200 | [diff] [blame] | 235 | modinfo - noexec |
| 236 | modprobe - noexec |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 237 | more - interactive, longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 238 | mount - suid |
Denys Vlasenko | 9f59849 | 2017-08-05 01:29:12 +0200 | [diff] [blame] | 239 | mountpoint - noexec. leaks: option -n "print dev name": find_block_device -> readdir+xstrdup |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 240 | mpstat - noexec candidate (it's a measuring tool, putting less load by itself is good), complex |
| 241 | mt - rare |
Denys Vlasenko | 6514785 | 2017-08-04 19:16:01 +0200 | [diff] [blame] | 242 | mv - noexec candidate, runner |
| 243 | nameif - leaks: config_open2+ioctl_or_perror_and_die |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 244 | nbd-client |
| 245 | nc - runner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 246 | netstat - runner with -c |
Denys Vlasenko | 692eeb8 | 2017-08-04 20:07:19 +0200 | [diff] [blame] | 247 | nice - noexec. spawner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 248 | nl - runner |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 249 | nmeter - longterm |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 250 | nohup - noexec. spawner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 251 | nproc - NOFORK |
| 252 | ntpd - daemon |
| 253 | od - runner |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 254 | openvt - longterm: spawns a child and waits for it |
Denys Vlasenko | 9c49d6e | 2017-08-05 01:46:39 +0200 | [diff] [blame] | 255 | partprobe - noexec. leaks: open+ioctl_or_perror_and_die(BLKRRPART) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 256 | passwd - suid |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 257 | paste - noexec. runner |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 258 | patch - needs ^C |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 259 | pgrep - nofork candidate(xregcomp, procps_scan - are they ok?) |
| 260 | pidof - nofork candidate(uses find_pid_by_name, is that ok?) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 261 | ping - suid, runner |
| 262 | ping6 - suid, runner |
Denys Vlasenko | 6514785 | 2017-08-04 19:16:01 +0200 | [diff] [blame] | 263 | pipe_progress - longterm |
Denys Vlasenko | fdb9235 | 2017-08-05 01:51:12 +0200 | [diff] [blame] | 264 | pivot_root - NOFORK |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 265 | pkill - nofork candidate(xregcomp, procps_scan - are they ok?) |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 266 | pmap - noexec candidate, leaks: open+xstrdup |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 267 | popmaildir - runner |
| 268 | poweroff - rare |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 269 | powertop - interactive, longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 270 | printenv - NOFORK |
| 271 | printf - NOFORK |
Denys Vlasenko | 00c1811 | 2017-08-05 22:25:00 +0200 | [diff] [blame] | 272 | ps - looks for AT_CLKTCK elf aux vector, therefore can't be noexec |
Denys Vlasenko | 72d725d | 2017-08-03 19:30:21 +0200 | [diff] [blame] | 273 | pscan - longterm |
Denys Vlasenko | 00c1811 | 2017-08-05 22:25:00 +0200 | [diff] [blame] | 274 | pstree - noexec |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 275 | pwd - NOFORK |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 276 | pwdx - NOFORK |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 277 | raidautorun |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 278 | rdate - needs ^C (may talk to DNS servers, which may be down) |
| 279 | rdev - leaks: find_block_device -> readdir+xstrdup |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 280 | readlink - NOFORK |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 281 | readprofile |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 282 | realpath - NOFORK |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 283 | reboot - rare |
| 284 | reformime - runner |
| 285 | remove-shell |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 286 | renice - nofork candidate(uses getpwnam, is that ok?) |
Denys Vlasenko | 692eeb8 | 2017-08-04 20:07:19 +0200 | [diff] [blame] | 287 | reset - noexec. spawner (execs "stty") |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 288 | resize - noexec. changes state (signal handlers) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 289 | rev - runner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 290 | rm - noexec. rm -i interactive |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 291 | rmdir - NOFORK |
Denys Vlasenko | 3346b4a | 2017-08-04 02:56:39 +0200 | [diff] [blame] | 292 | rmmod - noexec |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 293 | route - needs ^C (may talk to DNS servers, which may be down) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 294 | rpm - runner |
| 295 | rpm2cpio - runner |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 296 | rtcwake - longterm: puts system to sleep, optimizing this for speed is pointless |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 297 | run-parts |
Denys Vlasenko | 83d7785 | 2017-08-04 17:59:46 +0200 | [diff] [blame] | 298 | runlevel - noexec. can be nofork if "endutxent()" is called unconditionally, but too rare to bother? |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 299 | runsv - daemon |
| 300 | runsvdir - daemon |
| 301 | rx - runner |
| 302 | script |
| 303 | scriptreplay |
| 304 | sed - runner |
| 305 | sendmail - runner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 306 | seq - noexec. runner |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 307 | setarch - noexec. spawner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 308 | setconsole |
| 309 | setfont |
| 310 | setkeycodes |
| 311 | setlogcons |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 312 | setpriv - spawner, changes state, let's play safe and not be noexec |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 313 | setserial |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 314 | setsid - spawner, uses fork_or_rexec() [not audted to work in noexec], let's play safe and not be noexec |
| 315 | setuidgid - noexec. spawner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 316 | sha1sum - noexec. runner |
| 317 | sha256sum - noexec. runner |
| 318 | sha3sum - noexec. runner |
| 319 | sha512sum - noexec. runner |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 320 | showkey - interactive, longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 321 | shred - runner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 322 | shuf - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 323 | slattach |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 324 | sleep - runner, longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 325 | smemcap - runner |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 326 | softlimit - noexec. spawner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 327 | sort - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 328 | split - runner |
Denys Vlasenko | 947b239 | 2017-08-04 18:36:55 +0200 | [diff] [blame] | 329 | ssl_client - longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 330 | start-stop-daemon |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 331 | stat - nofork candidate(needs fewer allocs) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 332 | strings - runner |
Denys Vlasenko | 692eeb8 | 2017-08-04 20:07:19 +0200 | [diff] [blame] | 333 | stty - noexec. nofork candidate: has no allocs or opens except xmove_fd(xopen("-F DEVICE"),STDIN). tcsetattr(STDIN) is not a problem: it would work the same across processes sharing this fd |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 334 | su - suid, spawner |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 335 | sulogin - noexec. spawner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 336 | sum - runner |
Denys Vlasenko | a453ca5 | 2017-08-05 01:42:08 +0200 | [diff] [blame] | 337 | sv - noexec. needs ^C (uses usleep(420000)) |
| 338 | svc - noexec. needs ^C (uses usleep(420000)) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 339 | svlogd - daemon |
| 340 | swapoff - rare |
| 341 | swapon - rare |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 342 | switch_root - spawner, rare, changes state (oh yes), execing may be important to free binary's inode |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 343 | sync - NOFORK |
Denys Vlasenko | caf26b3 | 2017-08-05 18:23:10 +0200 | [diff] [blame] | 344 | sysctl - noexec. leaks: xstrdup+xmalloc_read |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 345 | syslogd - daemon |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 346 | tac - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 347 | tail - runner |
| 348 | tar - runner |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 349 | taskset - noexec. spawner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 350 | tcpsvd - daemon |
| 351 | tee - runner |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 352 | telnet - interactive, longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 353 | telnetd - daemon |
| 354 | test - NOFORK |
| 355 | tftp - runner |
| 356 | tftpd - daemon |
Denys Vlasenko | 5c527dc | 2017-08-04 19:55:01 +0200 | [diff] [blame] | 357 | time - spawner, longterm, changes state (signals) |
| 358 | timeout - spawner, longterm, changes state (signals) |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 359 | top - interactive, longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 360 | touch - NOFORK |
| 361 | tr - runner |
| 362 | traceroute - suid, runner |
| 363 | traceroute6 - suid, runner |
| 364 | true - NOFORK |
| 365 | truncate - NOFORK |
| 366 | tty - NOFORK |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 367 | ttysize - NOFORK |
Denys Vlasenko | 9a58cc0 | 2017-08-06 12:28:00 +0200 | [diff] [blame^] | 368 | tunctl - noexec |
Denys Vlasenko | 99125c0 | 2017-08-05 20:38:04 +0200 | [diff] [blame] | 369 | tune2fs - noexec. leaks: open+xfunc |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 370 | ubiattach |
| 371 | ubidetach |
| 372 | ubimkvol |
| 373 | ubirename |
| 374 | ubirmvol |
| 375 | ubirsvol |
| 376 | ubiupdatevol |
| 377 | udhcpc - daemon |
| 378 | udhcpd - daemon |
| 379 | udpsvd - daemon |
| 380 | uevent - daemon |
Denys Vlasenko | 83a6c8d | 2017-08-05 23:21:02 +0200 | [diff] [blame] | 381 | umount - noexec. leaks: nested xmalloc |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 382 | uname - NOFORK |
| 383 | uncompress - runner |
| 384 | unexpand - runner |
| 385 | uniq - runner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 386 | unix2dos - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 387 | unlink - NOFORK |
| 388 | unlzma - runner |
| 389 | unlzop - runner |
| 390 | unxz - runner |
| 391 | unzip - runner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 392 | uptime - nofork candidate(is getutxent ok?) |
| 393 | users - nofork candidate(is getutxent ok?) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 394 | usleep - NOFORK |
| 395 | uudecode - runner |
| 396 | uuencode - runner |
Denys Vlasenko | 74c05f5 | 2017-08-04 17:36:16 +0200 | [diff] [blame] | 397 | vconfig - leaks: xsocket+ioctl_or_perror_and_die |
| 398 | vi - interactive, longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 399 | vlock - suid |
| 400 | volname - runner |
Denys Vlasenko | 6514785 | 2017-08-04 19:16:01 +0200 | [diff] [blame] | 401 | w - nofork candidate(is getutxent ok?) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 402 | wall - suid |
Denys Vlasenko | 83d7785 | 2017-08-04 17:59:46 +0200 | [diff] [blame] | 403 | watch - longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 404 | watchdog - daemon |
| 405 | wc - runner |
Denys Vlasenko | 83d7785 | 2017-08-04 17:59:46 +0200 | [diff] [blame] | 406 | wget - longterm |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 407 | which - NOFORK |
Denys Vlasenko | 6514785 | 2017-08-04 19:16:01 +0200 | [diff] [blame] | 408 | who - nofork candidate(is getutxent ok?) |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 409 | whoami - NOFORK |
Denys Vlasenko | 6514785 | 2017-08-04 19:16:01 +0200 | [diff] [blame] | 410 | whois - needs ^C |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 411 | xargs - noexec. spawner |
| 412 | xxd - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 413 | xz - runner |
| 414 | xzcat - runner |
Denys Vlasenko | 39194f0 | 2017-08-03 19:00:01 +0200 | [diff] [blame] | 415 | yes - noexec. runner |
Denys Vlasenko | 819b47a | 2017-08-03 03:29:32 +0200 | [diff] [blame] | 416 | zcat - runner |
| 417 | zcip - daemon |