From patchwork Tue Mar 28 08:55:21 2023
X-Patchwork-Submitter: Stefan Schantl
X-Patchwork-Id: 6729
From: Stefan Schantl
To: pakfire@lists.ipfire.org
Subject: [PATCH] Hardening: Declare content of /usr/lib/grub as firmware files
Date: Tue, 28 Mar 2023 10:55:21 +0200
Message-Id: <20230328085521.92868-1-stefan.schantl@ipfire.org>
List-Id: "Mailinglist for the Pakfire Build System."

This folder contains the necessary files, which are written to the MBR, dealing with EFI, or loading additional required grub modules unless the whole grub menu can be displayed or a selected OS will start up.

Some of these files are 32-bit ELF files or do not have SSP etc. So I would suggest marking them as firmware files and therefore skipping some of the hardening tests.

Signed-off-by: Stefan Schantl
---
 src/libpakfire/file.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/libpakfire/file.c b/src/libpakfire/file.c index 33e26fea..819587ef 100644 --- a/src/libpakfire/file.c +++ b/src/libpakfire/file.c @@ -1509,6 +1509,7 @@ static const struct pattern { { "*.pm", PAKFIRE_FILE_PERL }, { "*.pc", PAKFIRE_FILE_PKGCONFIG }, { "/usr/lib/firmware/*", PAKFIRE_FILE_FIRMWARE }, + { "/usr/lib/grub/*", PAKFIRE_FILE_FIRMWARE }, { "/usr/lib*/ld-*.so*", PAKFIRE_FILE_RUNTIME_LINKER }, { NULL }, };
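Review bot: the new "/usr/lib/grub/*" pattern exempts every file below /usr/lib/grub from the hardening checks, not only the boot images and modules the commit message argues for; consider narrowing the glob to the file types that actually need the exemption (for example the *.mod and *.img files in the per-target subdirectories) so that any script or helper installed under that directory is still checked. It is also worth confirming that the matcher lets "*" span "/" in the same way the neighbouring "/usr/lib/firmware/*" entry relies on, since GRUB installs its modules into per-target subdirectories, and a short comment on the new line saying why these files are classified as PAKFIRE_FILE_FIRMWARE (32-bit ELF, no SSP) would document the exemption where it lives rather than only in the commit message.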