} flags;
} pakfire_fhs_check[] = {
// /usr
- { "/usr", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/bin", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/include", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/lib", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/lib64", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/sbin", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/share", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/src", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/bin", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/include", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/lib", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/lib64", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/sbin", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/share", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/src", S_IFDIR, 0755, "root", "root", 0 },
// Allow no further files in /usr & /usr/src
- { "/usr/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/usr/src/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/usr/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/usr/src/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
// There cannot be any subdirectories in /usr/bin & /usr/sbin
- { "/usr/bin/*", S_IFDIR, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/usr/sbin/*", S_IFDIR, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/usr/bin/*", S_IFDIR, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/usr/sbin/*", S_IFDIR, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
// Any files in /usr/{,s}bin must be owned by root and have 0755
- { "/usr/bin/*", S_IFREG, 0755, "root", "root", 0 },
- { "/usr/sbin/*", S_IFREG, 0755, "root", "root", 0 },
+ { "/usr/bin/*", S_IFREG, 0755, "root", "root", 0 },
+ { "/usr/sbin/*", S_IFREG, 0755, "root", "root", 0 },
// /usr/include: Ensure that:
// * All files are non-executable and belong to root
// * All directories have 0755 and belong to root
- { "/usr/include/**", S_IFREG, 0644, "root", "root", 0 },
- { "/usr/include/**", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/include/**", S_IFREG, 0644, "root", "root", 0 },
+ { "/usr/include/**", S_IFDIR, 0755, "root", "root", 0 },
+
+ // Firmware must not be executable
+ { "/usr/lib/firmware/**", S_IFREG, 0644, "root", "root", 0 },
+ { "/usr/lib/firmware/**", S_IFDIR, 0755, "root", "root", 0 },
// /var
- { "/var", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/cache", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/db", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/empty", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/lib", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/log", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/mail", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/opt", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/run", S_IFLNK, 0755, "root", "root", 0 },
- { "/var/spool", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/tmp", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/cache", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/db", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/empty", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/lib", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/log", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/mail", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/opt", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/run", S_IFLNK, 0755, "root", "root", 0 },
+ { "/var/spool", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/tmp", S_IFDIR, 0755, "root", "root", 0 },
// Do not allow any subdirectories in /var
- { "/var/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/var/empty/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/var/tmp/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/var/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/var/empty/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/var/tmp/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
// /boot
- { "/boot", S_IFDIR, 0755, "root", "root", 0 },
- { "/boot/efi", S_IFDIR, 0755, "root", "root", 0 },
+ { "/boot", S_IFDIR, 0755, "root", "root", 0 },
+ { "/boot/efi", S_IFDIR, 0755, "root", "root", 0 },
// /dev (nothing may exist in it)
- { "/dev", S_IFDIR, 0755, "root", "root", 0 },
- { "/dev/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/dev", S_IFDIR, 0755, "root", "root", 0 },
+ { "/dev/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
// /etc
- { "/etc", S_IFDIR, 0755, "root", "root", 0 },
+ { "/etc", S_IFDIR, 0755, "root", "root", 0 },
// /home
- { "/home", S_IFDIR, 0755, "root", "root", 0 },
- { "/home/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/home", S_IFDIR, 0755, "root", "root", 0 },
+ { "/home/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
// /opt
- { "/opt", S_IFDIR, 0755, "root", "root", 0 },
+ { "/opt", S_IFDIR, 0755, "root", "root", 0 },
// These directories belong to the "local administrator"
// https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s13.html
- { "/opt/bin", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/opt/doc", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/opt/include", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/opt/info", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/opt/lib", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/opt/man", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/bin", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/doc", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/include", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/info", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/lib", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/man", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
// /proc
- { "/proc", S_IFDIR, 0755, "root", "root", 0 },
- { "/proc/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/proc", S_IFDIR, 0755, "root", "root", 0 },
+ { "/proc/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
// /run
- { "/run", S_IFDIR, 0755, "root", "root", 0 },
- { "/run/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/run", S_IFDIR, 0755, "root", "root", 0 },
+ { "/run/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
// /sys
- { "/sys", S_IFDIR, 0755, "root", "root", 0 },
- { "/sys/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/sys", S_IFDIR, 0755, "root", "root", 0 },
+ { "/sys/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
// /tmp
- { "/tmp", S_IFDIR, 1755, "root", "root", 0 },
- { "/tmp/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/tmp", S_IFDIR, 1755, "root", "root", 0 },
+ { "/tmp/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
// FHS Directories
- { "/media", S_IFDIR, 0755, "root", "root", 0 },
- { "/mnt", S_IFDIR, 0755, "root", "root", 0 },
- { "/srv", S_IFDIR, 0755, "root", "root", 0 },
+ { "/media", S_IFDIR, 0755, "root", "root", 0 },
+ { "/mnt", S_IFDIR, 0755, "root", "root", 0 },
+ { "/srv", S_IFDIR, 0755, "root", "root", 0 },
// /bin, /sbin, /lib, and /lib64 have to be symlinks
- { "/bin", S_IFLNK, 0777, NULL, NULL, 0 },
- { "/lib", S_IFLNK, 0777, NULL, NULL, 0 },
- { "/lib64", S_IFLNK, 0777, NULL, NULL, 0 },
- { "/sbin", S_IFLNK, 0777, NULL, NULL, 0 },
+ { "/bin", S_IFLNK, 0777, NULL, NULL, 0 },
+ { "/lib", S_IFLNK, 0777, NULL, NULL, 0 },
+ { "/lib64", S_IFLNK, 0777, NULL, NULL, 0 },
+ { "/sbin", S_IFLNK, 0777, NULL, NULL, 0 },
// There cannot be anything else in /
- { "/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
// Catch all so that we won't throw an error
- { "/**", 0, 0, NULL, NULL, 0 },
+ { "/**", 0, 0, NULL, NULL, 0 },
// Sentinel
{ NULL },