From: Stefan Schantl <stefan.schantl@ipfire.org>
Date: Tue, 28 Mar 2023 08:55:21 +0000 (+0200)
Subject: Hardening: Declare content of /usr/lib/grub as firmware files
X-Git-Tag: 0.9.29~209
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0e3f8ea032583ef8c3900e83678931429abc9e64;p=pakfire.git

Hardening: Declare content of /usr/lib/grub as firmware files

This folder contains the neccessary files, which are written to
the MBR, dealing with EFI, or loading additional required grub
modules unless the whole grub menu can be displayed or a selected
OS will start up.

Some of these files are 32bit ELF files or do not have SSP etc.

So I would suggest to mark them as firmware files and therefore
skip some of the hardening tests.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/src/libpakfire/file.c b/src/libpakfire/file.c
index 33e26fea8..819587ef0 100644
--- a/src/libpakfire/file.c
+++ b/src/libpakfire/file.c
@@ -1509,6 +1509,7 @@ static const struct pattern {
 	{ "*.pm", PAKFIRE_FILE_PERL },
 	{ "*.pc", PAKFIRE_FILE_PKGCONFIG },
 	{ "/usr/lib/firmware/*", PAKFIRE_FILE_FIRMWARE },
+	{ "/usr/lib/grub/*", PAKFIRE_FILE_FIRMWARE },
 	{ "/usr/lib*/ld-*.so*", PAKFIRE_FILE_RUNTIME_LINKER },
 	{ NULL },
 };