From 21bd82b0b15dd43916ec63550e888d86355cde66 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 17 Mar 2023 11:46:30 +0000
Subject: [PATCH] FHS: Ensure that firmware files are not executable
Signed-off-by: Michael Tremer
---
 src/libpakfire/fhs.c | 126 ++++++++++++++++++++++---------------------
 1 file changed, 65 insertions(+), 61 deletions(-)
diff --git a/src/libpakfire/fhs.c b/src/libpakfire/fhs.c
index 281001abc..706e56c58 100644
--- a/src/libpakfire/fhs.c
+++ b/src/libpakfire/fhs.c
@@ -43,109 +43,113 @@ static const struct pakfire_fhs_check {
 } flags;
 } pakfire_fhs_check[] = {
 // /usr
- { "/usr", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/bin", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/include", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/lib", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/lib64", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/sbin", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/share", S_IFDIR, 0755, "root", "root", 0 },
- { "/usr/src", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/bin", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/include", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/lib", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/lib64", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/sbin", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/share", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/src", S_IFDIR, 0755, "root", "root", 0 },
 // Allow no further files in /usr & /usr/src
- { "/usr/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/usr/src/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/usr/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/usr/src/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
 // There cannot be any subdirectories in /usr/bin & /usr/sbin
- { "/usr/bin/*", S_IFDIR, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/usr/sbin/*", S_IFDIR, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/usr/bin/*", S_IFDIR, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/usr/sbin/*", S_IFDIR, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
 // Any files in /usr/{,s}bin must be owned by root and have 0755
- { "/usr/bin/*", S_IFREG, 0755, "root", "root", 0 },
- { "/usr/sbin/*", S_IFREG, 0755, "root", "root", 0 },
+ { "/usr/bin/*", S_IFREG, 0755, "root", "root", 0 },
+ { "/usr/sbin/*", S_IFREG, 0755, "root", "root", 0 },
 // /usr/include: Ensure that:
 // * All files are non-executable and belong to root
 // * All directories have 0755 and belong to root
- { "/usr/include/**", S_IFREG, 0644, "root", "root", 0 },
- { "/usr/include/**", S_IFDIR, 0755, "root", "root", 0 },
+ { "/usr/include/**", S_IFREG, 0644, "root", "root", 0 },
+ { "/usr/include/**", S_IFDIR, 0755, "root", "root", 0 },
+
+ // Firmware must not be executable
+ { "/usr/lib/firmware/**", S_IFREG, 0644, "root", "root", 0 },
+ { "/usr/lib/firmware/**", S_IFDIR, 0755, "root", "root", 0 },
 // /var
- { "/var", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/cache", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/db", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/empty", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/lib", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/log", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/mail", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/opt", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/run", S_IFLNK, 0755, "root", "root", 0 },
- { "/var/spool", S_IFDIR, 0755, "root", "root", 0 },
- { "/var/tmp", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/cache", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/db", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/empty", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/lib", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/log", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/mail", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/opt", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/run", S_IFLNK, 0755, "root", "root", 0 },
+ { "/var/spool", S_IFDIR, 0755, "root", "root", 0 },
+ { "/var/tmp", S_IFDIR, 0755, "root", "root", 0 },
 // Do not allow any subdirectories in /var
- { "/var/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/var/empty/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/var/tmp/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/var/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/var/empty/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/var/tmp/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
 // /boot
- { "/boot", S_IFDIR, 0755, "root", "root", 0 },
- { "/boot/efi", S_IFDIR, 0755, "root", "root", 0 },
+ { "/boot", S_IFDIR, 0755, "root", "root", 0 },
+ { "/boot/efi", S_IFDIR, 0755, "root", "root", 0 },
 // /dev (nothing may exist in it)
- { "/dev", S_IFDIR, 0755, "root", "root", 0 },
- { "/dev/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/dev", S_IFDIR, 0755, "root", "root", 0 },
+ { "/dev/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
 // /etc
- { "/etc", S_IFDIR, 0755, "root", "root", 0 },
+ { "/etc", S_IFDIR, 0755, "root", "root", 0 },
 // /home
- { "/home", S_IFDIR, 0755, "root", "root", 0 },
- { "/home/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/home", S_IFDIR, 0755, "root", "root", 0 },
+ { "/home/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
 // /opt
- { "/opt", S_IFDIR, 0755, "root", "root", 0 },
+ { "/opt", S_IFDIR, 0755, "root", "root", 0 },
 // These directories belong to the "local administrator"
 // https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s13.html
- { "/opt/bin", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/opt/doc", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/opt/include", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/opt/info", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/opt/lib", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
- { "/opt/man", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/bin", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/doc", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/include", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/info", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/lib", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/opt/man", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
 // /proc
- { "/proc", S_IFDIR, 0755, "root", "root", 0 },
- { "/proc/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/proc", S_IFDIR, 0755, "root", "root", 0 },
+ { "/proc/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
 // /run
- { "/run", S_IFDIR, 0755, "root", "root", 0 },
- { "/run/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/run", S_IFDIR, 0755, "root", "root", 0 },
+ { "/run/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
 // /sys
- { "/sys", S_IFDIR, 0755, "root", "root", 0 },
- { "/sys/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/sys", S_IFDIR, 0755, "root", "root", 0 },
+ { "/sys/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
 // /tmp
- { "/tmp", S_IFDIR, 1755, "root", "root", 0 },
- { "/tmp/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/tmp", S_IFDIR, 1755, "root", "root", 0 },
+ { "/tmp/**", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
 // FHS Directories
- { "/media", S_IFDIR, 0755, "root", "root", 0 },
- { "/mnt", S_IFDIR, 0755, "root", "root", 0 },
- { "/srv", S_IFDIR, 0755, "root", "root", 0 },
+ { "/media", S_IFDIR, 0755, "root", "root", 0 },
+ { "/mnt", S_IFDIR, 0755, "root", "root", 0 },
+ { "/srv", S_IFDIR, 0755, "root", "root", 0 },
 // /bin, /sbin, /lib, and /lib64 have to be symlinks
- { "/bin", S_IFLNK, 0777, NULL, NULL, 0 },
- { "/lib", S_IFLNK, 0777, NULL, NULL, 0 },
- { "/lib64", S_IFLNK, 0777, NULL, NULL, 0 },
- { "/sbin", S_IFLNK, 0777, NULL, NULL, 0 },
+ { "/bin", S_IFLNK, 0777, NULL, NULL, 0 },
+ { "/lib", S_IFLNK, 0777, NULL, NULL, 0 },
+ { "/lib64", S_IFLNK, 0777, NULL, NULL, 0 },
+ { "/sbin", S_IFLNK, 0777, NULL, NULL, 0 },
 // There cannot be anything else in /
- { "/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
+ { "/*", 0, 0, NULL, NULL, PAKFIRE_FHS_MUSTNOTEXIST },
 // Catch all so that we won't throw an error
- { "/**", 0, 0, NULL, NULL, 0 },
+ { "/**", 0, 0, NULL, NULL, 0 },
 // Sentinel
 { NULL },
--
2.39.5
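Review bot: The `/tmp` row gives its mode as `1755`, a decimal literal, while every other row uses an octal literal such as `0755`; decimal 1755 is octal 03333, so whatever mode comparison the checker performs (it is not visible in this hunk) is made against setgid, sticky and write/execute-only bits instead of a sticky directory mode. The commit re-emits this row with only its alignment changed, so this is a natural place to correct it: `{ "/tmp", S_IFDIR, 01777, "root", "root", 0 },` for the conventional sticky, world-writable /tmp, or `01755` if a root-only-writable /tmp is really what is intended. On the new firmware rows, the comment says only "must not be executable" while the rows pin `0644`/`0755` and root ownership; a comment such as `// Firmware is data loaded by the kernel: regular files 0644, directories 0755, owned by root` would state the rule as written. The table's definition begins above the hunk and its closing brace lies past the last context line.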