cukinia: security: check /boot only readable by root

Follows ANSI-BP28-R29

Signed-off-by: Enguerrand de Ribaucourt <[email protected]>

recipes-cukinia-tests/cukinia-tests/files/update_tests.d/bootloader.conf

@@ -5,7 +5,14 @@ cukinia_log "$(_colorize yellow "--- check bootloader hardening ---")"
 
 /usr/share/update/mount_boot.sh mount
 
+boot_mounted() { mountpoint -q /boot; }
+
+when "boot_mounted" \
 id "SEAPATH-00007" as "grub password is set" cukinia_cmd \
     grep -q '^password_pbkdf2 root grub.pbkdf2' /boot/EFI/BOOT/grub.cfg
 
-/usr/share/update/mount_boot.sh umount
+when "boot_mounted" \
+id "SEAPATH-00077" as "boot partition is only readable by root" cukinia_test \
+    "$(stat -c "%a %U %G" /boot)" == "750 root root"
+
+/usr/share/update/mount_boot.sh umount 2>/dev/null