From c09dd1ed2438efb62c52fd46990e4d9e358b3869 Mon Sep 17 00:00:00 2001
From: Enguerrand de Ribaucourt
Date: Mon, 9 Dec 2024 14:12:18 +0100
Subject: [PATCH] cukinia: security: check /boot only readable by root
Follows ANSI-BP28-R29
Signed-off-by: Enguerrand de Ribaucourt
---
 .../cukinia-tests/files/update_tests.d/bootloader.conf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/recipes-cukinia-tests/cukinia-tests/files/update_tests.d/bootloader.conf b/recipes-cukinia-tests/cukinia-tests/files/update_tests.d/bootloader.conf
index c893c3ca..a60e3a86 100644
--- a/recipes-cukinia-tests/cukinia-tests/files/update_tests.d/bootloader.conf
+++ b/recipes-cukinia-tests/cukinia-tests/files/update_tests.d/bootloader.conf
@@ -5,7 +5,14 @@ cukinia_log "$(_colorize yellow "--- check bootloader hardening ---")"
 /usr/share/update/mount_boot.sh mount
+boot_mounted() { mountpoint -q /boot; }
+
+when "boot_mounted" \
 id "SEAPATH-00007" as "grub password is set" cukinia_cmd \
 grep -q '^password_pbkdf2 root grub.pbkdf2' /boot/EFI/BOOT/grub.cfg
-/usr/share/update/mount_boot.sh umount
+when "boot_mounted" \
+id "SEAPATH-00077" as "boot partition is only readable by root" cukinia_test \
+ "$(stat -c "%a %U %G" /boot)" == "750 root root"
+
+/usr/share/update/mount_boot.sh umount 2>/dev/null
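Review bot: A failed `mount_boot.sh mount` makes both hardening checks disappear from the report rather than fail, because the new `when "boot_mounted"` guards skip SEAPATH-00007 and SEAPATH-00077 when `mountpoint -q /boot` is false, so a world-readable /boot on a host whose boot mount is broken is never flagged. Consider an explicit, unguarded test before the two guarded ones, e.g. `id "<NEW-ID>" as "boot partition is mounted" cukinia_cmd mountpoint -q /boot`, so that a failed mount is reported as a failure. The comparison `"$(stat -c "%a %U %G" /boot)" == "750 root root"` uses `==`, which POSIX `test` does not define; `=` is the portable spelling with the same result under bash, and is safer if cukinia runs under /bin/sh. Since the grub.cfg path is under /boot/EFI, /boot is presumably a vfat mount, in which case the mode `stat` reports is governed by the mount options in mount_boot.sh rather than on-disk metadata — worth confirming that it sets a dmask producing 750 — and the `2>/dev/null` added to the umount line should not be hiding an error that the test run ought to surface.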