Skip to content

Fix logic errors and typos in grub-live hardener and boot scripts#5

Closed
assisted-by-ai wants to merge 2 commits intoKicksecure:masterfrom
assisted-by-ai:claude/find-bugs-zsHdS
Closed

Fix logic errors and typos in grub-live hardener and boot scripts#5
assisted-by-ai wants to merge 2 commits intoKicksecure:masterfrom
assisted-by-ai:claude/find-bugs-zsHdS

Conversation

@assisted-by-ai
Copy link
Copy Markdown

@assisted-by-ai assisted-by-ai commented Apr 3, 2026

Summary

This PR fixes several logic errors and typos in the grub-live hardener and boot configuration scripts that could affect live mode detection and system behavior.

Key Changes

  • Removed 'overlay' from nooverlay filesystem list in live-hardener: The 'overlay' filesystem type should not be in the list of filesystems to avoid overlaying, as this contradicts the intended behavior.

  • Fixed live mode detection logic in check_in_live_mode(): Split the compound conditional into two separate checks:

    • First checks if not in live mode (live_status_detected_live_mode_environment_machine = 'false') and exits cleanly
    • Then checks if in iso-live mode and exits cleanly
    • This prevents the logic from incorrectly handling the false case when combined with the iso-live regex check

  • Fixed array emptiness check in get_mount_list_to_harden(): Changed the logical operator from || (OR) to && (AND) when checking if the lsblk array is empty. The original logic would exit on error even when the array had valid elements.

  • Fixed typos in error messages:

    • Removed duplicate "but but" → "but" in dracut error messages (2 occurrences)
    • Updated outdated file path reference from /etc/grub.d/10_00_linux_dist to /etc/grub.d/10_50_linux_dist_advanced in error message

Notable Details

These changes correct logic flow issues that could cause the hardener to behave unexpectedly during live mode detection and mount list processing, while also improving error message accuracy.

https://claude.ai/code/session_01Ew2y3KFm82wjaxzgCBAi12

claude added 2 commits April 3, 2026 10:21
@claude
Fix bugs: wrong error message, misleading log, typo, dead code
30b1c5f 
- Fix error message in 10_60_linux_live_advanced referencing wrong file
  (10_00_linux_dist instead of 10_50_linux_dist_advanced)
- Fix misleading "iso-live mode detected" log when system is simply not
  in live mode
- Fix "but but" typo in both GRUB scripts
- Remove unreachable 'overlay' entry from fs_type_nooverlay_list (already
  in fs_type_whitelist which is checked first)

https://claude.ai/code/session_01Ew2y3KFm82wjaxzgCBAi12
@claude
Fix lsblk_raw_list validation using || instead of &&
a5dd05d 
The empty-check for lsblk_raw_list used || (OR), causing a spurious
error on single-disk systems. The two analogous checks in the same
file (proc_mount_path_list and lsblk_path_list) correctly use &&.

https://claude.ai/code/session_01Ew2y3KFm82wjaxzgCBAi12
ArrayBolt3
ArrayBolt3 reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown

@ArrayBolt3 ArrayBolt3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Accepted with tweaks in ArrayBolt3@c881ee4.

Comment thread etc/grub.d/10_20_linux_live
if ! test -x /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh ; then
echo "\
grub-live $0: ERROR: It has been detected that this system is using dracut but but file /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh is not executable. This means that no live mode boot menu entry will be added.
grub-live $0: ERROR: It has been detected that this system is using dracut but file /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh is not executable. This means that no live mode boot menu entry will be added.
Copy link
Copy Markdown

@ArrayBolt3 ArrayBolt3 Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Accepted.

Comment thread etc/grub.d/10_60_linux_live_advanced
if ! test -x /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh ; then
echo "\
grub-live $0: ERROR: It has been detected that this system is using dracut but but file /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh is not executable. This means that no live mode boot menu entry will be added.
grub-live $0: ERROR: It has been detected that this system is using dracut but file /usr/lib/dracut/modules.d/90overlay-root/overlay-mount.sh is not executable. This means that no live mode boot menu entry will be added.
Copy link
Copy Markdown

@ArrayBolt3 ArrayBolt3 Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Accepted.

Comment thread etc/grub.d/10_60_linux_live_advanced
else
echo "\
grub-live $0: ERROR: Neither file '/etc/grub.d/10_00_linux_dist' (package: 'dist-base-files') nor file '/etc/grub.d/10_linux' (package: 'grub-common') exists. This means that no live mode boot menu entry will be added.
grub-live $0: ERROR: Neither file '/etc/grub.d/10_50_linux_dist_advanced' (package: 'dist-base-files') nor file '/etc/grub.d/10_linux' (package: 'grub-common') exists. This means that no live mode boot menu entry will be added.
Copy link
Copy Markdown

@ArrayBolt3 ArrayBolt3 Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Accepted.

Comment thread usr/libexec/grub-live/live-hardener
'iso9660'
'jfs'
'vfat'
'overlay'
Copy link
Copy Markdown

@ArrayBolt3 ArrayBolt3 Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Accepted. (I tried removing 'overlay' from the whitelist instead but that resulted in / being remounted read-only.)

Comment thread usr/libexec/grub-live/live-hardener
Comment on lines -159 to +162
if [ "${live_status_detected_live_mode_environment_machine}" = 'false' ] \
|| [[ "${live_status_detected_live_mode_environment_machine}" =~ ^iso-live ]]; then
if [ "${live_status_detected_live_mode_environment_machine}" = 'false' ]; then
printf "%s\n" "$0: INFO: Not in live mode, exiting, ok."
exit 0
fi
if [[ "${live_status_detected_live_mode_environment_machine}" =~ ^iso-live ]]; then
Copy link
Copy Markdown

@ArrayBolt3 ArrayBolt3 Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Accepted with a minor tweak (using if/elif/fi rather than if/fi/if/fi).

Comment thread usr/libexec/grub-live/live-hardener
Comment on lines -266 to +268
|| [ -z "${lsblk_raw_list[0]:-}" ]; then
&& [ -z "${lsblk_raw_list[0]:-}" ]; then
Copy link
Copy Markdown

@ArrayBolt3 ArrayBolt3 Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically this correction is the right way to check for contents in a readarray-populated array, but in this instance it would be more correct to just check if the first element is empty or nonexistent.

@adrelanos adrelanos closed this Apr 10, 2026
@assisted-by-ai assisted-by-ai mentioned this pull request Apr 27, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@ArrayBolt3 ArrayBolt3 ArrayBolt3 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@assisted-by-ai @ArrayBolt3 @adrelanos @claude