From 8c2cf1c36843a2eb1e52c29f20ef4167463189ec Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Wed, 30 Dec 2020 19:31:02 +0100 Subject: [PATCH] Add DNF protected.d fragments for GRUB packages Users can unintentionally remove the grub2 packages and break their system by deleting the bootloader. To prevent this mark them as protected by DNF. Resolves: rhbz#1874541 Signed-off-by: Javier Martinez Canillas --- grub.macros | 13 +++++++++++++ grub2.spec | 2 ++ 2 files changed, 15 insertions(+) diff --git a/grub.macros b/grub.macros index 2643a7b..775787d 100644 --- a/grub.macros +++ b/grub.macros @@ -370,6 +370,14 @@ for x in grub-mkimage ; do \\\ done \ %{nil} +%define do_install_protected_file() \ +touch %{1}.conf \ +echo %{1} > %{1}.conf \ +install -d -m 755 ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ +install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ +rm -f %{1}.conf \ +%{nil} + %ifarch x86_64 aarch64 %{arm} riscv64 %define mkimage() \ %{4}./grub-mkimage -O %{1} -o %{2}.orig \\\ @@ -483,6 +491,7 @@ find . '(' -iname gdb_grub \\\ find $RPM_BUILD_ROOT -type f -iname "*.mod*" -exec chmod a-x {} '\;' \ install -m 700 %{2} $RPM_BUILD_ROOT%{efi_esp_dir}/%{2} \ install -m 700 %{3} $RPM_BUILD_ROOT%{efi_esp_dir}/%{3} \ +%{expand:%%do_install_protected_file %{name}-%{alt_package_arch}} \ cd .. \ %{nil} @@ -510,6 +519,7 @@ ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\ ${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create \ ln -sf ../efi/EFI/%{efi_vendor}/grubenv \\\ $RPM_BUILD_ROOT/boot/grub2/grubenv \ +%{expand:%%do_install_protected_file %{name}-%{package_arch}} \ cd .. \ %{nil} @@ -532,6 +542,7 @@ if [ %{3} -eq 0 ]; then \ ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\ ${RPM_BUILD_ROOT}/boot/%{name}/grubenv create \ fi \ +%{expand:%%do_install_protected_file %{name}-%{legacy_package_arch}} \ cd .. \ %{nil} 
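Review bot: `do_install_protected_file` stages `%{1}.conf` in the current build directory before copying it, and the `touch` is redundant because the `echo` redirection already creates the file. Writing straight into the buildroot is shorter and leaves nothing behind in the source tree: keep the `install -d` line and replace the other four commands with `echo %{1} > ${RPM_BUILD_ROOT}%{_sysconfdir}/dnf/protected.d/%{1}.conf`. The `%attr(0644,root,root)` on the matching `%files` entries already fixes the packaged mode. The macro also hard-codes `/etc` where existing `%files` context in `grub.macros` uses `%{_sysconfdir}`; the same applies to the new `%files` lines in the `grub.macros` hunks at -579 and -606 and in `grub2.spec`.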
@@ -579,6 +590,7 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \ %config(noreplace) %{_sysconfdir}/%{name}.cfg \ %ghost %config(noreplace) /boot/%{name}/grub.cfg \ %dir %attr(0700,root,root)/boot/loader/entries \ +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \ \ %{expand:%if 0%{?with_legacy_modules} \ %{expand:%%files %{1}-modules} \ @@ -606,6 +618,7 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \ %ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \ %config(noreplace) %verify(not size mode md5 mtime) /boot/grub2/grubenv \ %ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grubenv \ +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \ %{expand:%if 0%{?without_efi_modules} \ %exclude %{_libdir}/grub/%{6} \ %exclude %{_libdir}/grub/%{6}/* \ diff --git a/grub2.spec b/grub2.spec index 8d12616..df31144 100644 --- a/grub2.spec +++ b/grub2.spec @@ -233,6 +233,7 @@ rm -vf ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-render-label rm -vf ${RPM_BUILD_ROOT}/%{_sbindir}/%{name}-bios-setup rm -vf ${RPM_BUILD_ROOT}/%{_sbindir}/%{name}-macbless %endif +%{expand:%%do_install_protected_file %{name}-tools-minimal} %find_lang grub @@ -375,6 +376,7 @@ rm -r /boot/grub2.tmp/ || : %{_bindir}/%{name}-editenv %{_bindir}/%{name}-mkpasswd-pbkdf2 %{_bindir}/%{name}-mount +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-tools-minimal.conf %{_datadir}/man/man3/%{name}-get-kernel-settings* %{_datadir}/man/man8/%{name}-set-default*
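Review bot: The new `%files` entries install a file under `/etc/dnf/protected.d/`, but nothing visible in this patch shows these subpackages owning that directory or requiring the package that does. If no dependency provides it, the directory is left unowned after install; confirm the owner, or add `%dir %{_sysconfdir}/dnf/protected.d` next to each entry (the hunk at -606 and the `grub2.spec` `%files` hunk have the same line). A short comment above the `grub2.spec` entry would also help maintainers, for example `# DNF refuses to remove packages listed in protected.d; rpm -e is not affected`, since the safeguard is applied by DNF only and other removal paths bypass it.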