Add DNF protected.d fragments for GRUB packages

Users can unintentionally remove the grub2 packages and break their system
by deleting the bootloader. To prevent this, mark them as protected by DNF.

Resolves: rhbz#1874541

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Javier Martinez Canillas 2020-12-30 19:31:02 +01:00
parent c321e640dc
commit 8c2cf1c368
No known key found for this signature in database
GPG key ID: C751E590D63F3D69
2 changed files with 15 additions and 0 deletions


@ -370,6 +370,14 @@ for x in grub-mkimage ; do \\\
done \
%{nil}
%define do_install_protected_file() \
touch %{1}.conf \
echo %{1} > %{1}.conf \
install -d -m 755 ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \
install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \
rm -f %{1}.conf \
%{nil}
%ifarch x86_64 aarch64 %{arm} riscv64
%define mkimage() \
%{4}./grub-mkimage -O %{1} -o %{2}.orig \\\
@ -483,6 +491,7 @@ find . '(' -iname gdb_grub \\\
find $RPM_BUILD_ROOT -type f -iname "*.mod*" -exec chmod a-x {} '\;' \
install -m 700 %{2} $RPM_BUILD_ROOT%{efi_esp_dir}/%{2} \
install -m 700 %{3} $RPM_BUILD_ROOT%{efi_esp_dir}/%{3} \
%{expand:%%do_install_protected_file %{name}-%{alt_package_arch}} \
cd .. \
%{nil}
@ -510,6 +519,7 @@ ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\
${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create \
ln -sf ../efi/EFI/%{efi_vendor}/grubenv \\\
$RPM_BUILD_ROOT/boot/grub2/grubenv \
%{expand:%%do_install_protected_file %{name}-%{package_arch}} \
cd .. \
%{nil}
@ -532,6 +542,7 @@ if [ %{3} -eq 0 ]; then \
${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\
${RPM_BUILD_ROOT}/boot/%{name}/grubenv create \
fi \
%{expand:%%do_install_protected_file %{name}-%{legacy_package_arch}} \
cd .. \
%{nil}
@ -579,6 +590,7 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \
%config(noreplace) %{_sysconfdir}/%{name}.cfg \
%ghost %config(noreplace) /boot/%{name}/grub.cfg \
%dir %attr(0700,root,root)/boot/loader/entries \
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
\
%{expand:%if 0%{?with_legacy_modules} \
%{expand:%%files %{1}-modules} \
@ -606,6 +618,7 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \
%ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \
%config(noreplace) %verify(not size mode md5 mtime) /boot/grub2/grubenv \
%ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grubenv \
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
%{expand:%if 0%{?without_efi_modules} \
%exclude %{_libdir}/grub/%{6} \
%exclude %{_libdir}/grub/%{6}/* \
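Review bot: The `do_install_protected_file` macro added in the first hunk has no comment saying what it produces, and its `touch %{1}.conf` line is redundant because the `echo %{1} > %{1}.conf` that follows creates the file anyway. I would drop the `touch` and add a comment above the `%define` such as `# Install /etc/dnf/protected.d/<pkg>.conf containing the package name; %{1} must be the exact binary package name, since DNF matches on it`. The directory is also written as a literal `/etc/dnf/protected.d` in the macro and in both `%files` entries of this section, while the neighbouring `%config(noreplace) %{_sysconfdir}/%{name}.cfg` line uses the macro; `%{_sysconfdir}/dnf/protected.d` would keep them consistent. Because the fragments are `%config(noreplace)`, a locally edited or emptied file survives package updates, so the protection is a default rather than a guarantee, and it covers DNF transactions only; the same comment is a good place to say so.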


@ -233,6 +233,7 @@ rm -vf ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-render-label
rm -vf ${RPM_BUILD_ROOT}/%{_sbindir}/%{name}-bios-setup
rm -vf ${RPM_BUILD_ROOT}/%{_sbindir}/%{name}-macbless
%endif
%{expand:%%do_install_protected_file %{name}-tools-minimal}
%find_lang grub
@ -375,6 +376,7 @@ rm -r /boot/grub2.tmp/ || :
%{_bindir}/%{name}-editenv
%{_bindir}/%{name}-mkpasswd-pbkdf2
%{_bindir}/%{name}-mount
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-tools-minimal.conf
%{_datadir}/man/man3/%{name}-get-kernel-settings*
%{_datadir}/man/man8/%{name}-set-default*