mkconfig: More hardening to prevent overwriting grub cfg stub

Simplified os detection and remove mountpoint to accommodate
hybrid VMs

Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
This commit is contained in:
Nicolas Frayer 2024-08-06 12:29:47 +02:00
parent ab7ed2db6e
commit dd5f2023b0
5 changed files with 62 additions and 41 deletions

View file

@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko <alukoshko@almalinux.org>
Date: Wed, 31 Jul 2024 16:06:10 +0000
Subject: [PATCH] grub2-mkconfig: Simplify os_name detection
---
util/grub-mkconfig.in | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index efa36cc45a69..8b7883072e46 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -109,12 +109,7 @@ do
esac
done
-os_name=$(grep '^ID=' /etc/os-release | sed 's/ID=//')
-if test "$os_name" = '"rhel"'; then
- os_name=redhat
-elif test "$os_name" = '"centos"'; then
- os_name=centos
-fi
+os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
mountpoint -q /boot/efi; then
gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2

View file

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Thu, 1 Aug 2024 11:13:20 +0200
Subject: [PATCH] grub/mkconfig: Remove check for mount point for grub cfg stub
Remove mountpoint when checking whether or not the grub cfg stub
exists and add -s to the test. This should cover scenarios where
the ESP doesn't have a seperate partition but still uses a grub
cfg stub
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
---
util/grub-mkconfig.in | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index 8b7883072e46..31a72a39e0cf 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -110,8 +110,7 @@ do
done
os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
-if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
- mountpoint -q /boot/efi; then
+if test -s "${grub_cfg}" && test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg"; then
gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2
gettext_printf "Please run \`grub2-mkconfig -o /boot/grub2/grub.cfg' instead to update grub.cfg.\n" 1>&2
gettext_printf "GRUB configuration file was not updated.\n" 1>&2

View file

@ -1,40 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Tue, 16 Jul 2024 11:11:43 +0200
Subject: [PATCH] grub2-mkconfig: Ensure grub cfg stub is not overwritten
/boot/efi/EFI/$os_name/grub.cfg contains a grub cfg stub
that should not be overwritten by grub2-mkconfig.
Ensure that we prevent this from happening.
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
---
util/grub-mkconfig.in | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index fb382b648b87..efa36cc45a69 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -109,6 +109,20 @@ do
esac
done
+os_name=$(grep '^ID=' /etc/os-release | sed 's/ID=//')
+if test "$os_name" = '"rhel"'; then
+ os_name=redhat
+elif test "$os_name" = '"centos"'; then
+ os_name=centos
+fi
+if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
+ mountpoint -q /boot/efi; then
+ gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2
+ gettext_printf "Please run \`grub2-mkconfig -o /boot/grub2/grub.cfg' instead to update grub.cfg.\n" 1>&2
+ gettext_printf "GRUB configuration file was not updated.\n" 1>&2
+ exit 1
+fi
+
if [ "x$EUID" = "x" ] ; then
EUID=`id -u`
fi

View file

@ -269,3 +269,5 @@ Patch0268: 0268-Set-non-executable-stack-sections-on-EFI-assembly-fi.patch
Patch0269: 0269-grub-mkconfig.in-turn-off-executable-owner-bit.patch
Patch0270: 0270-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
Patch0271: 0271-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch
Patch0272: 0272-grub2-mkconfig-Simplify-os_name-detection.patch
Patch0273: 0273-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch

View file

@ -17,7 +17,7 @@
Name: grub2
Epoch: 1
Version: 2.12
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
License: GPL-3.0-or-later
URL: http://www.gnu.org/software/grub/
@ -560,6 +560,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif
%changelog
* Tue Aug 6 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.12-2
- mkconfig: More hardening to prevent overwriting grub cfg stub
* Mon Aug 5 2024 Leo Sandoval <lsandova@redhat.com> - 2.12-1
- Rebased to release grub2-2.12