Please detail your use case. GRUB already had user framework in the same
problem space.
Le mer. 24 janv. 2024, 09:27, Alec Brown a écrit :
> Added functionality to disable command line interface access and editing
> of GRUB
> menu entries if GRUB image is built with --disable-cli.
>
> Signed-off-by: Alec Brown
> ---
> docs/grub.texi | 6 --
> grub-core/kern/main.c | 28
> grub-core/kern/rescue_reader.c | 13 +
> grub-core/normal/auth.c| 3 +++
> grub-core/normal/menu_text.c | 31 +--
> include/grub/kernel.h | 3 ++-
> include/grub/misc.h| 2 ++
> include/grub/util/install.h| 8 ++--
> util/grub-install-common.c | 11 ---
> util/grub-mkimage.c| 9 -
> util/mkimage.c | 16 +++-
> 11 files changed, 106 insertions(+), 24 deletions(-)
>
> diff --git a/docs/grub.texi b/docs/grub.texi
> index a225f9a88..96ab17d5b 100644
> --- a/docs/grub.texi
> +++ b/docs/grub.texi
> @@ -6412,8 +6412,10 @@ the GRUB command line, edit menu entries, and
> execute any menu entry. If
> @samp{superusers} is set, then use of the command line and editing of menu
> entries are automatically restricted to superusers. Setting
> @samp{superusers}
> to empty string effectively disables both access to CLI and editing of
> menu
> -entries. Note: The environment variable needs to be exported to also
> affect
> -the section defined by the @samp{submenu} command (@pxref{submenu}).
> +entries. Building a grub image with @samp{--disable-cli} option will also
> +disable access to CLI and editing of menu entries, as well as disabling
> rescue
> +mode. Note: The environment variable needs to be exported to also affect
> the
> +section defined by the @samp{submenu} command (@pxref{submenu}).
>
> Other users may be allowed to execute specific menu entries by giving a
> list of
> usernames (as above) using the @option{--users} option to the
> diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
> index 731c07c29..30643164e 100644
> --- a/grub-core/kern/main.c
> +++ b/grub-core/kern/main.c
> @@ -30,11 +30,14 @@
> #include
> #include
> #include
> +#include
>
> #ifdef GRUB_MACHINE_PCBIOS
> #include
> #endif
>
> +static bool cli_disabled = false;
> +
> grub_addr_t
> grub_modules_get_end (void)
> {
> @@ -237,6 +240,28 @@ grub_load_normal_mode (void)
>grub_command_execute ("normal", 0, 0);
> }
>
> +bool
> +grub_is_cli_disabled (void)
> +{
> + return cli_disabled;
> +}
> +
> +static void
> +check_is_cli_disabled (void)
> +{
> + struct grub_module_header *header;
> + header = 0;
> +
> + FOR_MODULES (header)
> +{
> + if (header->type == OBJ_TYPE_DISABLE_CLI)
> + {
> + cli_disabled = true;
> + return;
> + }
> +}
> +}
> +
> static void
> reclaim_module_space (void)
> {
> @@ -294,6 +319,9 @@ grub_main (void)
>
>grub_boot_time ("After loading embedded modules.");
>
> + /* Check if the CLI should be disabled */
> + check_is_cli_disabled ();
> +
>/* It is better to set the root device as soon as possible,
> for convenience. */
>grub_set_prefix_and_root ();
> diff --git a/grub-core/kern/rescue_reader.c
> b/grub-core/kern/rescue_reader.c
> index dcd7d4439..4259857ba 100644
> --- a/grub-core/kern/rescue_reader.c
> +++ b/grub-core/kern/rescue_reader.c
> @@ -78,6 +78,19 @@ grub_rescue_read_line (char **line, int cont,
> void __attribute__ ((noreturn))
> grub_rescue_run (void)
> {
> + /* Stall if the CLI has been disabled */
> + if (grub_is_cli_disabled ())
> +{
> + grub_printf ("Rescue mode has been disabled...\n");
> +
> + do
> + {
> + /* Do not optimize out the loop. */
> + asm volatile ("");
> + }
> + while (1);
> +}
> +
>grub_printf ("Entering rescue mode...\n");
>
>while (1)
> diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
> index 517fc623f..d94020186 100644
> --- a/grub-core/normal/auth.c
> +++ b/grub-core/normal/auth.c
> @@ -209,6 +209,9 @@ grub_auth_check_authentication (const char *userlist)
>char entered[GRUB_AUTH_MAX_PASSLEN];
>struct grub_auth_user *user;
>
> + if (grub_is_cli_disabled ())
> +return GRUB_ACCESS_DENIED;
> +
>grub_memset (login, 0, sizeof (login));
>
>if (is_authenticated (userlist))
> diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
> index b1321eb26..9c383e64a 100644
> --- a/grub-core/normal/menu_text.c
> +++ b/grub-core/normal/menu_text.c
> @@ -178,21 +178,24 @@ command-line or ESC to discard edits and return to
> the GRUB menu."),
>
>grub_free (msg_translated);
>
> - if (nested)
> + if (!grub_is_cli_disabled ())
> {
> - ret += grub_print_message_indented_real
> - (_("Press enter to boot the selected OS, "
> - "`e' to edit the commands before booting "
> -