Re: [PATCH] cli_lock: Added build option to block command line interface
On Wed, Jan 24, 2024 at 06:26:37AM +, Alec Brown wrote: > Added functionality to disable command line interface access and editing of > GRUB > menu entries if GRUB image is built with --disable-cli. > > Signed-off-by: Alec Brown Reviewed-by: Daniel Kiper Daniel ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH] cli_lock: Added build option to block command line interface
Reviewed-By: Vladimir Serbinenko
On Wed, Jan 24, 2024 at 9:27 AM Alec Brown wrote:
>
> Added functionality to disable command line interface access and editing of
> GRUB
> menu entries if GRUB image is built with --disable-cli.
>
> Signed-off-by: Alec Brown
> ---
> docs/grub.texi | 6 --
> grub-core/kern/main.c | 28
> grub-core/kern/rescue_reader.c | 13 +
> grub-core/normal/auth.c| 3 +++
> grub-core/normal/menu_text.c | 31 +--
> include/grub/kernel.h | 3 ++-
> include/grub/misc.h| 2 ++
> include/grub/util/install.h| 8 ++--
> util/grub-install-common.c | 11 ---
> util/grub-mkimage.c| 9 -
> util/mkimage.c | 16 +++-
> 11 files changed, 106 insertions(+), 24 deletions(-)
>
> diff --git a/docs/grub.texi b/docs/grub.texi
> index a225f9a88..96ab17d5b 100644
> --- a/docs/grub.texi
> +++ b/docs/grub.texi
> @@ -6412,8 +6412,10 @@ the GRUB command line, edit menu entries, and execute
> any menu entry. If
> @samp{superusers} is set, then use of the command line and editing of menu
> entries are automatically restricted to superusers. Setting @samp{superusers}
> to empty string effectively disables both access to CLI and editing of menu
> -entries. Note: The environment variable needs to be exported to also affect
> -the section defined by the @samp{submenu} command (@pxref{submenu}).
> +entries. Building a grub image with @samp{--disable-cli} option will also
> +disable access to CLI and editing of menu entries, as well as disabling
> rescue
> +mode. Note: The environment variable needs to be exported to also affect the
> +section defined by the @samp{submenu} command (@pxref{submenu}).
>
> Other users may be allowed to execute specific menu entries by giving a list
> of
> usernames (as above) using the @option{--users} option to the
> diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
> index 731c07c29..30643164e 100644
> --- a/grub-core/kern/main.c
> +++ b/grub-core/kern/main.c
> @@ -30,11 +30,14 @@
> #include
> #include
> #include
> +#include
>
> #ifdef GRUB_MACHINE_PCBIOS
> #include
> #endif
>
> +static bool cli_disabled = false;
> +
> grub_addr_t
> grub_modules_get_end (void)
> {
> @@ -237,6 +240,28 @@ grub_load_normal_mode (void)
>grub_command_execute ("normal", 0, 0);
> }
>
> +bool
> +grub_is_cli_disabled (void)
> +{
> + return cli_disabled;
> +}
> +
> +static void
> +check_is_cli_disabled (void)
> +{
> + struct grub_module_header *header;
> + header = 0;
> +
> + FOR_MODULES (header)
> +{
> + if (header->type == OBJ_TYPE_DISABLE_CLI)
> + {
> + cli_disabled = true;
> + return;
> + }
> +}
> +}
> +
> static void
> reclaim_module_space (void)
> {
> @@ -294,6 +319,9 @@ grub_main (void)
>
>grub_boot_time ("After loading embedded modules.");
>
> + /* Check if the CLI should be disabled */
> + check_is_cli_disabled ();
> +
>/* It is better to set the root device as soon as possible,
> for convenience. */
>grub_set_prefix_and_root ();
> diff --git a/grub-core/kern/rescue_reader.c b/grub-core/kern/rescue_reader.c
> index dcd7d4439..4259857ba 100644
> --- a/grub-core/kern/rescue_reader.c
> +++ b/grub-core/kern/rescue_reader.c
> @@ -78,6 +78,19 @@ grub_rescue_read_line (char **line, int cont,
> void __attribute__ ((noreturn))
> grub_rescue_run (void)
> {
> + /* Stall if the CLI has been disabled */
> + if (grub_is_cli_disabled ())
> +{
> + grub_printf ("Rescue mode has been disabled...\n");
> +
> + do
> + {
> + /* Do not optimize out the loop. */
> + asm volatile ("");
> + }
> + while (1);
> +}
> +
>grub_printf ("Entering rescue mode...\n");
>
>while (1)
> diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
> index 517fc623f..d94020186 100644
> --- a/grub-core/normal/auth.c
> +++ b/grub-core/normal/auth.c
> @@ -209,6 +209,9 @@ grub_auth_check_authentication (const char *userlist)
>char entered[GRUB_AUTH_MAX_PASSLEN];
>struct grub_auth_user *user;
>
> + if (grub_is_cli_disabled ())
> +return GRUB_ACCESS_DENIED;
> +
>grub_memset (login, 0, sizeof (login));
>
>if (is_authenticated (userlist))
> diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
> index b1321eb26..9c383e64a 100644
> --- a/grub-core/normal/menu_text.c
> +++ b/grub-core/normal/menu_text.c
> @@ -178,21 +178,24 @@ command-line or ESC to discard edits and return to the
> GRUB menu."),
>
>grub_free (msg_translated);
>
> - if (nested)
> + if (!grub_is_cli_disabled ())
> {
> - ret += grub_print_message_indented_real
> - (_("Press enter to boot the selected OS, "
> - "`e' to edit the commands before booting "
> - "or `c' for a command-line. ESC to return previous
Re: [PATCH] cli_lock: Added build option to block command line interface
Le ven. 26 janv. 2024, 23:15, Daniel Kiper a écrit : > On Fri, Jan 26, 2024 at 02:12:31AM +0300, Vladimir 'phcoder' Serbinenko > wrote: > > Please detail your use case. GRUB already had user framework in the same > > problem space. > > I am not sure what exactly you mean by "user framework". Could you > elaborate or point us code examples? > https://www.gnu.org/software/grub/manual/grub/grub.html#Authentication-and-authorisation > > Anyway, we need a mechanism to disallow access to CLI, arguments editing > for kernels, etc. I.e. user cannot change widely understood boot config > even being at the console. > Yes and it's exactly what happens as soon as superuser is set. Basically this patch is equivalent to having a superuser without a valid password. AFAIR it's achieved by setting superuser's but not issuing password commands. If not we can have password_deny command. > > Daniel > > ___ > Grub-devel mailing list > Grub-devel@gnu.org > https://lists.gnu.org/mailman/listinfo/grub-devel > ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH] cli_lock: Added build option to block command line interface
On Fri, Jan 26, 2024 at 02:12:31AM +0300, Vladimir 'phcoder' Serbinenko wrote: > Please detail your use case. GRUB already had user framework in the same > problem space. I am not sure what exactly you mean by "user framework". Could you elaborate or point us code examples? Anyway, we need a mechanism to disallow access to CLI, arguments editing for kernels, etc. I.e. user cannot change widely understood boot config even being at the console. Daniel ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH] cli_lock: Added build option to block command line interface
On Wed, Jan 24, 2024 at 08:28:39AM +0100, Olaf Hering wrote: > Wed, 24 Jan 2024 06:26:37 + Alec Brown : > > > +static bool cli_disabled = false; > > Are there any other values than zero for "false"? > If not, the initialization can be removed. Even if you are technically correct I think we should not drop this initialization to make code clear at first glance. Daniel ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH] cli_lock: Added build option to block command line interface
Please detail your use case. GRUB already had user framework in the same
problem space.
Le mer. 24 janv. 2024, 09:27, Alec Brown a écrit :
> Added functionality to disable command line interface access and editing
> of GRUB
> menu entries if GRUB image is built with --disable-cli.
>
> Signed-off-by: Alec Brown
> ---
> docs/grub.texi | 6 --
> grub-core/kern/main.c | 28
> grub-core/kern/rescue_reader.c | 13 +
> grub-core/normal/auth.c| 3 +++
> grub-core/normal/menu_text.c | 31 +--
> include/grub/kernel.h | 3 ++-
> include/grub/misc.h| 2 ++
> include/grub/util/install.h| 8 ++--
> util/grub-install-common.c | 11 ---
> util/grub-mkimage.c| 9 -
> util/mkimage.c | 16 +++-
> 11 files changed, 106 insertions(+), 24 deletions(-)
>
> diff --git a/docs/grub.texi b/docs/grub.texi
> index a225f9a88..96ab17d5b 100644
> --- a/docs/grub.texi
> +++ b/docs/grub.texi
> @@ -6412,8 +6412,10 @@ the GRUB command line, edit menu entries, and
> execute any menu entry. If
> @samp{superusers} is set, then use of the command line and editing of menu
> entries are automatically restricted to superusers. Setting
> @samp{superusers}
> to empty string effectively disables both access to CLI and editing of
> menu
> -entries. Note: The environment variable needs to be exported to also
> affect
> -the section defined by the @samp{submenu} command (@pxref{submenu}).
> +entries. Building a grub image with @samp{--disable-cli} option will also
> +disable access to CLI and editing of menu entries, as well as disabling
> rescue
> +mode. Note: The environment variable needs to be exported to also affect
> the
> +section defined by the @samp{submenu} command (@pxref{submenu}).
>
> Other users may be allowed to execute specific menu entries by giving a
> list of
> usernames (as above) using the @option{--users} option to the
> diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
> index 731c07c29..30643164e 100644
> --- a/grub-core/kern/main.c
> +++ b/grub-core/kern/main.c
> @@ -30,11 +30,14 @@
> #include
> #include
> #include
> +#include
>
> #ifdef GRUB_MACHINE_PCBIOS
> #include
> #endif
>
> +static bool cli_disabled = false;
> +
> grub_addr_t
> grub_modules_get_end (void)
> {
> @@ -237,6 +240,28 @@ grub_load_normal_mode (void)
>grub_command_execute ("normal", 0, 0);
> }
>
> +bool
> +grub_is_cli_disabled (void)
> +{
> + return cli_disabled;
> +}
> +
> +static void
> +check_is_cli_disabled (void)
> +{
> + struct grub_module_header *header;
> + header = 0;
> +
> + FOR_MODULES (header)
> +{
> + if (header->type == OBJ_TYPE_DISABLE_CLI)
> + {
> + cli_disabled = true;
> + return;
> + }
> +}
> +}
> +
> static void
> reclaim_module_space (void)
> {
> @@ -294,6 +319,9 @@ grub_main (void)
>
>grub_boot_time ("After loading embedded modules.");
>
> + /* Check if the CLI should be disabled */
> + check_is_cli_disabled ();
> +
>/* It is better to set the root device as soon as possible,
> for convenience. */
>grub_set_prefix_and_root ();
> diff --git a/grub-core/kern/rescue_reader.c
> b/grub-core/kern/rescue_reader.c
> index dcd7d4439..4259857ba 100644
> --- a/grub-core/kern/rescue_reader.c
> +++ b/grub-core/kern/rescue_reader.c
> @@ -78,6 +78,19 @@ grub_rescue_read_line (char **line, int cont,
> void __attribute__ ((noreturn))
> grub_rescue_run (void)
> {
> + /* Stall if the CLI has been disabled */
> + if (grub_is_cli_disabled ())
> +{
> + grub_printf ("Rescue mode has been disabled...\n");
> +
> + do
> + {
> + /* Do not optimize out the loop. */
> + asm volatile ("");
> + }
> + while (1);
> +}
> +
>grub_printf ("Entering rescue mode...\n");
>
>while (1)
> diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
> index 517fc623f..d94020186 100644
> --- a/grub-core/normal/auth.c
> +++ b/grub-core/normal/auth.c
> @@ -209,6 +209,9 @@ grub_auth_check_authentication (const char *userlist)
>char entered[GRUB_AUTH_MAX_PASSLEN];
>struct grub_auth_user *user;
>
> + if (grub_is_cli_disabled ())
> +return GRUB_ACCESS_DENIED;
> +
>grub_memset (login, 0, sizeof (login));
>
>if (is_authenticated (userlist))
> diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
> index b1321eb26..9c383e64a 100644
> --- a/grub-core/normal/menu_text.c
> +++ b/grub-core/normal/menu_text.c
> @@ -178,21 +178,24 @@ command-line or ESC to discard edits and return to
> the GRUB menu."),
>
>grub_free (msg_translated);
>
> - if (nested)
> + if (!grub_is_cli_disabled ())
> {
> - ret += grub_print_message_indented_real
> - (_("Press enter to boot the selected OS, "
> - "`e' to edit the commands before booting "
> -
Re: [PATCH] cli_lock: Added build option to block command line interface
Wed, 24 Jan 2024 06:26:37 + Alec Brown : > +static bool cli_disabled = false; Are there any other values than zero for "false"? If not, the initialization can be removed. Olaf pgpyCy0AM4E27.pgp Description: Digitale Signatur von OpenPGP ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH] cli_lock: Added build option to block command line interface
Added functionality to disable command line interface access and editing of GRUB
menu entries if GRUB image is built with --disable-cli.
Signed-off-by: Alec Brown
---
docs/grub.texi | 6 --
grub-core/kern/main.c | 28
grub-core/kern/rescue_reader.c | 13 +
grub-core/normal/auth.c| 3 +++
grub-core/normal/menu_text.c | 31 +--
include/grub/kernel.h | 3 ++-
include/grub/misc.h| 2 ++
include/grub/util/install.h| 8 ++--
util/grub-install-common.c | 11 ---
util/grub-mkimage.c| 9 -
util/mkimage.c | 16 +++-
11 files changed, 106 insertions(+), 24 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index a225f9a88..96ab17d5b 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -6412,8 +6412,10 @@ the GRUB command line, edit menu entries, and execute
any menu entry. If
@samp{superusers} is set, then use of the command line and editing of menu
entries are automatically restricted to superusers. Setting @samp{superusers}
to empty string effectively disables both access to CLI and editing of menu
-entries. Note: The environment variable needs to be exported to also affect
-the section defined by the @samp{submenu} command (@pxref{submenu}).
+entries. Building a grub image with @samp{--disable-cli} option will also
+disable access to CLI and editing of menu entries, as well as disabling rescue
+mode. Note: The environment variable needs to be exported to also affect the
+section defined by the @samp{submenu} command (@pxref{submenu}).
Other users may be allowed to execute specific menu entries by giving a list of
usernames (as above) using the @option{--users} option to the
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
index 731c07c29..30643164e 100644
--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
@@ -30,11 +30,14 @@
#include
#include
#include
+#include
#ifdef GRUB_MACHINE_PCBIOS
#include
#endif
+static bool cli_disabled = false;
+
grub_addr_t
grub_modules_get_end (void)
{
@@ -237,6 +240,28 @@ grub_load_normal_mode (void)
grub_command_execute ("normal", 0, 0);
}
+bool
+grub_is_cli_disabled (void)
+{
+ return cli_disabled;
+}
+
+static void
+check_is_cli_disabled (void)
+{
+ struct grub_module_header *header;
+ header = 0;
+
+ FOR_MODULES (header)
+{
+ if (header->type == OBJ_TYPE_DISABLE_CLI)
+ {
+ cli_disabled = true;
+ return;
+ }
+}
+}
+
static void
reclaim_module_space (void)
{
@@ -294,6 +319,9 @@ grub_main (void)
grub_boot_time ("After loading embedded modules.");
+ /* Check if the CLI should be disabled */
+ check_is_cli_disabled ();
+
/* It is better to set the root device as soon as possible,
for convenience. */
grub_set_prefix_and_root ();
diff --git a/grub-core/kern/rescue_reader.c b/grub-core/kern/rescue_reader.c
index dcd7d4439..4259857ba 100644
--- a/grub-core/kern/rescue_reader.c
+++ b/grub-core/kern/rescue_reader.c
@@ -78,6 +78,19 @@ grub_rescue_read_line (char **line, int cont,
void __attribute__ ((noreturn))
grub_rescue_run (void)
{
+ /* Stall if the CLI has been disabled */
+ if (grub_is_cli_disabled ())
+{
+ grub_printf ("Rescue mode has been disabled...\n");
+
+ do
+ {
+ /* Do not optimize out the loop. */
+ asm volatile ("");
+ }
+ while (1);
+}
+
grub_printf ("Entering rescue mode...\n");
while (1)
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
index 517fc623f..d94020186 100644
--- a/grub-core/normal/auth.c
+++ b/grub-core/normal/auth.c
@@ -209,6 +209,9 @@ grub_auth_check_authentication (const char *userlist)
char entered[GRUB_AUTH_MAX_PASSLEN];
struct grub_auth_user *user;
+ if (grub_is_cli_disabled ())
+return GRUB_ACCESS_DENIED;
+
grub_memset (login, 0, sizeof (login));
if (is_authenticated (userlist))
diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
index b1321eb26..9c383e64a 100644
--- a/grub-core/normal/menu_text.c
+++ b/grub-core/normal/menu_text.c
@@ -178,21 +178,24 @@ command-line or ESC to discard edits and return to the
GRUB menu."),
grub_free (msg_translated);
- if (nested)
+ if (!grub_is_cli_disabled ())
{
- ret += grub_print_message_indented_real
- (_("Press enter to boot the selected OS, "
- "`e' to edit the commands before booting "
- "or `c' for a command-line. ESC to return previous menu."),
-STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
- }
- else
- {
- ret += grub_print_message_indented_real
- (_("Press enter to boot the selected OS, "
- "`e' to edit the commands before booting "
- "or `c' for a command-line."),
-STANDARD_MARGIN, STANDARD_MARGIN, term,
