Re: [PATCH] cli_lock: Added build option to block command line interface
On Wed, Jan 24, 2024 at 06:26:37AM +, Alec Brown wrote: > Added functionality to disable command line interface access and editing of > GRUB > menu entries if GRUB image is built with --disable-cli. > > Signed-off-by: Alec Brown Reviewed-by: Daniel Kiper Daniel ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH] cli_lock: Added build option to block command line interface
Reviewed-By: Vladimir Serbinenko On Wed, Jan 24, 2024 at 9:27 AM Alec Brown wrote: > > Added functionality to disable command line interface access and editing of > GRUB > menu entries if GRUB image is built with --disable-cli. > > Signed-off-by: Alec Brown > --- > docs/grub.texi | 6 -- > grub-core/kern/main.c | 28 > grub-core/kern/rescue_reader.c | 13 + > grub-core/normal/auth.c| 3 +++ > grub-core/normal/menu_text.c | 31 +-- > include/grub/kernel.h | 3 ++- > include/grub/misc.h| 2 ++ > include/grub/util/install.h| 8 ++-- > util/grub-install-common.c | 11 --- > util/grub-mkimage.c| 9 - > util/mkimage.c | 16 +++- > 11 files changed, 106 insertions(+), 24 deletions(-) > > diff --git a/docs/grub.texi b/docs/grub.texi > index a225f9a88..96ab17d5b 100644 > --- a/docs/grub.texi > +++ b/docs/grub.texi > @@ -6412,8 +6412,10 @@ the GRUB command line, edit menu entries, and execute > any menu entry. If > @samp{superusers} is set, then use of the command line and editing of menu > entries are automatically restricted to superusers. Setting @samp{superusers} > to empty string effectively disables both access to CLI and editing of menu > -entries. Note: The environment variable needs to be exported to also affect > -the section defined by the @samp{submenu} command (@pxref{submenu}). > +entries. Building a grub image with @samp{--disable-cli} option will also > +disable access to CLI and editing of menu entries, as well as disabling > rescue > +mode. Note: The environment variable needs to be exported to also affect the > +section defined by the @samp{submenu} command (@pxref{submenu}). > > Other users may be allowed to execute specific menu entries by giving a list > of > usernames (as above) using the @option{--users} option to the > diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c > index 731c07c29..30643164e 100644 > --- a/grub-core/kern/main.c > +++ b/grub-core/kern/main.c > @@ -30,11 +30,14 @@ > #include > #include > #include > +#include > > #ifdef GRUB_MACHINE_PCBIOS > #include > #endif > > +static bool cli_disabled = false; > + > grub_addr_t > grub_modules_get_end (void) > { > @@ -237,6 +240,28 @@ grub_load_normal_mode (void) >grub_command_execute ("normal", 0, 0); > } > > +bool > +grub_is_cli_disabled (void) > +{ > + return cli_disabled; > +} > + > +static void > +check_is_cli_disabled (void) > +{ > + struct grub_module_header *header; > + header = 0; > + > + FOR_MODULES (header) > +{ > + if (header->type == OBJ_TYPE_DISABLE_CLI) > + { > + cli_disabled = true; > + return; > + } > +} > +} > + > static void > reclaim_module_space (void) > { > @@ -294,6 +319,9 @@ grub_main (void) > >grub_boot_time ("After loading embedded modules."); > > + /* Check if the CLI should be disabled */ > + check_is_cli_disabled (); > + >/* It is better to set the root device as soon as possible, > for convenience. */ >grub_set_prefix_and_root (); > diff --git a/grub-core/kern/rescue_reader.c b/grub-core/kern/rescue_reader.c > index dcd7d4439..4259857ba 100644 > --- a/grub-core/kern/rescue_reader.c > +++ b/grub-core/kern/rescue_reader.c > @@ -78,6 +78,19 @@ grub_rescue_read_line (char **line, int cont, > void __attribute__ ((noreturn)) > grub_rescue_run (void) > { > + /* Stall if the CLI has been disabled */ > + if (grub_is_cli_disabled ()) > +{ > + grub_printf ("Rescue mode has been disabled...\n"); > + > + do > + { > + /* Do not optimize out the loop. */ > + asm volatile (""); > + } > + while (1); > +} > + >grub_printf ("Entering rescue mode...\n"); > >while (1) > diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c > index 517fc623f..d94020186 100644 > --- a/grub-core/normal/auth.c > +++ b/grub-core/normal/auth.c > @@ -209,6 +209,9 @@ grub_auth_check_authentication (const char *userlist) >char entered[GRUB_AUTH_MAX_PASSLEN]; >struct grub_auth_user *user; > > + if (grub_is_cli_disabled ()) > +return GRUB_ACCESS_DENIED; > + >grub_memset (login, 0, sizeof (login)); > >if (is_authenticated (userlist)) > diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c > index b1321eb26..9c383e64a 100644 > --- a/grub-core/normal/menu_text.c > +++ b/grub-core/normal/menu_text.c > @@ -178,21 +178,24 @@ command-line or ESC to discard edits and return to the > GRUB menu."), > >grub_free (msg_translated); > > - if (nested) > + if (!grub_is_cli_disabled ()) > { > - ret += grub_print_message_indented_real > - (_("Press enter to boot the selected OS, " > - "`e' to edit the commands before booting " > - "or `c' for a command-line. ESC to return previous
Re: [PATCH] cli_lock: Added build option to block command line interface
Le ven. 26 janv. 2024, 23:15, Daniel Kiper a écrit : > On Fri, Jan 26, 2024 at 02:12:31AM +0300, Vladimir 'phcoder' Serbinenko > wrote: > > Please detail your use case. GRUB already had user framework in the same > > problem space. > > I am not sure what exactly you mean by "user framework". Could you > elaborate or point us code examples? > https://www.gnu.org/software/grub/manual/grub/grub.html#Authentication-and-authorisation > > Anyway, we need a mechanism to disallow access to CLI, arguments editing > for kernels, etc. I.e. user cannot change widely understood boot config > even being at the console. > Yes and it's exactly what happens as soon as superuser is set. Basically this patch is equivalent to having a superuser without a valid password. AFAIR it's achieved by setting superuser's but not issuing password commands. If not we can have password_deny command. > > Daniel > > ___ > Grub-devel mailing list > Grub-devel@gnu.org > https://lists.gnu.org/mailman/listinfo/grub-devel > ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH] cli_lock: Added build option to block command line interface
On Fri, Jan 26, 2024 at 02:12:31AM +0300, Vladimir 'phcoder' Serbinenko wrote: > Please detail your use case. GRUB already had user framework in the same > problem space. I am not sure what exactly you mean by "user framework". Could you elaborate or point us code examples? Anyway, we need a mechanism to disallow access to CLI, arguments editing for kernels, etc. I.e. user cannot change widely understood boot config even being at the console. Daniel ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH] cli_lock: Added build option to block command line interface
On Wed, Jan 24, 2024 at 08:28:39AM +0100, Olaf Hering wrote: > Wed, 24 Jan 2024 06:26:37 + Alec Brown : > > > +static bool cli_disabled = false; > > Are there any other values than zero for "false"? > If not, the initialization can be removed. Even if you are technically correct I think we should not drop this initialization to make code clear at first glance. Daniel ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH] cli_lock: Added build option to block command line interface
Please detail your use case. GRUB already had user framework in the same problem space. Le mer. 24 janv. 2024, 09:27, Alec Brown a écrit : > Added functionality to disable command line interface access and editing > of GRUB > menu entries if GRUB image is built with --disable-cli. > > Signed-off-by: Alec Brown > --- > docs/grub.texi | 6 -- > grub-core/kern/main.c | 28 > grub-core/kern/rescue_reader.c | 13 + > grub-core/normal/auth.c| 3 +++ > grub-core/normal/menu_text.c | 31 +-- > include/grub/kernel.h | 3 ++- > include/grub/misc.h| 2 ++ > include/grub/util/install.h| 8 ++-- > util/grub-install-common.c | 11 --- > util/grub-mkimage.c| 9 - > util/mkimage.c | 16 +++- > 11 files changed, 106 insertions(+), 24 deletions(-) > > diff --git a/docs/grub.texi b/docs/grub.texi > index a225f9a88..96ab17d5b 100644 > --- a/docs/grub.texi > +++ b/docs/grub.texi > @@ -6412,8 +6412,10 @@ the GRUB command line, edit menu entries, and > execute any menu entry. If > @samp{superusers} is set, then use of the command line and editing of menu > entries are automatically restricted to superusers. Setting > @samp{superusers} > to empty string effectively disables both access to CLI and editing of > menu > -entries. Note: The environment variable needs to be exported to also > affect > -the section defined by the @samp{submenu} command (@pxref{submenu}). > +entries. Building a grub image with @samp{--disable-cli} option will also > +disable access to CLI and editing of menu entries, as well as disabling > rescue > +mode. Note: The environment variable needs to be exported to also affect > the > +section defined by the @samp{submenu} command (@pxref{submenu}). > > Other users may be allowed to execute specific menu entries by giving a > list of > usernames (as above) using the @option{--users} option to the > diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c > index 731c07c29..30643164e 100644 > --- a/grub-core/kern/main.c > +++ b/grub-core/kern/main.c > @@ -30,11 +30,14 @@ > #include > #include > #include > +#include > > #ifdef GRUB_MACHINE_PCBIOS > #include > #endif > > +static bool cli_disabled = false; > + > grub_addr_t > grub_modules_get_end (void) > { > @@ -237,6 +240,28 @@ grub_load_normal_mode (void) >grub_command_execute ("normal", 0, 0); > } > > +bool > +grub_is_cli_disabled (void) > +{ > + return cli_disabled; > +} > + > +static void > +check_is_cli_disabled (void) > +{ > + struct grub_module_header *header; > + header = 0; > + > + FOR_MODULES (header) > +{ > + if (header->type == OBJ_TYPE_DISABLE_CLI) > + { > + cli_disabled = true; > + return; > + } > +} > +} > + > static void > reclaim_module_space (void) > { > @@ -294,6 +319,9 @@ grub_main (void) > >grub_boot_time ("After loading embedded modules."); > > + /* Check if the CLI should be disabled */ > + check_is_cli_disabled (); > + >/* It is better to set the root device as soon as possible, > for convenience. */ >grub_set_prefix_and_root (); > diff --git a/grub-core/kern/rescue_reader.c > b/grub-core/kern/rescue_reader.c > index dcd7d4439..4259857ba 100644 > --- a/grub-core/kern/rescue_reader.c > +++ b/grub-core/kern/rescue_reader.c > @@ -78,6 +78,19 @@ grub_rescue_read_line (char **line, int cont, > void __attribute__ ((noreturn)) > grub_rescue_run (void) > { > + /* Stall if the CLI has been disabled */ > + if (grub_is_cli_disabled ()) > +{ > + grub_printf ("Rescue mode has been disabled...\n"); > + > + do > + { > + /* Do not optimize out the loop. */ > + asm volatile (""); > + } > + while (1); > +} > + >grub_printf ("Entering rescue mode...\n"); > >while (1) > diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c > index 517fc623f..d94020186 100644 > --- a/grub-core/normal/auth.c > +++ b/grub-core/normal/auth.c > @@ -209,6 +209,9 @@ grub_auth_check_authentication (const char *userlist) >char entered[GRUB_AUTH_MAX_PASSLEN]; >struct grub_auth_user *user; > > + if (grub_is_cli_disabled ()) > +return GRUB_ACCESS_DENIED; > + >grub_memset (login, 0, sizeof (login)); > >if (is_authenticated (userlist)) > diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c > index b1321eb26..9c383e64a 100644 > --- a/grub-core/normal/menu_text.c > +++ b/grub-core/normal/menu_text.c > @@ -178,21 +178,24 @@ command-line or ESC to discard edits and return to > the GRUB menu."), > >grub_free (msg_translated); > > - if (nested) > + if (!grub_is_cli_disabled ()) > { > - ret += grub_print_message_indented_real > - (_("Press enter to boot the selected OS, " > - "`e' to edit the commands before booting " > -
Re: [PATCH] cli_lock: Added build option to block command line interface
Wed, 24 Jan 2024 06:26:37 + Alec Brown : > +static bool cli_disabled = false; Are there any other values than zero for "false"? If not, the initialization can be removed. Olaf pgpyCy0AM4E27.pgp Description: Digitale Signatur von OpenPGP ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH] cli_lock: Added build option to block command line interface
Added functionality to disable command line interface access and editing of GRUB menu entries if GRUB image is built with --disable-cli. Signed-off-by: Alec Brown --- docs/grub.texi | 6 -- grub-core/kern/main.c | 28 grub-core/kern/rescue_reader.c | 13 + grub-core/normal/auth.c| 3 +++ grub-core/normal/menu_text.c | 31 +-- include/grub/kernel.h | 3 ++- include/grub/misc.h| 2 ++ include/grub/util/install.h| 8 ++-- util/grub-install-common.c | 11 --- util/grub-mkimage.c| 9 - util/mkimage.c | 16 +++- 11 files changed, 106 insertions(+), 24 deletions(-) diff --git a/docs/grub.texi b/docs/grub.texi index a225f9a88..96ab17d5b 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -6412,8 +6412,10 @@ the GRUB command line, edit menu entries, and execute any menu entry. If @samp{superusers} is set, then use of the command line and editing of menu entries are automatically restricted to superusers. Setting @samp{superusers} to empty string effectively disables both access to CLI and editing of menu -entries. Note: The environment variable needs to be exported to also affect -the section defined by the @samp{submenu} command (@pxref{submenu}). +entries. Building a grub image with @samp{--disable-cli} option will also +disable access to CLI and editing of menu entries, as well as disabling rescue +mode. Note: The environment variable needs to be exported to also affect the +section defined by the @samp{submenu} command (@pxref{submenu}). Other users may be allowed to execute specific menu entries by giving a list of usernames (as above) using the @option{--users} option to the diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c index 731c07c29..30643164e 100644 --- a/grub-core/kern/main.c +++ b/grub-core/kern/main.c @@ -30,11 +30,14 @@ #include #include #include +#include #ifdef GRUB_MACHINE_PCBIOS #include #endif +static bool cli_disabled = false; + grub_addr_t grub_modules_get_end (void) { @@ -237,6 +240,28 @@ grub_load_normal_mode (void) grub_command_execute ("normal", 0, 0); } +bool +grub_is_cli_disabled (void) +{ + return cli_disabled; +} + +static void +check_is_cli_disabled (void) +{ + struct grub_module_header *header; + header = 0; + + FOR_MODULES (header) +{ + if (header->type == OBJ_TYPE_DISABLE_CLI) + { + cli_disabled = true; + return; + } +} +} + static void reclaim_module_space (void) { @@ -294,6 +319,9 @@ grub_main (void) grub_boot_time ("After loading embedded modules."); + /* Check if the CLI should be disabled */ + check_is_cli_disabled (); + /* It is better to set the root device as soon as possible, for convenience. */ grub_set_prefix_and_root (); diff --git a/grub-core/kern/rescue_reader.c b/grub-core/kern/rescue_reader.c index dcd7d4439..4259857ba 100644 --- a/grub-core/kern/rescue_reader.c +++ b/grub-core/kern/rescue_reader.c @@ -78,6 +78,19 @@ grub_rescue_read_line (char **line, int cont, void __attribute__ ((noreturn)) grub_rescue_run (void) { + /* Stall if the CLI has been disabled */ + if (grub_is_cli_disabled ()) +{ + grub_printf ("Rescue mode has been disabled...\n"); + + do + { + /* Do not optimize out the loop. */ + asm volatile (""); + } + while (1); +} + grub_printf ("Entering rescue mode...\n"); while (1) diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c index 517fc623f..d94020186 100644 --- a/grub-core/normal/auth.c +++ b/grub-core/normal/auth.c @@ -209,6 +209,9 @@ grub_auth_check_authentication (const char *userlist) char entered[GRUB_AUTH_MAX_PASSLEN]; struct grub_auth_user *user; + if (grub_is_cli_disabled ()) +return GRUB_ACCESS_DENIED; + grub_memset (login, 0, sizeof (login)); if (is_authenticated (userlist)) diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c index b1321eb26..9c383e64a 100644 --- a/grub-core/normal/menu_text.c +++ b/grub-core/normal/menu_text.c @@ -178,21 +178,24 @@ command-line or ESC to discard edits and return to the GRUB menu."), grub_free (msg_translated); - if (nested) + if (!grub_is_cli_disabled ()) { - ret += grub_print_message_indented_real - (_("Press enter to boot the selected OS, " - "`e' to edit the commands before booting " - "or `c' for a command-line. ESC to return previous menu."), -STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run); - } - else - { - ret += grub_print_message_indented_real - (_("Press enter to boot the selected OS, " - "`e' to edit the commands before booting " - "or `c' for a command-line."), -STANDARD_MARGIN, STANDARD_MARGIN, term,