I was thinking that an empty whitelist should implicitly *allow* all. The presence of one or more variables in the whitelist is a signal that the user cares and explicitly disallows anything not in the whitelist. I think this is totally compatible with any existing grub.cfg, unless somebody has some junk similar to load_env [-f FILE] junk1 junk2... The existing code in loadenv.c:grub_cmd_load_env() doesn't even look at argc, so I think it would ignore such junk.
I have some other feedback from irc that I will incorporate, and do a v4 of these patches. The v3 changes to loadenv.c don't completely make sense, as I was trying to react to Andrey's feedback before he realized the whitelist wasn't already implemented.

Thanks,
-Jon

On Thu, Sep 19, 2013 at 3:12 AM, Andrey Borzenkov <arvidj...@gmail.com> wrote:

> On Mon, 9 Sep 2013 08:34:10 -0700
> Jonathan McCune <jonmcc...@google.com> wrote:
>
> > > Now if you could come up with solution that maintains compatibility
> > > with existing grub.cfg, that would be valid reason. But right now
> > > grub.cfg must be changed anyway at which point just save untrusted
> > > variables separately from trusted.
> >
> > I don't think my changes break compatibility with anybody's existing
> > grub.cfg. Can you be more specific?
>
> Currently grub.cfg loads all variables from environment block. Your
> change would require changing it to load only whitelisted variables.
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
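The whitelist semantics Jon proposes above (an empty whitelist allows every variable in the environment block; a non-empty one imports only the listed names) can be modelled in a few dozen lines. The following is an added illustration written for this thread, not GRUB's loadenv.c and not any of the posted patches: it parses a simplified grubenv-style block of NAME=VALUE lines (lines starting with '#' are comments or padding), applies the whitelist, and reports which variables would be set. The function names, the fixed buffer sizes and the sample block are all assumptions made for the example. The security point it shows is that the environment block is writable, unsigned data, so the whitelist is what bounds which variables that data can set.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the proposed load_env whitelist policy (not GRUB code).
 * Buffer sizes and the block format are simplified assumptions. */
#define MAX_VARS  32
#define MAX_NAME  64
#define MAX_VALUE 128

struct env_var {
    char name[MAX_NAME];
    char value[MAX_VALUE];
};

/* Policy: an empty whitelist allows all names; otherwise only listed names. */
static bool env_name_allowed(const char *name, const char **whitelist, size_t n)
{
    if (n == 0)
        return true;              /* empty whitelist: implicit allow-all */
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, whitelist[i]) == 0)
            return true;
    return false;                 /* anything not listed is dropped */
}

/* Parse BLOCK (NAME=VALUE lines, '#' lines ignored) and copy the variables
 * that pass the whitelist into OUT. Returns the number imported, or -1 on a
 * malformed line, an oversized name/value, or too many variables. */
static int load_env_filtered(const char *block, const char **whitelist, size_t n,
                             struct env_var *out, size_t max_out)
{
    int count = 0;
    const char *p = block;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len > 0 && *p != '#') {
            const char *eq = memchr(p, '=', len);
            if (!eq || eq == p)
                return -1;                        /* no '=' or empty name */
            size_t nlen = (size_t)(eq - p);
            size_t vlen = len - nlen - 1;
            if (nlen >= MAX_NAME || vlen >= MAX_VALUE)
                return -1;                        /* would not fit */

            char name[MAX_NAME];
            memcpy(name, p, nlen);
            name[nlen] = '\0';

            if (env_name_allowed(name, whitelist, n)) {
                if ((size_t)count >= max_out)
                    return -1;
                memcpy(out[count].name, name, nlen + 1);
                memcpy(out[count].value, eq + 1, vlen);
                out[count].value[vlen] = '\0';
                count++;
            }
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return count;
}

/* Convenience wrappers used by the demo (and by tests). */
static int imported_count(const char *block, const char **whitelist, size_t n)
{
    struct env_var vars[MAX_VARS];
    return load_env_filtered(block, whitelist, n, vars, MAX_VARS);
}

/* Returns the imported value of NAME, or NULL if the whitelist dropped it. */
static const char *imported_value(const char *block, const char **whitelist,
                                  size_t n, const char *name)
{
    static struct env_var vars[MAX_VARS];
    int count = load_env_filtered(block, whitelist, n, vars, MAX_VARS);
    for (int i = 0; i < count; i++)
        if (strcmp(vars[i].name, name) == 0)
            return vars[i].value;
    return NULL;
}

/* Constructed sample environment block, in the shape of a grubenv file. */
static const char SAMPLE_BLOCK[] =
    "# GRUB Environment Block\n"
    "next_entry=1\n"
    "saved_entry=0\n"
    "boot_once=true\n"
    "#######";

int main(void)
{
    const char *wl[] = { "saved_entry" };
    struct env_var vars[MAX_VARS];

    int all = load_env_filtered(SAMPLE_BLOCK, NULL, 0, vars, MAX_VARS);
    printf("empty whitelist: %d variables imported\n", all);

    int some = load_env_filtered(SAMPLE_BLOCK, wl, 1, vars, MAX_VARS);
    printf("whitelist {saved_entry}: %d variable(s) imported\n", some);
    for (int i = 0; i < some; i++)
        printf("  %s=%s\n", vars[i].name, vars[i].value);
    return 0;
}
```

With no whitelist all three sample variables are imported, which matches the compatibility argument in the thread; with `saved_entry` whitelisted, `next_entry` and `boot_once` from the same block are silently dropped rather than set.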