diff --git a/.gitignore b/.gitignore
index f072794..02903bf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,9 @@
 SOURCES/grub-2.02.tar.xz
+SOURCES/redhatsecureboot301.cer
+SOURCES/redhatsecureboot502.cer
+SOURCES/redhatsecureboot601.cer
+SOURCES/redhatsecureboot701.cer
+SOURCES/redhatsecurebootca3.cer
+SOURCES/redhatsecurebootca5.cer
 SOURCES/theme.tar.bz2
-SOURCES/unifont-5.1.20080820.pcf.gz
+SOURCES/unifont-5.1.20080820.pcf.gz
\ No newline at end of file
diff --git a/.grub2.metadata b/.grub2.metadata
index 3bb3b94..c0c9b64 100644
--- a/.grub2.metadata
+++ b/.grub2.metadata
@@ -1,3 +1,9 @@
 3d7eb6eaab28b88cb969ba9ab24af959f4d1b178 SOURCES/grub-2.02.tar.xz
+4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer
+3f94c47f1d08bacc7cb29bdd912e286b8d2f6fcf SOURCES/redhatsecureboot502.cer
+039357ef97aab3e484d1119edd4528156f5859e6 SOURCES/redhatsecureboot601.cer
+e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot701.cer
+cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
+e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
 cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2
 87f8600ba24e521b5d20bdf6c4b71af8ae861e3a SOURCES/unifont-5.1.20080820.pcf.gz
diff --git a/SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch b/SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
new file mode 100644
index 0000000..8c7d4cf
--- /dev/null
+++ b/SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Thu, 19 Sep 2024 10:15:13 -0600
+Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
+
+Stricker permissions are required on the grub.cfg file, resulting in
+at most 0600 owner's file permissions. This resolves conflicting
+requirement permissions on grub2-pc package's grub2.cfg file.
+
+Signed-off-by: Leo Sandoval
+---
+ util/grub-mkconfig.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index a1c00776d..573004915 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -317,7 +317,7 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
+- oldumask=$(umask); umask 077
++ oldumask=$(umask); umask 177
+ cat ${grub_cfg}.new > ${grub_cfg}
+ umask $oldumask
+ rm -f ${grub_cfg}.new
diff --git a/SOURCES/20-grub.install b/SOURCES/20-grub.install
index dd2018a..2bb65b8 100755
--- a/SOURCES/20-grub.install
+++ b/SOURCES/20-grub.install
@@ -90,13 +90,10 @@ case "$COMMAND" in
 [[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
 BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
 BLS_TARGET="${BLS_DIR}/${BLS_ID}.conf"
- if [[ -f "${KERNEL_DIR}/bls.conf" ]]; then
- cp -aT "${KERNEL_DIR}/bls.conf" "${BLS_TARGET}" || exit $?
- else
- mkbls "${KERNEL_VERSION}" \
- "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
- >"${BLS_TARGET}"
- fi
+ mkbls "${KERNEL_VERSION}" \
+ "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
+ >"${BLS_TARGET}"
+ command -v restorecon &>/dev/null && restorecon -R "${BLS_TARGET}"
 
 LINUX="$(grep '^linux[ \t]' "${BLS_TARGET}" | sed -e 's,^linux[ \t]*,,')"
 INITRD="$(grep '^initrd[ \t]' "${BLS_TARGET}" | sed -e 's,^initrd[ \t]*,,')"
diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros
index 8baf627..78e43e9 100644
--- a/SOURCES/grub.macros
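Review bot: The new umask value only governs a grub.cfg that the `cat ${grub_cfg}.new > ${grub_cfg}` redirect on the following line has to create; when grub.cfg already exists, the truncating open keeps whatever mode the file has, so an existing 0700 grub.cfg (the mode the old %attr in grub.macros installed) is not changed by a regeneration, and the executable bit the subject line targets is dropped only on first creation or by the spec's %posttrans chmod at package time. A `chmod 0600 ${grub_cfg}` placed after the cat line, in the style of the surrounding lines, would make the resulting mode independent of the file's prior state. The if/else around this block begins and ends outside the hunk. The description's "Stricker permissions" presumably means "Stricter".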
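Review bot: The mkbls call that is now the sole writer of ${BLS_TARGET} has no failure check, whereas the removed cp branch carried `|| exit $?`; if mkbls fails, the redirect still leaves an empty or partial entry file that the LINUX= and INITRD= greps below then read as empty. Appending `|| exit $?` to the `>"${BLS_TARGET}"` line restores the error behaviour the old path had. On the added restorecon line the exit status of restorecon is only acted on if the script runs under set -e, which is not visible in the hunk; otherwise a failed relabel of the new boot entry passes silently, and a short warning on stderr in that case would be cheap. The surrounding case arm begins and ends outside the hunk.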
+++ b/SOURCES/grub.macros
@@ -595,14 +595,15 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig \
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \
 ln -sf ../default/grub \\\
 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \
-touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \
+touch grub.cfg \
+install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/ \
 %{nil}
 
 %define define_legacy_variant_files() \
 %{expand:%%files %{1}} \
 %defattr(-,root,root,-) \
 %config(noreplace) %{_sysconfdir}/%{name}.cfg \
-%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \
+%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \
 %dir %attr(0700,root,root)/boot/loader/entries \
 %ifarch ppc64le \
 %dir %{_libdir}/grub/%{2}/ \
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 505a35f..f4e1ebf 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -588,3 +588,4 @@ Patch0587: 0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
 Patch0588: 0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
 Patch0589: 0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
 Patch0590: 0590-fs-ntfs-Make-code-more-readable.patch
+Patch0591: 0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index bc81f1e..f8feadd 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -11,7 +11,7 @@ Name: grub2
 Epoch: 1
 Version: 2.02
-Release: 156%{?dist}.alma.1
+Release: 158%{?dist}.alma.1
 Summary: Bootloader with support for Linux, Multiboot and more
 Group: System Environment/Base
 License: GPLv3+
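Review bot: `touch grub.cfg \` in the changed macro body creates the placeholder in whatever the current directory is when the macro expands, and touch does not truncate an existing file, so a grub.cfg already present there would be copied into /boot/%{name}/ by the following install line instead of an empty file, and an extra grub.cfg is left behind in the build tree either way. `install -m 0600 /dev/null ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \` creates the empty 0600 file in one step without a working-directory artifact; GNU install accepts /dev/null as an empty source. The macro body continues outside the hunk.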
@@ -312,6 +312,19 @@ if [ "$1" = 2 ]; then
 /sbin/grub2-switch-to-blscfg --backup-suffix=.rpmsave &>/dev/null || :
 fi
 
+%posttrans common
+set -eu
+
+GRUB_HOME=/boot/%{name}
+
+if test -f ${GRUB_HOME}/grub.cfg; then
+ # make sure GRUB_HOME/grub.cfg has 600 permissions
+ GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
+ if ! test "${GRUB_CFG_MODE}" = "600"; then
+ chmod 0600 ${GRUB_HOME}/grub.cfg
+ fi
+fi
+
 %triggerun -- grub2 < 1:1.99-4
 # grub2 < 1.99-4 removed a number of essential files in postun. To fix upgrades
 # from the affected grub2 packages, we first back up the files in triggerun and
@@ -526,9 +539,17 @@ fi
 %endif
 
 %changelog
-* Wed Apr 10 2024 Andrew Lukoshko - 2.02-156.alma.1
+* Tue Nov 05 2024 Eduard Abdullin - 2.02-158.alma.1
 - Debrand for AlmaLinux
 
+* Thu Sep 19 2024 Leo Sandoval - 2.02-158
+- grub-mkconfig.in: turn off executable owner bit
+- Resolves: #RHEL-58835
+
+* Wed Aug 14 2024 Leo Sandoval - 2.02-157
+- 20-grub-install: fix SELinux security type context for BLS
+- Resolves: #RHEL-4395
+
 * Tue Feb 20 2024 Nicolas Frayer - 2.02-156
 - fs/ntfs: OOB write fix
 - (CVE-2023-4692)
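Review bot: `test -f` and `chmod` in the new %posttrans common scriptlet both follow symlinks, so if /boot/%{name}/grub.cfg is ever a symlink — for instance to a config on a vfat ESP, where chmod typically fails — the chmod error combined with set -eu aborts the scriptlet with an rpm warning instead of skipping it; guarding with `if test -f ${GRUB_HOME}/grub.cfg && ! test -L ${GRUB_HOME}/grub.cfg; then` keeps the fix to the regular file it targets. The stat/compare before the chmod is redundant, since chmod 0600 on an already-0600 file is a no-op, and it only adds a second command that can trip set -e. A single `chmod 0600 ${GRUB_HOME}/grub.cfg` inside the outer if would do the same job with one less failure point.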