Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
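--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,3 @@
 SOURCES/grub-2.02.tar.xz
-SOURCES/redhatsecureboot301.cer
-SOURCES/redhatsecureboot502.cer
-SOURCES/redhatsecureboot601.cer
-SOURCES/redhatsecureboot701.cer
-SOURCES/redhatsecurebootca3.cer
-SOURCES/redhatsecurebootca5.cer
 SOURCES/theme.tar.bz2
 SOURCES/unifont-5.1.20080820.pcf.gz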
@ -1,9 +1,3 @@
|
|||||||
3d7eb6eaab28b88cb969ba9ab24af959f4d1b178 SOURCES/grub-2.02.tar.xz
|
3d7eb6eaab28b88cb969ba9ab24af959f4d1b178 SOURCES/grub-2.02.tar.xz
|
||||||
4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer
|
|
||||||
3f94c47f1d08bacc7cb29bdd912e286b8d2f6fcf SOURCES/redhatsecureboot502.cer
|
|
||||||
039357ef97aab3e484d1119edd4528156f5859e6 SOURCES/redhatsecureboot601.cer
|
|
||||||
e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot701.cer
|
|
||||||
cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
|
|
||||||
e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
|
|
||||||
cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2
|
cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2
|
||||||
87f8600ba24e521b5d20bdf6c4b71af8ae861e3a SOURCES/unifont-5.1.20080820.pcf.gz
|
87f8600ba24e521b5d20bdf6c4b71af8ae861e3a SOURCES/unifont-5.1.20080820.pcf.gz
|
||||||
|
@ -1,27 +0,0 @@
|
|||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Leo Sandoval <lsandova@redhat.com>
|
|
||||||
Date: Thu, 19 Sep 2024 10:15:13 -0600
|
|
||||||
Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
|
|
||||||
|
|
||||||
Stricker permissions are required on the grub.cfg file, resulting in
|
|
||||||
at most 0600 owner's file permissions. This resolves conflicting
|
|
||||||
requirement permissions on grub2-pc package's grub2.cfg file.
|
|
||||||
|
|
||||||
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
|
|
||||||
---
|
|
||||||
util/grub-mkconfig.in | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
|
||||||
index a1c00776d..573004915 100644
|
|
||||||
--- a/util/grub-mkconfig.in
|
|
||||||
+++ b/util/grub-mkconfig.in
|
|
||||||
@@ -317,7 +317,7 @@ and /etc/grub.d/* files or please file a bug report with
|
|
||||||
exit 1
|
|
||||||
else
|
|
||||||
# none of the children aborted with error, install the new grub.cfg
|
|
||||||
- oldumask=$(umask); umask 077
|
|
||||||
+ oldumask=$(umask); umask 177
|
|
||||||
cat ${grub_cfg}.new > ${grub_cfg}
|
|
||||||
umask $oldumask
|
|
||||||
rm -f ${grub_cfg}.new
|
|
@ -90,10 +90,13 @@ case "$COMMAND" in
|
|||||||
[[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
|
[[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
|
||||||
BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
|
BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
|
||||||
BLS_TARGET="${BLS_DIR}/${BLS_ID}.conf"
|
BLS_TARGET="${BLS_DIR}/${BLS_ID}.conf"
|
||||||
mkbls "${KERNEL_VERSION}" \
|
if [[ -f "${KERNEL_DIR}/bls.conf" ]]; then
|
||||||
"$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
|
cp -aT "${KERNEL_DIR}/bls.conf" "${BLS_TARGET}" || exit $?
|
||||||
>"${BLS_TARGET}"
|
else
|
||||||
command -v restorecon &>/dev/null && restorecon -R "${BLS_TARGET}"
|
mkbls "${KERNEL_VERSION}" \
|
||||||
|
"$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
|
||||||
|
>"${BLS_TARGET}"
|
||||||
|
fi
|
||||||
|
|
||||||
LINUX="$(grep '^linux[ \t]' "${BLS_TARGET}" | sed -e 's,^linux[ \t]*,,')"
|
LINUX="$(grep '^linux[ \t]' "${BLS_TARGET}" | sed -e 's,^linux[ \t]*,,')"
|
||||||
INITRD="$(grep '^initrd[ \t]' "${BLS_TARGET}" | sed -e 's,^initrd[ \t]*,,')"
|
INITRD="$(grep '^initrd[ \t]' "${BLS_TARGET}" | sed -e 's,^initrd[ \t]*,,')"
|
||||||
@ -155,9 +158,8 @@ case "$COMMAND" in
|
|||||||
if [[ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]] || [[ ! -f /sbin/new-kernel-pkg ]]; then
|
if [[ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]] || [[ ! -f /sbin/new-kernel-pkg ]]; then
|
||||||
ARCH="$(uname -m)"
|
ARCH="$(uname -m)"
|
||||||
BLS_TARGET="${BLS_DIR}/${MACHINE_ID}-${KERNEL_VERSION}.conf"
|
BLS_TARGET="${BLS_DIR}/${MACHINE_ID}-${KERNEL_VERSION}.conf"
|
||||||
BLS_FAKE_TARGET="${BLS_DIR}/ffffffffffffffffffffffffffffffff-${KERNEL_VERSION}.conf"
|
|
||||||
BLS_DEBUG="$(echo ${BLS_TARGET} | sed -e "s/${KERNEL_VERSION}/${KERNEL_VERSION}~debug/")"
|
BLS_DEBUG="$(echo ${BLS_TARGET} | sed -e "s/${KERNEL_VERSION}/${KERNEL_VERSION}~debug/")"
|
||||||
rm -f "${BLS_TARGET}" "${BLS_DEBUG}" "${BLS_FAKE_TARGET}"
|
rm -f "${BLS_TARGET}" "${BLS_DEBUG}"
|
||||||
|
|
||||||
for i in vmlinuz System.map config zImage.stub dtb; do
|
for i in vmlinuz System.map config zImage.stub dtb; do
|
||||||
rm -rf "/boot/${i}-${KERNEL_VERSION}"
|
rm -rf "/boot/${i}-${KERNEL_VERSION}"
|
||||||
|
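Review bot: After the new `if`/`else` that populates `${BLS_TARGET}`, nothing in the visible lines relabels the file, because the `restorecon -R "${BLS_TARGET}"` call that used to follow `mkbls` is no longer present. On the `cp -aT` path the entry also inherits the mode, ownership and, where the filesystem supports it, the SELinux context of `${KERNEL_DIR}/bls.conf`, so a file under the 0700 `BLS_DIR` can carry attributes that belong to the kernel tree rather than to boot loader entries. I would put `command -v restorecon &>/dev/null && restorecon -R "${BLS_TARGET}"` directly after the `fi` so both branches end with the same label. The enclosing `case` arm starts and ends outside the hunk, so a relabel further down cannot be ruled out from here.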
10
SOURCES/99-grub-mkconfig.install
Executable file → Normal file
10
SOURCES/99-grub-mkconfig.install
Executable file → Normal file
@ -9,22 +9,16 @@ ARCH=$(uname -m)
|
|||||||
[[ -f /etc/default/grub ]] && . /etc/default/grub
|
[[ -f /etc/default/grub ]] && . /etc/default/grub
|
||||||
|
|
||||||
# Can't assume a BLS capable bootloader on ppc64
|
# Can't assume a BLS capable bootloader on ppc64
|
||||||
if [[ x$GRUB_ENABLE_BLSCFG = xtrue &&
|
if [[ x$GRUB_ENABLE_BLSCFG != xfalse &&
|
||||||
$ARCH != "ppc64" && $ARCH != "ppc64le" ]]; then
|
$ARCH != "ppc64" && $ARCH != "ppc64le" ]]; then
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
COMMAND="$1"
|
COMMAND="$1"
|
||||||
|
|
||||||
grub_cfg=/boot/grub2/grub.cfg
|
|
||||||
if mountpoint -q /boot/efi; then
|
|
||||||
os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
|
|
||||||
grub_cfg=/boot/efi/EFI/$os_name/grub.cfg
|
|
||||||
fi
|
|
||||||
|
|
||||||
case "$COMMAND" in
|
case "$COMMAND" in
|
||||||
add|remove)
|
add|remove)
|
||||||
grub2-mkconfig --no-grubenv-update -o $grub_cfg >& /dev/null
|
grub2-mkconfig --no-grubenv-update -o /boot/grub2/grub.cfg >& /dev/null
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
;;
|
;;
|
||||||
|
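Review bot: The `add|remove` arm sends both stdout and stderr of `grub2-mkconfig` to `/dev/null` and ignores its exit status, so a failed regeneration of the boot configuration is invisible to the caller. Keeping stderr and propagating the status is a one-line change: `grub2-mkconfig --no-grubenv-update -o /boot/grub2/grub.cfg >/dev/null || exit $?`. The output path is also fixed to `/boot/grub2/grub.cfg` on this side, where the other side selected the path under `/boot/efi/EFI` when `/boot/efi` is a mount point. The guard `x$GRUB_ENABLE_BLSCFG != xfalse` exits early when the variable is unset. Together with the "Executable file → Normal file" mode change, which may keep the plugin from being run at all, it is worth confirming that each of these is intended.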
@ -589,15 +589,14 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig \
|
|||||||
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \
|
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \
|
||||||
ln -sf ../default/grub \\\
|
ln -sf ../default/grub \\\
|
||||||
${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \
|
${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \
|
||||||
touch grub.cfg \
|
touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \
|
||||||
install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/ \
|
|
||||||
%{nil}
|
%{nil}
|
||||||
|
|
||||||
%define define_legacy_variant_files() \
|
%define define_legacy_variant_files() \
|
||||||
%{expand:%%files %{1}} \
|
%{expand:%%files %{1}} \
|
||||||
%defattr(-,root,root,-) \
|
%defattr(-,root,root,-) \
|
||||||
%config(noreplace) %{_sysconfdir}/%{name}.cfg \
|
%config(noreplace) %{_sysconfdir}/%{name}.cfg \
|
||||||
%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \
|
%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \
|
||||||
%dir %attr(0700,root,root)/boot/loader/entries \
|
%dir %attr(0700,root,root)/boot/loader/entries \
|
||||||
%ifarch ppc64le \
|
%ifarch ppc64le \
|
||||||
%dir %{_libdir}/grub/%{2}/ \
|
%dir %{_libdir}/grub/%{2}/ \
|
||||||
|
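Review bot: The `%ghost` entry for `/boot/%{name}/grub.cfg` declares `%attr(0700,root,root)`, which records an owner-execute bit as the expected state of a configuration file that is only read. `%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \` is the least mode that still works and keeps `rpm -V` from accepting 0700 as correct. The placeholder is now created with a bare `touch` in the build root, so its mode there depends on the build umask rather than on an explicit `install -m`; for a `%ghost` file this probably matters little, but it removes the one place the intended mode was stated. The spec on this side also has no `%posttrans` mode check, so nothing shown on the page corrects a grub.cfg already installed with a wider mode. Both macro definitions start and end outside the hunk.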
@ -588,4 +588,3 @@ Patch0587: 0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
|
|||||||
Patch0588: 0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
|
Patch0588: 0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
|
||||||
Patch0589: 0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
|
Patch0589: 0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
|
||||||
Patch0590: 0590-fs-ntfs-Make-code-more-readable.patch
|
Patch0590: 0590-fs-ntfs-Make-code-more-readable.patch
|
||||||
Patch0591: 0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
|
|
BIN
SOURCES/redhatsecureboot301.cer
Normal file
BIN
SOURCES/redhatsecureboot301.cer
Normal file
Binary file not shown.
BIN
SOURCES/redhatsecureboot502.cer
Normal file
BIN
SOURCES/redhatsecureboot502.cer
Normal file
Binary file not shown.
BIN
SOURCES/redhatsecureboot601.cer
Normal file
BIN
SOURCES/redhatsecureboot601.cer
Normal file
Binary file not shown.
BIN
SOURCES/redhatsecureboot701.cer
Normal file
BIN
SOURCES/redhatsecureboot701.cer
Normal file
Binary file not shown.
BIN
SOURCES/redhatsecurebootca3.cer
Normal file
BIN
SOURCES/redhatsecurebootca3.cer
Normal file
Binary file not shown.
BIN
SOURCES/redhatsecurebootca5.cer
Normal file
BIN
SOURCES/redhatsecurebootca5.cer
Normal file
Binary file not shown.
@ -7,7 +7,7 @@
|
|||||||
Name: grub2
|
Name: grub2
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.02
|
Version: 2.02
|
||||||
Release: 160%{?dist}
|
Release: 156%{?dist}
|
||||||
Summary: Bootloader with support for Linux, Multiboot and more
|
Summary: Bootloader with support for Linux, Multiboot and more
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -310,19 +310,6 @@ if [ "$1" = 2 ]; then
|
|||||||
/sbin/grub2-switch-to-blscfg --backup-suffix=.rpmsave &>/dev/null || :
|
/sbin/grub2-switch-to-blscfg --backup-suffix=.rpmsave &>/dev/null || :
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%posttrans common
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
GRUB_HOME=/boot/%{name}
|
|
||||||
|
|
||||||
if test -f ${GRUB_HOME}/grub.cfg; then
|
|
||||||
# make sure GRUB_HOME/grub.cfg has 600 permissions
|
|
||||||
GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
|
|
||||||
if ! test "${GRUB_CFG_MODE}" = "600"; then
|
|
||||||
chmod 0600 ${GRUB_HOME}/grub.cfg
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
%triggerun -- grub2 < 1:1.99-4
|
%triggerun -- grub2 < 1:1.99-4
|
||||||
# grub2 < 1.99-4 removed a number of essential files in postun. To fix upgrades
|
# grub2 < 1.99-4 removed a number of essential files in postun. To fix upgrades
|
||||||
# from the affected grub2 packages, we first back up the files in triggerun and
|
# from the affected grub2 packages, we first back up the files in triggerun and
|
||||||
@ -523,22 +510,6 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Nov 13 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-160
|
|
||||||
- Remove BLS fake config in case of kernel removal
|
|
||||||
- Resolves: #RHEL-4316
|
|
||||||
|
|
||||||
* Tue Nov 12 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-159
|
|
||||||
- Fix default behavior when GRUB_ENABLE_BLSCFG is not present
|
|
||||||
- Resolves: #RHEL-4319
|
|
||||||
|
|
||||||
* Thu Sep 19 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-158
|
|
||||||
- grub-mkconfig.in: turn off executable owner bit
|
|
||||||
- Resolves: #RHEL-58835
|
|
||||||
|
|
||||||
* Wed Aug 14 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-157
|
|
||||||
- 20-grub-install: fix SELinux security type context for BLS
|
|
||||||
- Resolves: #RHEL-4395
|
|
||||||
|
|
||||||
* Tue Feb 20 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.02-156
|
* Tue Feb 20 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.02-156
|
||||||
- fs/ntfs: OOB write fix
|
- fs/ntfs: OOB write fix
|
||||||
- (CVE-2023-4692)
|
- (CVE-2023-4692)
|
||||||
|