291 lines
		
	
	
		
			8.3 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
			
		
		
	
	
			291 lines
		
	
	
		
			8.3 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 | |
| From: Hans de Goede <hdegoede@redhat.com>
 | |
| Date: Tue, 12 Jun 2018 13:25:16 +0200
 | |
| Subject: [PATCH] Add grub-set-bootflag utility
 | |
| 
 | |
| This commit adds a new grub-set-bootflag utility, which can be used
 | |
| to set known bootflags in the grubenv: boot_success or menu_show_once.
 | |
| 
 | |
| grub-set-bootflag is different from grub-editenv in 2 ways:
 | |
| 
 | |
| 1) It is intended to be executed by regular users so must be installed
 | |
| as suid root. As such it is written to not use any existing grubenv
 | |
| related code for easy auditing.
 | |
| 
 | |
| It can't be executed through pkexec because we want to call it under gdm
 | |
| and pkexec does not work under gdm due the gdm user having /sbin/nologin
 | |
| as shell.
 | |
| 
 | |
| 2) Since it can be executed by regular users it only allows setting
 | |
| (assigning a value of 1 to) bootflags which it knows about. Currently
 | |
| those are just boot_success and menu_show_once.
 | |
| 
 | |
| This commit also adds a couple of example systemd and files which show
 | |
| how this can be used to set boot_success from a user-session:
 | |
| 
 | |
| docs/grub-boot-success.service
 | |
| docs/grub-boot-success.timer
 | |
| 
 | |
| The 2 grub-boot-success.systemd files should be placed in /lib/systemd/user
 | |
| and a symlink to grub-boot-success.timer should be added to
 | |
| /lib/systemd/user/timers.target.wants.
 | |
| 
 | |
| Signed-off-by: Hans de Goede <hdegoede@redhat.com>
 | |
| [makhomed: grub-boot-success.timer: Only run if not in a container]
 | |
| Signed-off-by: Gena Makhomed <makhomed@gmail.com>
 | |
| [rharwood: migrate to h2m]
 | |
| Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 | |
| ---
 | |
|  Makefile.util.def              |   7 ++
 | |
|  util/grub-set-bootflag.c       | 172 +++++++++++++++++++++++++++++++++++++++++
 | |
|  conf/Makefile.extra-dist       |   3 +
 | |
|  docs/grub-boot-success.service |   6 ++
 | |
|  docs/grub-boot-success.timer   |   7 ++
 | |
|  docs/man/grub-set-bootflag.h2m |   2 +
 | |
|  6 files changed, 197 insertions(+)
 | |
|  create mode 100644 util/grub-set-bootflag.c
 | |
|  create mode 100644 docs/grub-boot-success.service
 | |
|  create mode 100644 docs/grub-boot-success.timer
 | |
|  create mode 100644 docs/man/grub-set-bootflag.h2m
 | |
| 
 | |
| diff --git a/Makefile.util.def b/Makefile.util.def
 | |
| index 5b9f85d4869..01096ded815 100644
 | |
| --- a/Makefile.util.def
 | |
| +++ b/Makefile.util.def
 | |
| @@ -1468,3 +1468,10 @@ program = {
 | |
|    ldadd = grub-core/lib/gnulib/libgnu.a;
 | |
|    ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 | |
|  };
 | |
| +
 | |
| +program = {
 | |
| +  name = grub-set-bootflag;
 | |
| +  installdir = sbin;
 | |
| +  mansection = 1;
 | |
| +  common = util/grub-set-bootflag.c;
 | |
| +};
 | |
| diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
 | |
| new file mode 100644
 | |
| index 00000000000..d506f7e75bc
 | |
| --- /dev/null
 | |
| +++ b/util/grub-set-bootflag.c
 | |
| @@ -0,0 +1,172 @@
 | |
| +/* grub-set-bootflag.c - tool to set boot-flags in the grubenv. */
 | |
| +/*
 | |
| + *  GRUB  --  GRand Unified Bootloader
 | |
| + *  Copyright (C) 2018 Free Software Foundation, Inc.
 | |
| + *
 | |
| + *  GRUB is free software: you can redistribute it and/or modify
 | |
| + *  it under the terms of the GNU General Public License as published by
 | |
| + *  the Free Software Foundation, either version 3 of the License, or
 | |
| + *  (at your option) any later version.
 | |
| + *
 | |
| + *  GRUB is distributed in the hope that it will be useful,
 | |
| + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
| + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
| + *  GNU General Public License for more details.
 | |
| + *
 | |
| + *  You should have received a copy of the GNU General Public License
 | |
| + *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
 | |
| + */
 | |
| +
 | |
| +/*
 | |
| + * NOTE this gets run by users as root (through pkexec), so this does not
 | |
| + * use any grub library / util functions to allow for easy auditing.
 | |
| + * The grub headers are only included to get certain defines.
 | |
| + */
 | |
| +
 | |
| +#include <config-util.h>     /* For *_DIR_NAME defines */
 | |
| +#include <grub/types.h>
 | |
| +#include <grub/lib/envblk.h> /* For GRUB_ENVBLK_DEFCFG define */
 | |
| +#include <errno.h>
 | |
| +#include <stdio.h>
 | |
| +#include <string.h>
 | |
| +#include <unistd.h>
 | |
| +
 | |
| +#include "progname.h"
 | |
| +
 | |
| +#define GRUBENV "/" GRUB_BOOT_DIR_NAME "/" GRUB_DIR_NAME "/" GRUB_ENVBLK_DEFCFG
 | |
| +#define GRUBENV_SIZE 1024
 | |
| +
 | |
| +const char *bootflags[] = {
 | |
| +  "boot_success",
 | |
| +  "menu_show_once",
 | |
| +  NULL
 | |
| +};
 | |
| +
 | |
| +static void usage(FILE *out)
 | |
| +{
 | |
| +  int i;
 | |
| +
 | |
| +  fprintf (out, "Usage: 'grub-set-bootflag <bootflag>', where <bootflag> is one of:\n");
 | |
| +  for (i = 0; bootflags[i]; i++)
 | |
| +    fprintf (out, "  %s\n", bootflags[i]);
 | |
| +}
 | |
| +
 | |
| +int main(int argc, char *argv[])
 | |
| +{
 | |
| +  /* NOTE buf must be at least the longest bootflag length + 4 bytes */
 | |
| +  char env[GRUBENV_SIZE + 1], buf[64], *s;
 | |
| +  const char *bootflag;
 | |
| +  int i, len, ret;
 | |
| +  FILE *f;
 | |
| +
 | |
| +  if (argc != 2)
 | |
| +    {
 | |
| +      usage (stderr);
 | |
| +      return 1;
 | |
| +    }
 | |
| +  else if (!strcmp (argv[1], "--help"))
 | |
| +    {
 | |
| +      usage (stdout);
 | |
| +      return 0;
 | |
| +    }
 | |
| +  else if (!strcmp (argv[1], "--version"))
 | |
| +    {
 | |
| +      printf ("grub-set-bootflag (%s) %s\n", PACKAGE_NAME, PACKAGE_VERSION);
 | |
| +      return 0;
 | |
| +    }
 | |
| +
 | |
| +  for (i = 0; bootflags[i]; i++)
 | |
| +    if (!strcmp (argv[1], bootflags[i]))
 | |
| +      break;
 | |
| +  if (!bootflags[i])
 | |
| +    {
 | |
| +      fprintf (stderr, "Invalid bootflag: '%s'\n", argv[1]);
 | |
| +      usage (stderr);
 | |
| +      return 1;
 | |
| +    }
 | |
| +
 | |
| +  bootflag = bootflags[i];
 | |
| +  len = strlen (bootflag);
 | |
| +
 | |
| +  f = fopen (GRUBENV, "r");
 | |
| +  if (!f)
 | |
| +    {
 | |
| +      perror ("Error opening " GRUBENV " for reading");
 | |
| +      return 1;     
 | |
| +    }
 | |
| +
 | |
| +  ret = fread (env, 1, GRUBENV_SIZE, f);
 | |
| +  fclose (f);
 | |
| +  if (ret != GRUBENV_SIZE)
 | |
| +    {
 | |
| +      errno = EINVAL;
 | |
| +      perror ("Error reading from " GRUBENV);
 | |
| +      return 1;     
 | |
| +    }
 | |
| +
 | |
| +  /* 0 terminate env */
 | |
| +  env[GRUBENV_SIZE] = 0;
 | |
| +
 | |
| +  if (strncmp (env, GRUB_ENVBLK_SIGNATURE, strlen (GRUB_ENVBLK_SIGNATURE)))
 | |
| +    {
 | |
| +      fprintf (stderr, "Error invalid environment block\n");
 | |
| +      return 1;
 | |
| +    }
 | |
| +
 | |
| +  /* Find a pre-existing definition of the bootflag */
 | |
| +  s = strstr (env, bootflag);
 | |
| +  while (s && s[len] != '=')
 | |
| +    s = strstr (s + len, bootflag);
 | |
| +
 | |
| +  if (s && ((s[len + 1] != '0' && s[len + 1] != '1') || s[len + 2] != '\n'))
 | |
| +    {
 | |
| +      fprintf (stderr, "Pre-existing bootflag '%s' has unexpected value\n", bootflag);
 | |
| +      return 1;     
 | |
| +    }
 | |
| +
 | |
| +  /* No pre-existing bootflag? -> find free space */
 | |
| +  if (!s)
 | |
| +    {
 | |
| +      for (i = 0; i < (len + 3); i++)
 | |
| +        buf[i] = '#';
 | |
| +      buf[i] = 0;
 | |
| +      s = strstr (env, buf);
 | |
| +    }
 | |
| +
 | |
| +  if (!s)
 | |
| +    {
 | |
| +      fprintf (stderr, "No space in grubenv to store bootflag '%s'\n", bootflag);
 | |
| +      return 1;     
 | |
| +    }
 | |
| +
 | |
| +  /* The grubenv is not 0 terminated, so memcpy the name + '=' , '1', '\n' */
 | |
| +  snprintf(buf, sizeof(buf), "%s=1\n", bootflag);
 | |
| +  memcpy(s, buf, len + 3);
 | |
| +
 | |
| +  /* "r+", don't truncate so that the diskspace stays reserved */
 | |
| +  f = fopen (GRUBENV, "r+");
 | |
| +  if (!f)
 | |
| +    {
 | |
| +      perror ("Error opening " GRUBENV " for writing");
 | |
| +      return 1;     
 | |
| +    }
 | |
| +
 | |
| +  ret = fwrite (env, 1, GRUBENV_SIZE, f);
 | |
| +  if (ret != GRUBENV_SIZE)
 | |
| +    {
 | |
| +      perror ("Error writing to " GRUBENV);
 | |
| +      return 1;     
 | |
| +    }
 | |
| +
 | |
| +  ret = fflush (f);
 | |
| +  if (ret)
 | |
| +    {
 | |
| +      perror ("Error flushing " GRUBENV);
 | |
| +      return 1;     
 | |
| +    }
 | |
| +
 | |
| +  fsync (fileno (f));
 | |
| +  fclose (f);
 | |
| +
 | |
| +  return 0;
 | |
| +}
 | |
| diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
 | |
| index 5e7126f9878..26ac8765e30 100644
 | |
| --- a/conf/Makefile.extra-dist
 | |
| +++ b/conf/Makefile.extra-dist
 | |
| @@ -15,6 +15,9 @@ EXTRA_DIST += docs/man
 | |
|  EXTRA_DIST += docs/autoiso.cfg
 | |
|  EXTRA_DIST += docs/grub.cfg
 | |
|  EXTRA_DIST += docs/osdetect.cfg
 | |
| +EXTRA_DIST += docs/org.gnu.grub.policy
 | |
| +EXTRA_DIST += docs/grub-boot-success.service
 | |
| +EXTRA_DIST += docs/grub-boot-success.timer
 | |
|  
 | |
|  EXTRA_DIST += conf/i386-cygwin-img-ld.sc
 | |
|  
 | |
| diff --git a/docs/grub-boot-success.service b/docs/grub-boot-success.service
 | |
| new file mode 100644
 | |
| index 00000000000..80e79584c91
 | |
| --- /dev/null
 | |
| +++ b/docs/grub-boot-success.service
 | |
| @@ -0,0 +1,6 @@
 | |
| +[Unit]
 | |
| +Description=Mark boot as successful
 | |
| +
 | |
| +[Service]
 | |
| +Type=oneshot
 | |
| +ExecStart=/usr/sbin/grub2-set-bootflag boot_success
 | |
| diff --git a/docs/grub-boot-success.timer b/docs/grub-boot-success.timer
 | |
| new file mode 100644
 | |
| index 00000000000..406f1720056
 | |
| --- /dev/null
 | |
| +++ b/docs/grub-boot-success.timer
 | |
| @@ -0,0 +1,7 @@
 | |
| +[Unit]
 | |
| +Description=Mark boot as successful after the user session has run 2 minutes
 | |
| +ConditionUser=!@system
 | |
| +ConditionVirtualization=!container
 | |
| +
 | |
| +[Timer]
 | |
| +OnActiveSec=2min
 | |
| diff --git a/docs/man/grub-set-bootflag.h2m b/docs/man/grub-set-bootflag.h2m
 | |
| new file mode 100644
 | |
| index 00000000000..94ec0b92ede
 | |
| --- /dev/null
 | |
| +++ b/docs/man/grub-set-bootflag.h2m
 | |
| @@ -0,0 +1,2 @@
 | |
| +[NAME]
 | |
| +grub-set-bootflag \- set a bootflag in the GRUB environment block
 |