>From 4ca4265ebf23d07405d3f4218d3ed6d858b4e1c5 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sat, 26 Dec 2015 21:53:30 +0100 Subject: [PATCH] Added GRUB_MENU_ENTRY_OPTIONS variable to add options to menu entries. Useful for making each menuentry '--unrestricted' when using GRUBs password protection feature. Ansible role which makes use of this patch: https://github.com/debops/ansible-grub/pull/7 My indented use case is to allow to add options like '--unrestricted' or '--users "Jane"' to each menuentry generated by grub-mkconfig without altering the scripts itself. Although the scripts end up under /etc in Debian, I did not think that changing these files (and `dpkg-divert`ing them) would be such a good idea. I have been searching for how to configure password protection and I did only find "hacks" which either suggest to edit the grub config under /boot/grub (which is totally outdated because the configurations is automatically generated in Debian) or change the "CLASS" variable in the grub.d scripts [12]0_.* scripts. So I did go with the later option. Patching these scripts with configuration management was not ideal so I decided to propose this patch upstream. With this patch in place it will be possible to configure this in /etc/default/grub without touching the scripts. This patch addresses the issue which is mentioned in this article (At least when the assumption is true that all menuentry of the same distribution should get the same restrictions/options): https://help.ubuntu.com/community/Grub2/Passwords#Protecting_Menuentries "There is currently no automated method of adding users or designating menu items to be protected. The user must manually edit the GRUB 2 scripts." --- util/grub-mkconfig.in | 3 ++- util/grub.d/10_hurd.in | 4 ++-- util/grub.d/10_illumos.in | 2 +- util/grub.d/10_kfreebsd.in | 4 ++-- util/grub.d/10_linux.in | 4 ++-- util/grub.d/10_netbsd.in | 4 ++-- util/grub.d/10_windows.in | 2 +- util/grub.d/10_xnu.in | 2 +- util/grub.d/20_linux_xen.in | 4 ++-- util/grub.d/30_os-prober.in | 14 +++++++------- 10 files changed, 22 insertions(+), 21 deletions(-) diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in index 3183744..8c6747b 100644 --- a/util/grub-mkconfig.in +++ b/util/grub-mkconfig.in @@ -227,7 +227,8 @@ export GRUB_DEFAULT \ GRUB_ENABLE_CRYPTODISK \ GRUB_BADRAM \ GRUB_OS_PROBER_SKIP_LIST \ - GRUB_DISABLE_SUBMENU + GRUB_DISABLE_SUBMENU \ + GRUB_MENU_ENTRY_OPTIONS if test "x${grub_cfg}" != "x"; then rm -f "${grub_cfg}.new" diff --git a/util/grub.d/10_hurd.in b/util/grub.d/10_hurd.in index 59a9a48..8dadaaa 100644 --- a/util/grub.d/10_hurd.in +++ b/util/grub.d/10_hurd.in @@ -100,11 +100,11 @@ hurd_entry () { grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnuhurd-advanced-$boot_device_id>'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")'")" fi sed "s/^/$submenu_indentation/" << EOF -menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { +menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnuhurd-$kernel-$type-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { EOF else sed "s/^/$submenu_indentation/" << EOF -menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { +menuentry '$(echo "$OS" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnuhurd-simple-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' { EOF fi diff --git a/util/grub.d/10_illumos.in b/util/grub.d/10_illumos.in index a133e1b..799cf26 100644 --- a/util/grub.d/10_illumos.in +++ b/util/grub.d/10_illumos.in @@ -34,7 +34,7 @@ case "${GRUB_DISTRIBUTOR}" in ;; esac -echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {" +echo "menuentry '$(echo "$OS" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'illumos-$(grub_get_device_id "${GRUB_DEVICE_BOOT}")' {" save_default_entry | grub_add_tab prepare_grub_to_access_device "${GRUB_DEVICE_BOOT}" | grub_add_tab message="$(gettext_printf "Loading kernel of Illumos ...")" diff --git a/util/grub.d/10_kfreebsd.in b/util/grub.d/10_kfreebsd.in index 9d8e8fd..ba45601 100644 --- a/util/grub.d/10_kfreebsd.in +++ b/util/grub.d/10_kfreebsd.in @@ -86,9 +86,9 @@ kfreebsd_entry () title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "kfreebsd-advanced-$boot_device_id>kfreebsd-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'kfreebsd-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$OS" | grub_quote)' ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$OS" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'kfreebsd-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi if [ x$type != xrecovery ] ; then save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/" diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in index 859b608..535eeda 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in @@ -90,9 +90,9 @@ linux_entry () title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$os" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi if [ x$type != xrecovery ] ; then save_default_entry | grub_add_tab diff --git a/util/grub.d/10_netbsd.in b/util/grub.d/10_netbsd.in index 874f599..8587456 100644 --- a/util/grub.d/10_netbsd.in +++ b/util/grub.d/10_netbsd.in @@ -113,9 +113,9 @@ netbsd_entry () grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "netbsd-advanced-$boot_device_id>netbsd-${loader}-$kernel-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} \$menuentry_id_option 'netbsd-${loader}-$kernel-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else - echo "menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$OS" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} \$menuentry_id_option 'netbsd-${loader}-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi printf "%s\n" "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/" diff --git a/util/grub.d/10_windows.in b/util/grub.d/10_windows.in index 554c561..3f120f1 100644 --- a/util/grub.d/10_windows.in +++ b/util/grub.d/10_windows.in @@ -84,7 +84,7 @@ for drv in $drives ; do gettext_printf "Found %s on %s (%s)\n" "$OS" "$drv" "$dev" >&2 cat << EOF -menuentry '$(echo "$OS" | grub_quote)' \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' { +menuentry '$(echo "$OS" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} \$menuentry_id_option '$osid-$(grub_get_device_id "${dev}")' { EOF save_default_entry | sed -e 's,^,$grub_tab,' diff --git a/util/grub.d/10_xnu.in b/util/grub.d/10_xnu.in index 51ee2f4..1d2c45a 100644 --- a/util/grub.d/10_xnu.in +++ b/util/grub.d/10_xnu.in @@ -37,7 +37,7 @@ osx_entry() { # TRANSLATORS: it refers on the OS residing on device %s onstr="$(gettext_printf "(on %s)" "${GRUB_DEVICE}")" cat << EOF -menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' { +menuentry '$(echo "Darwin/Mac OS X $bitstr $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${GRUB_DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${GRUB_DEVICE} | grub_add_tab diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in index f532fb9..c655179 100644 --- a/util/grub.d/20_linux_xen.in +++ b/util/grub.d/20_linux_xen.in @@ -98,10 +98,10 @@ linux_entry () title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")" fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'xen-gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" else title="$(gettext_printf "%s, with Xen hypervisor" "${os}")" - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + echo "menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" fi if [ x$type != xrecovery ] ; then save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/" diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in index 5fc4f0c..8be9c69 100644 --- a/util/grub.d/30_os-prober.in +++ b/util/grub.d/30_os-prober.in @@ -52,7 +52,7 @@ osx_entry() { # TRANSLATORS: it refers on the OS residing on device %s onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $bitstr $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class osx --class darwin --class os \$menuentry_id_option 'osprober-xnu-$2-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab @@ -142,7 +142,7 @@ for OS in ${OSPROBED} ; do onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class windows --class os \$menuentry_id_option 'osprober-chain-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab @@ -174,7 +174,7 @@ EOF address@hidden onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class windows --class os \$menuentry_id_option 'osprober-efi-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | sed -e "s/^/\t/" prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/" @@ -230,7 +230,7 @@ EOF if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then cat << EOF -menuentry '$(echo "$OS $onstr" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' { +menuentry '$(echo "$OS $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-simple-$boot_device_id' { EOF save_default_entry | grub_add_tab printf '%s\n' "${prepare_boot_cache}" @@ -250,7 +250,7 @@ EOF fi title="${LLABEL} $onstr" cat << EOF - menuentry '$(echo "$title" | grub_quote)' --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-$LKERNEL-${recovery_params}-$boot_device_id' { + menuentry '$(echo "$title" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class gnu-linux --class gnu --class os \$menuentry_id_option 'osprober-gnulinux-$LKERNEL-${recovery_params}-$boot_device_id' { EOF save_default_entry | sed -e "s/^/$grub_tab$grub_tab/" printf '%s\n' "${prepare_boot_cache}" | grub_add_tab @@ -287,7 +287,7 @@ EOF hurd) onstr="$(gettext_printf "(on %s)" "${DEVICE}")" cat << EOF -menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' { +menuentry '$(echo "${LONGNAME} $onstr" | grub_quote)' ${GRUB_MENU_ENTRY_OPTIONS} --class hurd --class gnu --class os \$menuentry_id_option 'osprober-gnuhurd-/boot/gnumach.gz-false-$(grub_get_device_id "${DEVICE}")' { EOF save_default_entry | grub_add_tab prepare_grub_to_access_device ${DEVICE} | grub_add_tab @@ -312,7 +312,7 @@ EOF ;; minix) cat << EOF -menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" { +menuentry "${LONGNAME} (on ${DEVICE}, Multiboot)" ${GRUB_MENU_ENTRY_OPTIONS} { EOF save_default_entry | sed -e "s/^/\t/" prepare_grub_to_access_device ${DEVICE} | sed -e "s/^/\t/" -- 2.1.4