boot/grub2/0148-templates-Disable-the-os-prober-by-default.patch - buildroot - Git at Google

 From e346414725a70e5c74ee87ca14e580c66f517666 Mon Sep 17 00:00:00 2001
 From: Alex Burmashev <alexander.burmashev@oracle.com>
 Date: Tue, 16 Feb 2021 11:12:12 +0100
 Subject: [PATCH] templates: Disable the os-prober by default

 The os-prober is enabled by default what may lead to potentially
 dangerous use cases and borderline opening attack vectors. This
 patch disables the os-prober, adds warning messages and updates
 GRUB_DISABLE_OS_PROBER configuration option documentation. This
 way we make it clear that the os-prober usage is not recommended.

 Simplistic nature of this change allows downstream vendors, who
 really want os-prober to be enabled out of the box in their
 relevant products, easily revert to it's old behavior.

 Reported-by: NyankoSec (<nyanko@10x.moe>, https://twitter.com/NyankoSec),
              working with SSD Secure Disclosure
 Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
 ---
  docs/grub.texi              | 18 ++++++++++--------
  util/grub.d/30_os-prober.in |  5 ++++-
  2 files changed, 14 insertions(+), 9 deletions(-)

 diff --git a/docs/grub.texi b/docs/grub.texi
 index e302797..45a9f80 100644
 --- a/docs/grub.texi
 +++ b/docs/grub.texi
 @@ -1481,10 +1481,13 @@ boot sequence.  If you have problems, set this option to @samp{text} and
  GRUB will tell Linux to boot in normal text mode.

  @item GRUB_DISABLE_OS_PROBER
 -Normally, @command{grub-mkconfig} will try to use the external
 -@command{os-prober} program, if installed, to discover other operating
 -systems installed on the same system and generate appropriate menu entries
 -for them.  Set this option to @samp{true} to disable this.
 +The @command{grub-mkconfig} has a feature to use the external
 +@command{os-prober} program to discover other operating systems installed on
 +the same machine and generate appropriate menu entries for them. It is disabled
 +by default since automatic and silent execution of @command{os-prober}, and
 +creating boot entries based on that data, is a potential attack vector. Set
 +this option to @samp{false} to enable this feature in the
 +@command{grub-mkconfig} command.

  @item GRUB_OS_PROBER_SKIP_LIST
  List of space-separated FS UUIDs of filesystems to be ignored from os-prober
 @@ -1812,10 +1815,9 @@ than zero; otherwise 0.
  @section Multi-boot manual config

  Currently autogenerating config files for multi-boot environments depends on
 -os-prober and has several shortcomings. While fixing it is scheduled for the
 -next release, meanwhile you can make use of the power of GRUB syntax and do it
 -yourself. A possible configuration is detailed here, feel free to adjust to your
 -needs.
 +os-prober and has several shortcomings. Due to that it is disabled by default.
 +It is advised to use the power of GRUB syntax and do it yourself. A possible
 +configuration is detailed here, feel free to adjust to your needs.

  First create a separate GRUB partition, big enough to hold GRUB. Some of the
  following entries show how to load OS installer images from this same partition,
 diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in
 index 515a68c..99de043 100644
 --- a/util/grub.d/30_os-prober.in
 +++ b/util/grub.d/30_os-prober.in
 @@ -26,7 +26,8 @@ export TEXTDOMAINDIR="@localedir@"

  . "$pkgdatadir/grub-mkconfig_lib"

 -if [ "x${GRUB_DISABLE_OS_PROBER}" = "xtrue" ]; then
 +if [ "x${GRUB_DISABLE_OS_PROBER}" = "xfalse" ]; then
 +  gettext_printf "os-prober will not be executed to detect other bootable partitions.\nSystems on them will not be added to the GRUB boot configuration.\nCheck GRUB_DISABLE_OS_PROBER documentation entry.\n"
    exit 0
  fi

 @@ -39,6 +40,8 @@ OSPROBED="`os-prober | tr ' ' '^' | paste -s -d ' '`"
  if [ -z "${OSPROBED}" ] ; then
    # empty os-prober output, nothing doing
    exit 0
 +else
 +  grub_warn "$(gettext_printf "os-prober was executed to detect other bootable partitions.\nIt's output will be used to detect bootable binaries on them and create new boot entries.")"
  fi

  osx_entry() {
 --
 2.14.2
	From e346414725a70e5c74ee87ca14e580c66f517666 Mon Sep 17 00:00:00 2001
	From: Alex Burmashev <alexander.burmashev@oracle.com>
	Date: Tue, 16 Feb 2021 11:12:12 +0100
	Subject: [PATCH] templates: Disable the os-prober by default

	The os-prober is enabled by default what may lead to potentially
	dangerous use cases and borderline opening attack vectors. This
	patch disables the os-prober, adds warning messages and updates
	GRUB_DISABLE_OS_PROBER configuration option documentation. This
	way we make it clear that the os-prober usage is not recommended.

	Simplistic nature of this change allows downstream vendors, who
	really want os-prober to be enabled out of the box in their
	relevant products, easily revert to it's old behavior.

	Reported-by: NyankoSec (<nyanko@10x.moe>, https://twitter.com/NyankoSec),
	working with SSD Secure Disclosure
	Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
	---
	docs/grub.texi \| 18 ++++++++++--------
	util/grub.d/30_os-prober.in \| 5 ++++-
	2 files changed, 14 insertions(+), 9 deletions(-)

	diff --git a/docs/grub.texi b/docs/grub.texi
	index e302797..45a9f80 100644
	--- a/docs/grub.texi
	+++ b/docs/grub.texi
	@@ -1481,10 +1481,13 @@ boot sequence. If you have problems, set this option to @samp{text} and
	GRUB will tell Linux to boot in normal text mode.

	@item GRUB_DISABLE_OS_PROBER
	-Normally, @command{grub-mkconfig} will try to use the external
	-@command{os-prober} program, if installed, to discover other operating
	-systems installed on the same system and generate appropriate menu entries
	-for them. Set this option to @samp{true} to disable this.
	+The @command{grub-mkconfig} has a feature to use the external
	+@command{os-prober} program to discover other operating systems installed on
	+the same machine and generate appropriate menu entries for them. It is disabled
	+by default since automatic and silent execution of @command{os-prober}, and
	+creating boot entries based on that data, is a potential attack vector. Set
	+this option to @samp{false} to enable this feature in the
	+@command{grub-mkconfig} command.

	@item GRUB_OS_PROBER_SKIP_LIST
	List of space-separated FS UUIDs of filesystems to be ignored from os-prober
	@@ -1812,10 +1815,9 @@ than zero; otherwise 0.
	@section Multi-boot manual config

	Currently autogenerating config files for multi-boot environments depends on
	-os-prober and has several shortcomings. While fixing it is scheduled for the
	-next release, meanwhile you can make use of the power of GRUB syntax and do it
	-yourself. A possible configuration is detailed here, feel free to adjust to your
	-needs.
	+os-prober and has several shortcomings. Due to that it is disabled by default.
	+It is advised to use the power of GRUB syntax and do it yourself. A possible
	+configuration is detailed here, feel free to adjust to your needs.

	First create a separate GRUB partition, big enough to hold GRUB. Some of the
	following entries show how to load OS installer images from this same partition,
	diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in
	index 515a68c..99de043 100644
	--- a/util/grub.d/30_os-prober.in
	+++ b/util/grub.d/30_os-prober.in
	@@ -26,7 +26,8 @@ export TEXTDOMAINDIR="@localedir@"

	. "$pkgdatadir/grub-mkconfig_lib"

	-if [ "x${GRUB_DISABLE_OS_PROBER}" = "xtrue" ]; then
	+if [ "x${GRUB_DISABLE_OS_PROBER}" = "xfalse" ]; then
	+ gettext_printf "os-prober will not be executed to detect other bootable partitions.\nSystems on them will not be added to the GRUB boot configuration.\nCheck GRUB_DISABLE_OS_PROBER documentation entry.\n"
	exit 0
	fi

	@@ -39,6 +40,8 @@ OSPROBED="`os-prober \| tr ' ' '^' \| paste -s -d ' '`"
	if [ -z "${OSPROBED}" ] ; then
	# empty os-prober output, nothing doing
	exit 0
	+else
	+ grub_warn "$(gettext_printf "os-prober was executed to detect other bootable partitions.\nIt's output will be used to detect bootable binaries on them and create new boot entries.")"
	fi

	osx_entry() {
	--
	2.14.2