This repository has been archived by the owner on Jan 15, 2024. It is now read-only.

implement grub default boot menu entries:
    PERSISTENT mode USER (For daily activities.)
    LIVE mode USER (For daily activities.)
    PERSISTENT mode ADMIN (For software installation.)
    PERSISTENT mode SUPERADMIN (Be very cautious!)
    Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)

https://forums.whonix.org/t/multiple-boot-modes-for-better-security-persistent-root-persistent-noroot-live-root-live-noroot/7708/32
Patrick Schleizer committed Dec 13, 2019
1 parent 55c9984 commit b3817cd
Showing 6 changed files with 151 additions and 0 deletions.
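--- a/etc/apt/apt.conf.d/50apparmor-profile-everything
+++ b/etc/apt/apt.conf.d/50apparmor-profile-everything
@@ -0,0 +1,4 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+DPkg::Post-Invoke {"/usr/lib/apparmor-profile-everything/grub-cfg";};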
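Review bot: The Post-Invoke hook calls the script unconditionally, so if this configuration file outlives the script (apt.conf.d files are normally conffiles and stay behind on package removal without purge), every later dpkg run would fail on the missing hook. Guarding the call keeps package management working in that state: `DPkg::Post-Invoke {"[ ! -x /usr/lib/apparmor-profile-everything/grub-cfg ] || /usr/lib/apparmor-profile-everything/grub-cfg";};`. The hook runs as root after every dpkg invocation, which is worth stating in a comment above the line.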
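--- a/etc/default/grub.d/45_apparmor-profile-everything.conf
+++ b/etc/default/grub.d/45_apparmor-profile-everything.conf
@@ -0,0 +1,10 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Disable the submenu to get rid of "Advanced options for" since that would
+## be too many default grub menu entries.
+GRUB_DISABLE_SUBMENU="y"
+
+## We disable it here and then create our own menu entry so these it can be the
+## last grub boot menu entry.
+GRUB_DISABLE_RECOVERY="true"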
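Review bot: The file is named `45_apparmor-profile-everything.conf`, but the grub-cfg script in this same commit globs `/etc/default/grub.d/*.cfg`, and as far as I know Debian's grub-mkconfig sources only `*.cfg` from that directory as well, so these two settings would presumably never be read. If so, the stock recovery entries and the "Advanced options" submenu stay enabled alongside the new entries; renaming the file to end in `.cfg` should fix it. The second comment also has a wording slip: `so these it can be the last` should read `so that it can be the last`.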
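--- a/etc/grub.d/12_linux_admin
+++ b/etc/grub.d/12_linux_admin
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -e
+
+## required?
+# GRUB_DEVICE="/dev/disk/by-uuid/${GRUB_DEVICE_UUID}"
+# unset GRUB_DEVICE_UUID
+
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rootmode"
+GRUB_DISTRIBUTOR="PERSISTENT mode ADMIN (For software installation.)"
+
+export \
+GRUB_DEVICE \
+GRUB_CMDLINE_LINUX \
+GRUB_DISTRIBUTOR \
+GRUB_DISABLE_RECOVERY \
+GRUB_DISABLE_SUBMENU
+
+if test -x /etc/grub.d/10_linux ; then
+/etc/grub.d/10_linux
+fi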
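Review bot: Nothing in this script says which component consumes the `rootmode` token or why 10_linux is run a second time, and the `## required?` block with the commented-out GRUB_DEVICE lines leaves open whether the exported GRUB_DEVICE is expected to come from the caller's environment. A header comment such as `## Re-runs 10_linux with an extra kernel parameter and a different title to emit a second set of menu entries.` would help, together with a line naming what reads `rootmode` at boot. Because the mode is selected only by a kernel command-line token, the comment should also record that the separation between entries presumably depends on the boot menu not being editable at the console. The same documentation gap applies to 14_linux_superadmin (`superroot`) and 16_linux_recovery_mode (`single superroot`).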
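--- a/etc/grub.d/14_linux_superadmin
+++ b/etc/grub.d/14_linux_superadmin
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -e
+
+## required?
+# GRUB_DEVICE="/dev/disk/by-uuid/${GRUB_DEVICE_UUID}"
+# unset GRUB_DEVICE_UUID
+
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX superroot"
+GRUB_DISTRIBUTOR="PERSISTENT mode ADMIN (For software installation.)"
+
+export \
+GRUB_DEVICE \
+GRUB_CMDLINE_LINUX \
+GRUB_DISTRIBUTOR \
+GRUB_DISABLE_RECOVERY \
+GRUB_DISABLE_SUBMENU
+
+if test -x /etc/grub.d/10_linux ; then
+/etc/grub.d/10_linux
+fi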
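Review bot: The title assigned for the `superroot` entry is `PERSISTENT mode ADMIN (For software installation.)`, the same string as in 12_linux_admin, so the two entries are indistinguishable in the menu and a user can boot the more privileged mode while believing it is the admin one. The commit message lists this entry as SUPERADMIN, so the assignment looks like a copy-paste slip and should read `GRUB_DISTRIBUTOR="PERSISTENT mode SUPERADMIN (Be very cautious!)"`.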
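--- a/etc/grub.d/16_linux_recovery_mode
+++ b/etc/grub.d/16_linux_recovery_mode
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -e
+
+## required?
+# GRUB_DEVICE="/dev/disk/by-uuid/${GRUB_DEVICE_UUID}"
+# unset GRUB_DEVICE_UUID
+
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX single superroot"
+GRUB_DISTRIBUTOR="Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)"
+
+export \
+GRUB_DEVICE \
+GRUB_CMDLINE_LINUX \
+GRUB_DISTRIBUTOR \
+GRUB_DISABLE_RECOVERY \
+GRUB_DISABLE_SUBMENU
+
+if test -x /etc/grub.d/10_linux ; then
+/etc/grub.d/10_linux
+fi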
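--- a/usr/lib/apparmor-profile-everything/grub-cfg
+++ b/usr/lib/apparmor-profile-everything/grub-cfg
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -x
+
+shopt -s nullglob
+
+## Find out variable GRUB_DISTRIBUTOR.
+for config_file in /etc/default/grub /etc/default/grub.d/*.cfg ; do
+if test -f "$config_file" ; then
+source "$config_file"
+fi
+done
+
+for file_name in /boot/vmlinuz-* ; do
+## example file_name:
+## /boot/vmlinuz-4.19.0-6-amd64
+base_name="${file_name##*/}"
+## example base_name:
+## vmlinuz-4.19.0-6-amd64
+search="vmlinuz-"
+replace=""
+version="$(echo "$base_name" | str_replace "$search" "$replace")"
+## example version:
+## 4.19.0-6-amd64"
+## Stop after first file.
+unset search
+unset replace
+break
+done
+
+if [ "$version" = "" ]; then
+echo "$0: version is empty."
+echo "$0: Running 'ls -la /boot/vmlinuz-*'..."
+ls -la /boot/vmlinuz-*
+exit 0
+fi
+
+file_replace="/boot/grub/grub.cfg"
+
+if ! test -w "$file_replace" ; then
+exit 0
+fi
+
+search=" GNU/Linux"
+replace=""
+str_replace "$search" "$replace" "$file_replace" &>/dev/null || echo "$0: failed"
+
+search=", with Linux $version"
+## example search: ', with Linux 4.19.0-6-amd64'
+replace=""
+str_replace "$search" "$replace" "$file_replace" &>/dev/null || echo "$0: failed"
+
+search="menuentry '$GRUB_DISTRIBUTOR'"
+## example search:
+replace="menuentry 'PERSISTENT mode USER (For daily activities.)'"
+
+str_replace "$search" "$replace" "$file_replace" &>/dev/null || echo "$0: failed"
+
+search="menuentry '$GRUB_DISTRIBUTOR (recovery mode)'"
+## example search:
+replace="menuentry 'Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'"
+
+str_replace "$search" "$replace" "$file_replace" &>/dev/null || echo "$0: failed"
+
+exit 0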
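Review bot: Every `str_replace` call edits `/boot/grub/grub.cfg` in place as root with its output sent to `/dev/null`, and the script exits 0 whatever happens, so a failed or partial rewrite of the boot configuration is reported only as `failed` with no cause and nothing checks the result. Editing a copy, validating it, and moving it into place only on success would keep a bad edit away from the live file; the sketch below assumes `str_replace` takes the file as its third argument, as it does in the calls here. `set -x` at the top also looks like leftover debugging, since as a dpkg Post-Invoke hook it would trace every command on each package operation. Separately, `version` comes from the first `/boot/vmlinuz-*` match only, so entries for any other installed kernel would keep their `, with Linux …` suffix and not get the intended titles.

```bash
file_replace="/boot/grub/grub.cfg"
tmp_file="$(mktemp "${file_replace}.XXXXXX")" || exit 0
## -p keeps the mode and ownership of the original on the working copy.
cp -p -- "$file_replace" "$tmp_file" || { rm -f -- "$tmp_file"; exit 0; }

# … unchanged: the four search/replace pairs, run against "$tmp_file" with stderr left visible …

if grub-script-check "$tmp_file" ; then
  mv -- "$tmp_file" "$file_replace"
else
  echo "$0: edited grub.cfg failed validation, original left untouched" >&2
  rm -f -- "$tmp_file"
fi
```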
