From b3817cde78f057e8e974961211006bb97cef42a9 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 13 Dec 2019 12:44:49 -0500
Subject: [PATCH] implement grub default boot menu entries: PERSISTENT mode USER (For daily activities.) LIVE mode USER (For daily activities.) PERSISTENT mode ADMIN (For software installation.) PERSISTENT mode SUPERADMIN (Be very cautious!) Recovery PERSISTENT mode SUPERADMIN (Be very cautious!) https://forums.whonix.org/t/multiple-boot-modes-for-better-security-persistent-root-persistent-noroot-live-root-live-noroot/7708/32
---
 .../apt.conf.d/50apparmor-profile-everything | 4 ++
 .../45_apparmor-profile-everything.conf | 10 +++
 etc/grub.d/12_linux_admin | 24 +++++++
 etc/grub.d/14_linux_superadmin | 24 +++++++
 etc/grub.d/16_linux_recovery_mode | 24 +++++++
 usr/lib/apparmor-profile-everything/grub-cfg | 65 +++++++++++++++++++
 6 files changed, 151 insertions(+)
 create mode 100644 etc/apt/apt.conf.d/50apparmor-profile-everything
 create mode 100644 etc/default/grub.d/45_apparmor-profile-everything.conf
 create mode 100755 etc/grub.d/12_linux_admin
 create mode 100755 etc/grub.d/14_linux_superadmin
 create mode 100755 etc/grub.d/16_linux_recovery_mode
 create mode 100755 usr/lib/apparmor-profile-everything/grub-cfg
diff --git a/etc/apt/apt.conf.d/50apparmor-profile-everything b/etc/apt/apt.conf.d/50apparmor-profile-everything
new file mode 100644
index 0000000..1f126cc
--- /dev/null
+++ b/etc/apt/apt.conf.d/50apparmor-profile-everything
@@ -0,0 +1,4 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+DPkg::Post-Invoke {"/usr/lib/apparmor-profile-everything/grub-cfg";};
diff --git a/etc/default/grub.d/45_apparmor-profile-everything.conf b/etc/default/grub.d/45_apparmor-profile-everything.conf
new file mode 100644
index 0000000..232311c
--- /dev/null
+++ b/etc/default/grub.d/45_apparmor-profile-everything.conf
@@ -0,0 +1,10 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Disable the submenu to get rid of "Advanced options for" since that would
+## be too many default grub menu entries.
+GRUB_DISABLE_SUBMENU="y"
+
+## We disable it here and then create our own menu entry so these it can be the
+## last grub boot menu entry.
+GRUB_DISABLE_RECOVERY="true"
diff --git a/etc/grub.d/12_linux_admin b/etc/grub.d/12_linux_admin
new file mode 100755
index 0000000..6fecf70
--- /dev/null
+++ b/etc/grub.d/12_linux_admin
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+set -e
+
+## required?
+# GRUB_DEVICE="/dev/disk/by-uuid/${GRUB_DEVICE_UUID}"
+# unset GRUB_DEVICE_UUID
+
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rootmode"
+GRUB_DISTRIBUTOR="PERSISTENT mode ADMIN (For software installation.)"
+
+export \
+ GRUB_DEVICE \
+ GRUB_CMDLINE_LINUX \
+ GRUB_DISTRIBUTOR \
+ GRUB_DISABLE_RECOVERY \
+ GRUB_DISABLE_SUBMENU
+
+if test -x /etc/grub.d/10_linux ; then
+ /etc/grub.d/10_linux
+fi
diff --git a/etc/grub.d/14_linux_superadmin b/etc/grub.d/14_linux_superadmin
new file mode 100755
index 0000000..2d1a655
--- /dev/null
+++ b/etc/grub.d/14_linux_superadmin
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+set -e
+
+## required?
+# GRUB_DEVICE="/dev/disk/by-uuid/${GRUB_DEVICE_UUID}"
+# unset GRUB_DEVICE_UUID
+
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX superroot"
+GRUB_DISTRIBUTOR="PERSISTENT mode ADMIN (For software installation.)"
+
+export \
+ GRUB_DEVICE \
+ GRUB_CMDLINE_LINUX \
+ GRUB_DISTRIBUTOR \
+ GRUB_DISABLE_RECOVERY \
+ GRUB_DISABLE_SUBMENU
+
+if test -x /etc/grub.d/10_linux ; then
+ /etc/grub.d/10_linux
+fi
diff --git a/etc/grub.d/16_linux_recovery_mode b/etc/grub.d/16_linux_recovery_mode
new file mode 100755
index 0000000..268b2fb
--- /dev/null
+++ b/etc/grub.d/16_linux_recovery_mode
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+set -e
+
+## required?
+# GRUB_DEVICE="/dev/disk/by-uuid/${GRUB_DEVICE_UUID}"
+# unset GRUB_DEVICE_UUID
+
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX single superroot"
+GRUB_DISTRIBUTOR="Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)"
+
+export \
+ GRUB_DEVICE \
+ GRUB_CMDLINE_LINUX \
+ GRUB_DISTRIBUTOR \
+ GRUB_DISABLE_RECOVERY \
+ GRUB_DISABLE_SUBMENU
+
+if test -x /etc/grub.d/10_linux ; then
+ /etc/grub.d/10_linux
+fi
diff --git a/usr/lib/apparmor-profile-everything/grub-cfg b/usr/lib/apparmor-profile-everything/grub-cfg
new file mode 100755
index 0000000..a3aa13e
--- /dev/null
+++ b/usr/lib/apparmor-profile-everything/grub-cfg
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -x
+
+shopt -s nullglob
+
+## Find out variable GRUB_DISTRIBUTOR.
+for config_file in /etc/default/grub /etc/default/grub.d/*.cfg ; do
+ if test -f "$config_file" ; then
+ source "$config_file"
+ fi
+done
+
+for file_name in /boot/vmlinuz-* ; do
+ ## example file_name:
+ ## /boot/vmlinuz-4.19.0-6-amd64
+ base_name="${file_name##*/}"
+ ## example base_name:
+ ## vmlinuz-4.19.0-6-amd64
+ search="vmlinuz-"
+ replace=""
+ version="$(echo "$base_name" | str_replace "$search" "$replace")"
+ ## example version:
+ ## 4.19.0-6-amd64"
+ ## Stop after first file.
+ unset search
+ unset replace
+ break
+done
+
+if [ "$version" = "" ]; then
+ echo "$0: version is empty."
+ echo "$0: Running 'ls -la /boot/vmlinuz-*'..."
+ ls -la /boot/vmlinuz-*
+ exit 0
+fi
+
+file_replace="/boot/grub/grub.cfg"
+
+if ! test -w "$file_replace" ; then
+ exit 0
+fi
+
+search=" GNU/Linux"
+replace=""
+str_replace "$search" "$replace" "$file_replace" &>/dev/null || echo "$0: failed"
+
+search=", with Linux $version"
+## example search: ', with Linux 4.19.0-6-amd64'
+replace=""
+str_replace "$search" "$replace" "$file_replace" &>/dev/null || echo "$0: failed"
+
+search="menuentry '$GRUB_DISTRIBUTOR'"
+## example search:
+replace="menuentry 'PERSISTENT mode USER (For daily activities.)'"
+
+str_replace "$search" "$replace" "$file_replace" &>/dev/null || echo "$0: failed"
+
+search="menuentry '$GRUB_DISTRIBUTOR (recovery mode)'"
+## example search:
+replace="menuentry 'Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'"
+
+str_replace "$search" "$replace" "$file_replace" &>/dev/null || echo "$0: failed"
+
+exit 0
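Review bot: The Post-Invoke hook calls `/usr/lib/apparmor-profile-everything/grub-cfg` unconditionally, so once the package is removed but not purged (the apt.conf.d conffile stays behind) apt reports a failed hook on every dpkg run. The usual Debian form guards on the executable: `DPkg::Post-Invoke {"if [ -x /usr/lib/apparmor-profile-everything/grub-cfg ]; then /usr/lib/apparmor-profile-everything/grub-cfg; fi";};`. The hook also fires after every dpkg invocation rather than only kernel or grub updates; if that is intended, a one-line comment saying why (any package's postinst may regenerate grub.cfg) would spare the next reader the question.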
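Review bot: The drop-in is named `45_apparmor-profile-everything.conf`, but the grub-cfg script added in this same commit only sources `/etc/default/grub.d/*.cfg`, and as far as I know Debian's grub-mkconfig uses the same `*.cfg` glob, so `GRUB_DISABLE_SUBMENU` and `GRUB_DISABLE_RECOVERY` would never be read and the submenu and stock recovery entries would still be generated. Renaming the file to `45_apparmor-profile-everything.cfg` should fix that; please confirm against the installed grub-mkconfig. The second comment also has a typo: `## We disable it here and then create our own menu entry so it can be the`.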
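Review bot: 12_linux_admin, 14_linux_superadmin and 16_linux_recovery_mode are the same 24 lines apart from the `GRUB_CMDLINE_LINUX` suffix and the `GRUB_DISTRIBUTOR` title, so any later fix has to be made three times and the copies can drift (14_linux_superadmin already carries the wrong title). One shared script under /usr/lib taking the suffix and title as arguments, with the three /etc/grub.d files reduced to one-line wrappers, would keep them in step. The `## required?` block with the commented-out `GRUB_DEVICE` assignment is an open question committed as code; it should either be resolved or replaced by a comment recording what was observed when it was left out, e.g. `## GRUB_DEVICE is exported as-is from grub-mkconfig; 10_linux worked without re-deriving it from GRUB_DEVICE_UUID.`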
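Review bot: `GRUB_DISTRIBUTOR` in 14_linux_superadmin is still the ADMIN title while the kernel line gets `superroot`, so the menu shows a second entry labeled `PERSISTENT mode ADMIN (For software installation.)` that actually boots in superroot mode, and the `PERSISTENT mode SUPERADMIN (Be very cautious!)` entry promised in the commit message never appears. The line should read `GRUB_DISTRIBUTOR="PERSISTENT mode SUPERADMIN (Be very cautious!)"`. Users pick a privilege level by the menu text, so a mislabeled entry defeats the purpose of separating the modes.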
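Review bot: The file name `16_linux_recovery_mode` sorts before `20_linux_xen`, `30_os-prober` and `40_custom`, so this entry is only last among the 1x_linux scripts, not the last boot menu entry as the comment in 45_apparmor-profile-everything.conf says it should be; if other /etc/grub.d scripts are present and emit entries, a prefix above 41_custom is needed. The kernel line also hard-codes `single`, whereas 10_linux's own recovery entry uses `GRUB_CMDLINE_LINUX_RECOVERY` (exported by grub-mkconfig, I believe), so an admin's recovery settings from /etc/default/grub are ignored here; `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ${GRUB_CMDLINE_LINUX_RECOVERY:-single} superroot"` would honor them while keeping `single` as the fallback.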
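Review bot: Only the first `/boot/vmlinuz-*` is used (the loop `break`s after one file), but with `GRUB_DISABLE_SUBMENU=y` 10_linux titles every kernel's entry `<OS>, with Linux <version>` as far as I recall, so on a system with two installed kernels the second kernel's entries keep their suffix and the two `menuentry '...'` replacements at the end never match them. I would drop the single-version `search`/`replace` pair and strip the suffix once per installed kernel, as below, keeping the first loop only as an existence check. Two smaller points: with `shopt -s nullglob` and no kernel present, `ls -la /boot/vmlinuz-*` expands to a bare `ls -la` of the current directory, so the diagnostic should be `ls -la /boot/`; and `set -x` in a script run from a DPkg::Post-Invoke hook traces every apt run to stderr, which I would leave off by default. `version="${base_name#vmlinuz-}"` also replaces the `echo | str_replace` pipeline without needing the external helper.
```bash
search=" GNU/Linux"
replace=""
str_replace "$search" "$replace" "$file_replace" &>/dev/null || echo "$0: failed"

## Strip the ", with Linux <version>" suffix for every installed kernel,
## not only the first one found, so the menuentry replacements below match
## all generated entries.
for file_name in /boot/vmlinuz-* ; do
  version="${file_name##*/vmlinuz-}"
  search=", with Linux $version"
  ## example search: ', with Linux 4.19.0-6-amd64'
  str_replace "$search" "$replace" "$file_replace" &>/dev/null || echo "$0: failed"
done

## … unchanged: menuentry title replacements and exit 0 …
```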