fix(grub2): disable os-prober by default #17741
Open
vinceaperri wants to merge 1 commit into
Contributor
Pull request overview
Restore upstream GRUB behavior around os-prober by re-disabling it by default (secure default) and re-applying an upstream doc/message typo fix, without disturbing Fedora’s existing 382-patch series ordering (by appending trailing “revert of revert” patches).
Changes:
- Add three trailing patch files (0383–0385) that revert Fedora’s downstream reverts of upstream os-prober work.
- Update the `grub2` component overlays to stage the new patch files and append Patch0383/Patch0384/Patch0385 entries to `grub.patches`.
- Refresh the `locks/grub2.lock` input fingerprint to reflect the component input changes.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| locks/grub2.lock | Updates lock input fingerprint after component overlay changes. |
| base/comps/grub2/grub2.comp.toml | Adds overlays to stage new patch files and extend the grub.patches patch series. |
| base/comps/grub2/0383-Revert-Revert-templates-Disable-the-os-prober-by-default.patch | Re-applies upstream docs + 30_os-prober gating behavior as a trailing patch. |
| base/comps/grub2/0384-Revert-Revert-templates-Properly-disable-the-os-prober-by-d.patch | Restores GRUB_DISABLE_OS_PROBER="true" default and related logic as a trailing patch. |
| base/comps/grub2/0385-Revert-Revert-templates-Fix-user-facing-typo-with-an.patch | Restores the “Its output” warning message typo fix as a trailing patch. |
Azure Linux's grub2 is sourced from Fedora dist-git and customized via
azldev comp.toml overlays. Fedora ships three downstream reverts
(Patch0001, Patch0002, Patch0003) that undo upstream GRUB's os-prober
work: they re-enable os-prober by default and re-introduce a user-facing
typo. Automatic, silent execution of os-prober (and creating boot
entries from its output) is a known attack vector, so restore upstream's
secure, correct behaviour.
Append three trailing patches to the grub.patches series, each an exact
git revert of the corresponding Fedora revert:
Patch0383 reverts Fedora Patch0003 -> os-prober disabled by default (30_os-prober gated on "xtrue")
Patch0384 reverts Fedora Patch0002 -> restores GRUB_DISABLE_OS_PROBER="true" in grub-mkconfig
Patch0385 reverts Fedora Patch0001 -> restores the correct possessive "Its output" in the os-prober warning message
Appending at the end (rather than dropping the Fedora reverts) keeps the
context of all 382 prior patches intact, avoiding the apply failure that
caused the previous attempt (#17375) to be reverted by f526821.
grub2's patch series lives in the %include'd grub.patches file, so the
patches are staged with file-add overlays and their Patch0383/0384/0385
entries appended to grub.patches via file-search-replace.
Summary
Restore upstream GRUB's secure, correct os-prober behaviour. The two key changes:
- `os-prober` (and creating boot entries from its output) is a known attack vector, so it must not run unless an admin explicitly opts in.
- Typo fix (`It's output` → `Its output`) in the os-prober warning message.
Fedora ships three downstream reverts — `Patch0001`, `Patch0002`, and `Patch0003` — that undo upstream's os-prober work (re-enabling it by default and re-introducing the typo). This change re-applies the upstream behaviour.
Approach
Rather than dropping the Fedora reverts (which shifts patch line numbers and breaks the context of later patches in the 382-patch series — exactly the failure that caused the previous attempt, #17375, to be reverted by f526821), this PR appends three trailing patches that are exact `git revert`s of the Fedora reverts:
| New patch | Reverts Fedora patch | Restores |
|---|---|---|
| Patch0383 | Patch0003 (Revert "templates: Disable the os-prober by default") | `30_os-prober` gate (`xtrue`) |
| Patch0384 | Patch0002 (Revert "templates: Properly disable the os-prober by default") | `GRUB_DISABLE_OS_PROBER="true"` default in `grub-mkconfig` |
| Patch0385 | Patch0001 (Revert "templates: Fix user-facing typo with an incorrect use of "it's"") | `Its output` in the os-prober warning |
Implemented as overlays in `base/comps/grub2/grub2.comp.toml` (three `file-add` + one `file-search-replace` appending `Patch0383`/`Patch0384`/`Patch0385` to the end of `grub.patches`). Because they apply last, all 382 prior patches keep their context and the build does not break.
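The commit message and the description above both rest on two mechanisms: a `GRUB_DISABLE_OS_PROBER` default set inside `grub-mkconfig`, which the admin's `/etc/default/grub` may override, and the `30_os-prober` script exiting early when the variable compares equal to the string `xtrue`. The shell script below is an added example, not code from this PR, from Azure Linux, or from GRUB itself; it models that decision over constructed config files so the difference between the restored upstream default (`true`) and the Fedora-reverted default (unset) can be seen side by side. The ordering (default assigned first, config file read afterwards) is an assumption taken from the PR's description, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not code from the PR, Azure Linux or GRUB): model how the
# GRUB_DISABLE_OS_PROBER default in grub-mkconfig and the "xtrue" gate in
# 30_os-prober combine to decide whether os-prober runs at all.
# Assumption: grub-mkconfig assigns its default before it reads the admin's
# /etc/default/grub, so a value in that file overrides the default.

# Print the last GRUB_DISABLE_OS_PROBER value assigned in a config file,
# with surrounding quotes stripped; prints nothing when the key is absent.
grub_setting() {
    [ -f "$1" ] || return 0
    sed -n 's/^GRUB_DISABLE_OS_PROBER=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# $1 = the default grub-mkconfig ships ("true" upstream and after this PR,
#      empty string for the Fedora-reverted behaviour)
# $2 = path to a /etc/default/grub style file (may be missing)
# Prints "skip" when os-prober would not run, "run" otherwise.
os_prober_decision() {
    mkconfig_default=$1
    config_file=$2
    if [ -f "$config_file" ] && grep -q '^GRUB_DISABLE_OS_PROBER=' "$config_file"; then
        GRUB_DISABLE_OS_PROBER=$(grub_setting "$config_file")   # admin override
    else
        GRUB_DISABLE_OS_PROBER=$mkconfig_default                 # shipped default
    fi
    # The gate 30_os-prober applies; the PR restores this "xtrue" comparison.
    if [ "x${GRUB_DISABLE_OS_PROBER}" = "xtrue" ]; then
        echo skip
    else
        echo run
    fi
}

# Walk through the three admin states with constructed config files.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/untouched"                                      # never edited
    printf 'GRUB_DISABLE_OS_PROBER="false"\n' > "$tmp/opt_in"  # explicit opt-in
    printf 'GRUB_DISABLE_OS_PROBER=true\n' > "$tmp/opt_out"    # explicit opt-out
    for cfg in untouched opt_in opt_out; do
        printf '%-10s upstream default: %-4s  Fedora-reverted default: %s\n' \
            "$cfg" \
            "$(os_prober_decision true "$tmp/$cfg")" \
            "$(os_prober_decision '' "$tmp/$cfg")"
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to print the matrix: an untouched config gives `skip` under the restored default and `run` under the Fedora-reverted one, which is exactly the silent execution the change removes; an explicit `false` opts in under both, and an explicit `true` opts out under both. The same check on a built image reduces to looking for a `GRUB_DISABLE_OS_PROBER=` line in `/etc/default/grub` and confirming that no entries from `30_os-prober` appear in the generated configuration unless that line says `false`.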