Commit ba1d39f1 authored by Lorenzo "Palinuro" Faletra's avatar Lorenzo "Palinuro" Faletra

Import Debian changes 2.04-8parrot1

grub2 (2.04-8parrot1) rolling; urgency=medium

  * Import new Debian release.
  * Migrate Parrot patches.

grub2 (2.04-8) unstable; urgency=medium

  [ Vincent Lefevre ]
  * Fix typos in /etc/grub.d/05_debian_theme. Closes: #959484

  [ Fabian Greffrath ]
  * Change font dependency to fonts-dejavu-core. Closes: #912846

  [ Colin Watson ]
  * Cherry-pick from upstream:
    - templates/20_linux_xen: Ignore xenpolicy and config files too.
    - templates/20_linux_xen: Support Xen Security Modules (XSM/FLASK).

  [ Ian Jackson ]
  * 20_linux_xen: Do not load XSM policy in non-XSM options (closes:
    #961673).
parent 8486af70
Pipeline #574 failed with stages
in 11 minutes and 18 seconds
# see git-dpm(1) from git-dpm package
71e87f5ac2ffac3705655aecc22f3f872fb603d6
71e87f5ac2ffac3705655aecc22f3f872fb603d6
3017210d8539946c516003270cba7f3de569f2b3
3017210d8539946c516003270cba7f3de569f2b3
578bb115fbd47e1c464696f1f8d6183e5443975d
578bb115fbd47e1c464696f1f8d6183e5443975d
grub2_2.04.orig.tar.xz
......
grub2 (2.04-8parrot1) rolling; urgency=medium
* Import new Debian release.
* igrate Parrot patches.
-- Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org> Sat, 27 Jun 2020 12:19:33 +0200
grub2 (2.04-8) unstable; urgency=medium
[ Vincent Lefevre ]
* Fix typos in /etc/grub.d/05_debian_theme. Closes: #959484
[ Fabian Greffrath ]
* Change font dependency to fonts-dejavu-core. Closes: #912846
[ Colin Watson ]
* Cherry-pick from upstream:
- templates/20_linux_xen: Ignore xenpolicy and config files too.
- templates/20_linux_xen: Support Xen Security Modules (XSM/FLASK).
[ Ian Jackson ]
* 20_linux_xen: Do not load XSM policy in non-XSM options (closes:
#961673).
-- Colin Watson <cjwatson@debian.org> Sun, 07 Jun 2020 10:06:37 +0100
grub2 (2.04-7parrot1) rolling; urgency=medium
* Import new Debian release.
......
......@@ -24,7 +24,7 @@ Build-Depends: debhelper-compat (= 10),
cpio [i386 kopensolaris-i386 amd64 x32],
parted [!hurd-any],
libfuse-dev (>= 2.8.4-1.4) [linux-any kfreebsd-any],
ttf-dejavu-core,
fonts-dejavu-core,
liblzma-dev,
dosfstools [any-i386 any-amd64 any-arm64],
mtools [any-i386 any-amd64 any-arm64],
......
......@@ -37,7 +37,7 @@ set_default_theme(){
if [ -e /usr/share/plymouth/themes/default.grub ]; then
sed "s/^/${1}/" /usr/share/plymouth/themes/default.grub
fi
# For plymouth backward compatiblity. Can be removed
# For plymouth backward compatibility. Can be removed
# after xenial.
if [ -e /lib/plymouth/themes/default.grub ]; then
sed "s/^/${1}/" /lib/plymouth/themes/default.grub
......@@ -95,7 +95,7 @@ set_background_image(){
fi
# Step #5: Check if GRUB can read the background image directly.
# If so, we can remove the cache file (if any). Otherwise the backgound
# If so, we can remove the cache file (if any). Otherwise the background
# image needs to be cached under /boot/grub/.
if is_path_readable_by_grub "${1}"; then
rm --force "${BACKGROUND_CACHE}.jpeg" \
......
From c9434fab26adda59da5d80997ae337e9211a4a39 Mon Sep 17 00:00:00 2001
From: Fabian Greffrath <fabian@greffrath.com>
Date: Tue, 19 May 2020 12:19:26 +0200
Subject: add /u/s/fonts/truetype/dejavu to the DejaVu fonts search paths
Patch-Name: dejavu-font-path.patch
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 883245553..851f61546 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1661,7 +1661,7 @@ fi
if test x"$starfield_excuse" = x; then
for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
- for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/truetype/ttf-dejavu /usr/share/fonts/dejavu /usr/share/fonts/truetype; do
+ for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/truetype/dejavu /usr/share/fonts/truetype/ttf-dejavu /usr/share/fonts/dejavu /usr/share/fonts/truetype; do
if test -f "$dir/DejaVuSans.$ext"; then
DJVU_FONT_SOURCE="$dir/DejaVuSans.$ext"
break 2
......@@ -59,4 +59,8 @@ grub-install-removable-shim.patch
sparc64-fix-bios-boot-partition-support.patch
verifiers-blocklist-fallout.patch
btrfs-raid1c34.patch
dejavu-font-path.patch
xen-ignore-xenpolicy-and-config.patch
xen-support-xsm.patch
xen-no-xsm-policy-in-non-xsm-options.patch
add-failsafe-boot-options.patch
From 300b43f3513e4067abfcb73de191a2cfa75f9957 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Wed, 20 May 2020 13:14:19 +0100
Subject: templates/20_linux_xen: Ignore xenpolicy and config files too
file_is_not_sym() currently only checks for xen-syms. Extend it to
disregard xenpolicy (XSM policy files) and files ending .config (which
are built by the Xen upstream build system in some configurations and
can therefore end up in /boot).
Rename the function accordingly, to file_is_not_xen_garbage().
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Origin: upstream, https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7a9b30143bb9f6fc19b4e1cf8d4d184a49c3c36e
Last-Update: 2020-05-27
Patch-Name: xen-ignore-xenpolicy-and-config.patch
---
util/grub.d/20_linux_xen.in | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
index 81e5f0d7e..30da49d66 100644
--- a/util/grub.d/20_linux_xen.in
+++ b/util/grub.d/20_linux_xen.in
@@ -181,10 +181,14 @@ if [ "x${linux_list}" = "x" ] ; then
exit 0
fi
-file_is_not_sym () {
+file_is_not_xen_garbage () {
case "$1" in
*/xen-syms-*)
return 1;;
+ */xenpolicy-*)
+ return 1;;
+ */*.config)
+ return 1;;
*)
return 0;;
esac
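Review bot: file_is_not_xen_garbage carries no comment saying why each pattern is rejected, so the reasoning exists only in the patch header. A comment above the function would keep it with the code, for example `# Reject files the Xen build leaves in /boot that are not hypervisor images: xen-syms-*, xenpolicy-* (XSM policy), *.config.` The `*/*.config` arm matches on the suffix alone, which is worth stating in that comment because it would also skip any image whose name happens to end in .config.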
@@ -192,7 +196,7 @@ file_is_not_sym () {
xen_list=
for i in /boot/xen*; do
- if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" ; then xen_list="$xen_list $i" ; fi
+ if grub_file_is_not_garbage "$i" && file_is_not_xen_garbage "$i" ; then xen_list="$xen_list $i" ; fi
done
prepare_boot_cache=
boot_device_id=
From 3017210d8539946c516003270cba7f3de569f2b3 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Wed, 27 May 2020 17:00:45 +0100
Subject: 20_linux_xen: Do not load XSM policy in non-XSM options
For complicated reasons, even if you have XSM/FLASK disabled (as is
the default) the Xen build system still builds a policy file and puts
it in /boot.
Even so, we shouldn't be loading this in the usual non-"XSM enabled"
entries. It doesn't do any particular harm but it is quite confusing.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Bug-Debian: https://bugs.debian.org/961673
Last-Update: 2020-05-29
Patch-Name: xen-no-xsm-policy-in-non-xsm-options.patch
---
util/grub.d/20_linux_xen.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
index 7a092b898..cbad5f95a 100644
--- a/util/grub.d/20_linux_xen.in
+++ b/util/grub.d/20_linux_xen.in
@@ -173,7 +173,7 @@ EOF
${module_loader} --nounzip $(echo $initrd_path)
EOF
fi
- if test -n "${xenpolicy}" ; then
+ if ${xsm} && test -n "${xenpolicy}" ; then
message="$(gettext_printf "Loading XSM policy ...")"
sed "s/^/$submenu_indentation/" << EOF
echo '$(echo "$message" | grub_quote)'
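Review bot: The new guard runs the value of `${xsm}` as a command, and an empty or unset value expands to an empty command that returns success, so a call that arrives without the seventh argument would be treated as XSM-enabled. Comparing the string is stricter: `if [ "${xsm}" = true ] && test -n "${xenpolicy}" ; then`; the `if ${xsm} ; then` test added by xen-support-xsm.patch has the same form. The guard also leaves `xenpolicy` holding whatever an earlier XSM pass assigned, since no visible line clears it; an `xenpolicy=` reset at the start of linux_entry_xsm would remove the dependency on this check. The enclosing function starts and ends outside the hunk.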
From 5bb5538be2e2a7325555a7156797f59b5be1f7f6 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Wed, 20 May 2020 13:14:20 +0100
Subject: templates/20_linux_xen: Support Xen Security Modules (XSM/FLASK)
XSM is enabled by adding "flask=enforcing" as a Xen command line
argument, and providing the policy file as a grub module.
We make entries for both with and without XSM. If XSM is not compiled
into Xen, then there are no policy files, so no change to the boot
options.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Origin: upstream, https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a81401ff493958e626e84f802f44434978fa4d4d
Last-Update: 2020-05-27
Patch-Name: xen-support-xsm.patch
---
util/grub.d/20_linux_xen.in | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
index 30da49d66..7a092b898 100644
--- a/util/grub.d/20_linux_xen.in
+++ b/util/grub.d/20_linux_xen.in
@@ -94,6 +94,11 @@ esac
title_correction_code=
linux_entry ()
+{
+ linux_entry_xsm "$@" false
+ linux_entry_xsm "$@" true
+}
+linux_entry_xsm ()
{
os="$1"
version="$2"
@@ -101,6 +106,18 @@ linux_entry ()
type="$4"
args="$5"
xen_args="$6"
+ xsm="$7"
+ # If user wants to enable XSM support, make sure there's
+ # corresponding policy file.
+ if ${xsm} ; then
+ xenpolicy="xenpolicy-$xen_version"
+ if test ! -e "${xen_dirname}/${xenpolicy}" ; then
+ return
+ fi
+ xen_args="$xen_args flask=enforcing"
+ xen_version="$(gettext_printf "%s (XSM enabled)" "$xen_version")"
+ # xen_version is used for messages only; actual file is xen_basename
+ fi
if [ -z "$boot_device_id" ]; then
boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
fi
@@ -154,6 +171,13 @@ EOF
sed "s/^/$submenu_indentation/" << EOF
echo '$(echo "$message" | grub_quote)'
${module_loader} --nounzip $(echo $initrd_path)
+EOF
+ fi
+ if test -n "${xenpolicy}" ; then
+ message="$(gettext_printf "Loading XSM policy ...")"
+ sed "s/^/$submenu_indentation/" << EOF
+ echo '$(echo "$message" | grub_quote)'
+ ${module_loader} ${rel_dirname}/${xenpolicy}
EOF
fi
sed "s/^/$submenu_indentation/" << EOF
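Review bot: The policy file is tested for existence at `${xen_dirname}/${xenpolicy}` but loaded from `${rel_dirname}/${xenpolicy}`, and nothing in these hunks shows that the two variables name the same directory. If `rel_dirname` is derived from the kernel's location rather than the hypervisor's, an entry carrying `flask=enforcing` could reference a policy path that was never checked. The module line should be built from the relative form of `${xen_dirname}`, or the existence test should use the path that is actually emitted. The heredoc and the enclosing function continue outside the hunk.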