From 4288e10554f854d6dd9be092ddbf6a62686b1549 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 22 Oct 2023 13:25:31 -0400
Subject: [PATCH] fix, rework remount-secure kernel parameters parsing
---
 etc/default/grub.d/40_remmount-secure.cfg | 2 +-
 .../modules.d/20remount-secure/remount-secure.sh | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remmount-secure.cfg
index 29d8718..b012d6d 100644
--- a/etc/default/grub.d/40_remmount-secure.cfg
+++ b/etc/default/grub.d/40_remmount-secure.cfg
@@ -7,4 +7,4 @@
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1"
 ## Re-mount with nodev, nosuid, noexec.
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountnoexec=1"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=noexec"
diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh
index 57fbf9c..396ce92 100755
--- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh
+++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh
@@ -7,10 +7,12 @@
 ## options based on kernel command line parameters.
 remount_hook() {
- local remount_action
- remount_action=$(getarg remountsecure)
+ local remountsecure_action
+ ## getarg returns the last parameter only.
+ ## if /proc/cmdline contains 'remountsecure=0 remountsecure=1 remountsecure=noexec' the last one wins.
+ remountsecure_action=$(getarg remountsecure)
- if getargbool 1 remountnoexec; then
+ if [ "$remountsecure_action" = "1" ]; then
 if ! remount-secure --remountnoexec ; then
 warn "'remount-secure --remountnoexec' failed."
 return 1
@@ -19,7 +21,7 @@ remount_hook() {
 return 0
 fi
- if getargbool 1 remountsecure; then
+ if [ "$remountsecure_action" = "noexec" ]; then
 if ! remount-secure ; then
 warn "'remount-secure' failed."
 return 1
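Review bot: The example in 40_remmount-secure.cfg switches to `remountsecure=noexec` without saying that the old spelling stops working. The script hunks of this commit remove the `getargbool 1 remountnoexec` test, so a kernel command line that still carries `remountnoexec=1` would apparently no longer request the noexec remount, and nothing visible warns about it. A one-line comment above the example would make the migration explicit, for instance `## 'remountnoexec=1' is no longer recognized, use 'remountsecure=noexec' instead.`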
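Review bot: The two value tests in remount-secure.sh look swapped: the `= "1"` branch in the `@@ -7,10 +7,12 @@` hunk calls `remount-secure --remountnoexec`, while the `= "noexec"` branch in the `@@ -19,7 +21,7 @@` hunk calls plain `remount-secure`. The grub.d example in the same commit documents `remountsecure=noexec` as the nodev, nosuid, noexec mode, so a system booted with that value would apparently get the remount without noexec, and one booted with `remountsecure=1` would get the stricter mode it did not ask for. Exchange the tests, putting `if [ "$remountsecure_action" = "noexec" ]; then` ahead of the `--remountnoexec` call and `if [ "$remountsecure_action" = "1" ]; then` ahead of the plain call. remount_hook continues past both hunks, so this reading rests on the visible lines only.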
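Review bot: In the `@@ -19,7 +21,7 @@` hunk of remount-secure.sh, exact string tests now stand where `getargbool` was used, so any value other than `1` or `noexec` matches neither visible branch. A typo such as `remountsecure=noexce` would then leave the mounts unhardened with no message, unless code after the hunk catches it. For a hardening switch an unrecognized non-empty value deserves a `warn`, for example `case "$remountsecure_action" in ""|0|1|noexec) ;; *) warn "remountsecure: unrecognized value '$remountsecure_action'." ;; esac` placed before the comparisons. remount_hook ends outside the hunk, so a catch-all may already exist further down.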