mxgrub/mxgrub: Restrict editing and command line prompt

Remove `--unrestricted` from the Linux boot entries, as that allows to edit the entries. For submenus it allows to enter them, which is what we want. The documentation is unfortunately not very clear about that. [1]: https://www.gnu.org/software/grub/manual/grub/grub.html#Security
mariux64 · Nov 29, 2019 · 361e5f4 · 361e5f4
1 parent 5d425a9
commit 361e5f4
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/mxgrub/mxgrub b/mxgrub/mxgrub
@@ -249,7 +249,7 @@ sub update_grub_cfg {
 
 	for my $label (@MARIUX) {
 		my $image=label_to_image($label);
-		$kernellist.="\tmenuentry \"$label\" --unrestricted { save_env chosen ; linux /boot/$image root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }\n";
+		$kernellist.="\tmenuentry \"$label\" { save_env chosen ; linux /boot/$image root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }\n";
 	}
 
 	my $GRUB_CFG_NEW=<<"EOF";
@@ -266,10 +266,10 @@ insmod all_video
 
 if [ -e /etc/local/USB.usb ]; then
 	set default="mariuxUSB"
-	menuentry "mariuxUSB" --unrestricted { save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=rootusb $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
+	menuentry "mariuxUSB" { save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=rootusb $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
 else
 
-menuentry "$MARIUX_DEFAULT" --unrestricted { set chosen="$submenu>$MARIUX_DEFAULT" ; save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
+menuentry "$MARIUX_DEFAULT" { set chosen="$submenu>$MARIUX_DEFAULT" ; save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
 
 submenu "$submenu" --unrestricted {
 $kernellist