From 361e5f4c3cc3d576aacda4a6b8fab520c0cf0911 Mon Sep 17 00:00:00 2001
From: Paul Menzel <pmenzel@molgen.mpg.de>
Date: Fri, 29 Nov 2019 13:43:22 +0100
Subject: [PATCH] mxgrub/mxgrub: Restrict editing and command line prompt

Remove `--unrestricted` from the Linux boot entries, as that allows to
edit the entries. For submenus it allows to enter them, which is what we
want. The documentation is unfortunately not very clear about that.

[1]: https://www.gnu.org/software/grub/manual/grub/grub.html#Security
---
 mxgrub/mxgrub | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mxgrub/mxgrub b/mxgrub/mxgrub
index 48d579e9..5eda0b5c 100755
--- a/mxgrub/mxgrub
+++ b/mxgrub/mxgrub
@@ -249,7 +249,7 @@ sub update_grub_cfg {
 
 	for my $label (@MARIUX) {
 		my $image=label_to_image($label);
-		$kernellist.="\tmenuentry \"$label\" --unrestricted { save_env chosen ; linux /boot/$image root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }\n";
+		$kernellist.="\tmenuentry \"$label\" { save_env chosen ; linux /boot/$image root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }\n";
 	}
 
 	my $GRUB_CFG_NEW=<<"EOF";
@@ -266,10 +266,10 @@ insmod all_video
 
 if [ -e /etc/local/USB.usb ]; then
 	set default="mariuxUSB"
-	menuentry "mariuxUSB" --unrestricted { save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=rootusb $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
+	menuentry "mariuxUSB" { save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=rootusb $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
 else
 
-menuentry "$MARIUX_DEFAULT" --unrestricted { set chosen="$submenu>$MARIUX_DEFAULT" ; save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
+menuentry "$MARIUX_DEFAULT" { set chosen="$submenu>$MARIUX_DEFAULT" ; save_env chosen ; linux /boot/bzImage.x86_64 root=LABEL=root $KERNEL_PARAMETER ; initrd /boot/grub/initramfs.igz }
 
 submenu "$submenu" --unrestricted {
 $kernellist