From 65dce4045a75e4a8533b51ffb2d47e4dcd9114a1 Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Wed, 10 Jan 2018 16:08:57 +0000
Subject: [PATCH] tasks: auth: Pass --unrestricted to Linux Grub2 entries

The password protection aims to only prevent users from editing the menu entries not from booting the system altogether. Fedora is patching the 10_linux file to use '--unrestricted' so all users can boot the system. As such, we apply a similar patch to the rest of the distros.

Change-Id: I1390a330ea1f0b48e71fdcb548614d5582fffbd4
Link: http://pkgs.fedoraproject.org/cgit/rpms/grub2.git/tree/0109-Don-t-require-a-password-to-boot-entries-generated-b.patch
Link: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html#Authentication-and-authorisation
Closes-Bug: 1735709
---
 tasks/rhel7stig/auth.yml | 29 +++++++++++++++++++----------
 vars/main.yml | 2 ++
 2 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index e048c650..4888b9cf 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -174,19 +174,28 @@
 - always
 - name: Set a GRUB 2 password for single-user/maintenance modes
- blockinfile:
- path: "{{ grub_custom_file }}"
- insertbefore: EOF
- marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
- block: |
- set superusers="root"
- password_pbkdf2 root {{ security_grub_password_hash }}
- state: present
+ block:
+ - blockinfile:
+ path: "{{ grub_custom_file }}"
+ insertbefore: EOF
+ marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
+ block: |
+ set superusers="root"
+ password_pbkdf2 root {{ security_grub_password_hash }}
+ state: present
+ notify:
+ - update grub config
+ - lineinfile:
+ path: "{{ grub_linux_file }}"
+ regexp: '^CLASS=.*'
+ line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"'
+ state: present
+ backrefs: yes
+ notify:
+ - update grub config
 when:
 - grub_custom_file_check.stat.exists | bool
 - security_require_grub_authentication | bool
- notify:
- - update grub config
 tags:
 - auth
 - high
diff --git a/vars/main.yml b/vars/main.yml
index ae7ad8aa..1a0326f3 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -22,6 +22,8 @@
 ## grub custom configuration
 grub_custom_file: /etc/grub.d/40_custom
+## grub main linux configuration
+grub_linux_file: /etc/grub.d/10_linux
 ## auditd configuration
 auditd_config:
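Review bot: The new lineinfile step sets `backrefs: yes` but its `line` contains no backreference, so whatever value `CLASS=` currently holds in `{{ grub_linux_file }}` is replaced wholesale rather than extended, and a distro whose 10_linux carries extra classes on that line would lose them; capturing the existing value keeps them and stays idempotent, e.g. `regexp: '^(CLASS="[^"]*?)( --unrestricted)?"$'` with `line: '\1 --unrestricted"'`. Because backrefs only rewrites a matching line, a 10_linux with no `CLASS=` line is silently left alone and its entries keep requiring the superuser password at boot, which is the fail-closed case but deserves a comment above the task such as `# Only the CLASS line shipped by upstream 10_linux is rewritten; with no match the generated entries stay password-protected`. The file is package-owned, so a grub2 update that ships a new 10_linux will presumably revert the edit until the role runs again. `yes` should be the canonical `true`, and the task name still reads `Set a GRUB 2 password for single-user/maintenance modes` although the block now also marks the generated entries as bootable without the password, which the name or a comment should state; the task's tag list may continue past the hunk.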