
grub2: disable os-prober by default (security) #17740

Closed

vinceaperri wants to merge 1 commit into 4.0 from grub2-disable-os-prober-v2


Conversation

@vinceaperri

Contributor

Summary

Restore upstream GRUB's secure default in which os-prober is disabled by default. Automatic, silent execution of os-prober (and creating boot entries from its output) is a known attack vector, so it must not run unless an admin explicitly opts in.

Azure Linux's grub2 is sourced from Fedora dist-git and customized via azldev comp.toml overlays. Fedora ships two downstream reverts — Patch0002 and Patch0003 — that re-enable os-prober by default. This change re-disables it.

Approach

Rather than dropping the Fedora reverts (which shifts patch line numbers and breaks the context of later patches in the 382-patch series — exactly the failure that caused the previous attempt, #17375, to be reverted by f526821), this PR appends two trailing patches that are exact git reverts of the Fedora reverts:

| Patch | Reverts | Effect |
| --- | --- | --- |
| Patch0383 | Fedora Patch0003 (Revert "templates: Disable the os-prober by default") | Restores secure docs + 30_os-prober gate |
| Patch0384 | Fedora Patch0002 (Revert "templates: Properly disable the os-prober by default") | Restores GRUB_DISABLE_OS_PROBER="true" default in grub-mkconfig |

Implemented as three overlays in base/comps/grub2/grub2.comp.toml (two file-add + one file-search-replace appending Patch0383/Patch0384 to the end of grub.patches). Because they apply last, all 382 prior patches keep their context and the build does not break.

Verification

Built locally with `azldev component build -p grub2 --no-check` (succeeds end-to-end). The resulting grub2-tools RPM was extracted and confirmed:

  • grub2-mkconfig contains `GRUB_DISABLE_OS_PROBER="true"` (the security default)
  • etc/grub.d/30_os-prober is gated on `[ "x${GRUB_DISABLE_OS_PROBER}" = "xtrue" ]` (leading to `exit 0`)

Azure Linux's grub2 is sourced from Fedora dist-git and customized via
azldev comp.toml overlays; the rendered specs/g/grub2 tree is build output,
not build input. Fedora ships two downstream reverts (Patch0002, Patch0003)
that re-enable os-prober by default. Automatic, silent execution of os-prober
is a known attack vector, so restore upstream GRUB's secure default.

Add three overlays to base/comps/grub2/grub2.comp.toml:
  - file-add 0383 (exact git revert of Fedora Patch0003)
  - file-add 0384 (exact git revert of Fedora Patch0002; restores
    GRUB_DISABLE_OS_PROBER="true" in grub-mkconfig)
  - file-search-replace appending Patch0383/Patch0384 to the end of the
    grub.patches series

Appending at the end (rather than dropping the Fedora reverts) keeps the
context of all 382 prior patches intact, avoiding the apply failure that
caused the previous attempt (PR #17375) to be reverted by f526821.

Verified locally: azldev component build -p grub2 --no-check succeeds, and
the built grub2-tools RPM ships grub2-mkconfig with
GRUB_DISABLE_OS_PROBER="true" and 30_os-prober gated on "xtrue".
Copilot AI review requested due to automatic review settings June 16, 2026 18:46
@vinceaperri vinceaperri requested a review from a team as a code owner June 16, 2026 18:46
@github-actions


Hello, and thank you for opening this pull request! 👋🏼 We appreciate the contribution.

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Commits in this repo will typically be prefixed with fix:, feat:, docs:, chore:, refactor:, test:, or ci: to indicate the type of change being proposed. The linked specification has more details.

Details:

Unknown release type "grub2" found in pull request title "grub2: disable os-prober by default (security)".

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

Copilot AI left a comment


Pull request overview

This PR restores upstream GRUB’s secure default by ensuring os-prober is disabled by default in Azure Linux’s Fedora-sourced grub2, while avoiding patch-series renumbering by appending trailing “revert of Fedora revert” patches.

Changes:

  • Adds two new trailing patches (Patch0383/Patch0384) that revert Fedora’s downstream reverts which re-enabled os-prober by default.
  • Updates the grub2 component overlays to stage those patch files and append them to grub.patches.
  • Updates the grub2 lock fingerprint to reflect the component input changes.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| locks/grub2.lock | Updates lock input fingerprint for the modified component inputs. |
| base/comps/grub2/grub2.comp.toml | Adds overlays to stage two new patch files and append Patch0383/0384 to the end of grub.patches. |
| base/comps/grub2/0383-Revert-Revert-templates-Disable-the-os-prober-by-default.patch | New patch re-applying upstream "disable os-prober by default" behavior and related docs text. |
| base/comps/grub2/0384-Revert-Revert-templates-Properly-disable-the-os-prober-by-d.patch | New patch restoring GRUB_DISABLE_OS_PROBER="true" default and gating behavior in 30_os-prober. |

Comment on lines +20 to +24

```toml
# Re-disable os-prober by default (security). The Fedora grub2 package carries
# two downstream reverts -- Patch0002 and Patch0003 -- that re-enable os-prober
# by default. Automatic, silent execution of os-prober is a known attack vector,
# so Azure Linux restores upstream GRUB's secure default. Rather than dropping
# the Fedora reverts (which would shift line numbers and break the context of
```
Comment on lines +49 to +53

```toml
file = "grub.patches"
regex = 'Patch0382: 0382-Set-correctly-the-memory-attributes-for-the-kernel-P\.patch'
replacement = '''Patch0382: 0382-Set-correctly-the-memory-attributes-for-the-kernel-P.patch
Patch0383: 0383-Revert-Revert-templates-Disable-the-os-prober-by-default.patch
Patch0384: 0384-Revert-Revert-templates-Properly-disable-the-os-prober-by-d.patch'''
```
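Review bot: the search-replace at lines +49 to +53 is not idempotent: the regex matches the Patch0382 line wherever it occurs and the replacement re-emits that line followed by Patch0383/Patch0384, so if the overlay were ever applied to a series that already contains the two new entries they would be appended a second time. Anchoring the pattern to a whole line (`^Patch0382: ...\.patch$`) and, if the overlay engine supports it, asserting that `Patch0383:` is absent before replacing would make it safe to re-run; at minimum the rendered grub.patches should be checked for exactly one occurrence of each of the two new lines.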
Comment on lines +34 to +38

```toml
[[components.grub2.overlays]]
description = "Stage os-prober revert patch 0383 (revert of Fedora Patch0003)"
type = "file-add"
file = "0383-Revert-Revert-templates-Disable-the-os-prober-by-default.patch"
source = "0383-Revert-Revert-templates-Disable-the-os-prober-by-default.patch"
```
@github-actions


📄❌ Rendered specs are out of date

FIX: run this and commit the result:

`azldev component render grub2`

Or download the fix patch and apply it:

`gh run download 27640224466 -R microsoft/azurelinux -n rendered-specs-patch`
`git apply rendered-specs.patch`

| Category | Count |
| --- | --- |
| Content diffs | 2 |
| Extra files (untracked) | 2 |
| Missing files (deleted) | 0 |

Content diffs

`specs/g/grub2/grub.patches`
--- committed/specs/g/grub2/grub.patches
+++ rendered/specs/g/grub2/grub.patches
@@ -378,4 +378,6 @@
 Patch0379: 0379-loader-efi-chainloader-Fix-double-free.patch
 Patch0380: 0380-loader-efi-chainloader-Fix-null-pointer-dereference.patch
 Patch0381: 0381-osdep-linux-getroot-Detect-DDF-container-similar-to-.patch
-Patch0382: 0382-Set-correctly-the-memory-attributes-for-the-kernel-P.patch+Patch0382: 0382-Set-correctly-the-memory-attributes-for-the-kernel-P.patch
+Patch0383: 0383-Revert-Revert-templates-Disable-the-os-prober-by-default.patch
+Patch0384: 0384-Revert-Revert-templates-Properly-disable-the-os-prober-by-d.patch
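Review bot: the rendered series puts Patch0383 and Patch0384 immediately after Patch0382, which is what the file-search-replace overlay's replacement text produces, so the ordering itself is right. Since specs/g/grub2 is build output, this rendered grub.patches should be committed from `azldev component render grub2` together with the two patch files listed under "Files to add", not hand-edited, so that the committed spec tree matches what the overlays generate.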
`specs/g/grub2/grub2.spec`
--- committed/specs/g/grub2/grub2.spec
+++ rendered/specs/g/grub2/grub2.spec
@@ -20,7 +20,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.12
-Release: 44%{?dist}
+Release: 45%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPL-3.0-or-later
 URL:		http://www.gnu.org/software/grub/
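Review bot: the Release bump from 44%{?dist} to 45%{?dist} is the expected consequence of changing the patch series, but it exists only in the rendered spec so far; commit it as part of the same render step rather than bumping it by hand, since a hand-edited Release that disagrees with the rendered one is exactly what the rendered-specs check will keep flagging.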

Files to add

These files are produced by azldev component render but are missing from your branch. Add them.

  • specs/g/grub2/0383-Revert-Revert-templates-Disable-the-os-prober-by-default.patch
  • specs/g/grub2/0384-Revert-Revert-templates-Properly-disable-the-os-prober-by-d.patch
