diff options
| author | Kees Cook <kees@ubuntu.com> | 2011-03-23 16:17:13 -0400 |
|---|---|---|
| committer | Leann Ogasawara <leann.ogasawara@canonical.com> | 2011-08-30 13:15:38 -0400 |
| commit | 3d96492308bc7838f66ae3ca21c0e3f9707993f8 (patch) | |
| tree | 67a79ed99044fd5e80b971f306aab0fa2dd19614 /debian | |
| parent | d3e2d3aa270d5ed073de5eb9ed8a8c2681a83254 (diff) | |
UBUNTU: [Config] packaging: adjust perms on vmlinuz as well
Since kernel symbols are resolvable internally to the kernel, the kernel
itself has a map of the symbols. Continuing the tradition of frustrating
off-the-shelf kernel exploits, make vmlinuz unreadable for non-root, just
like has been done for System.map, etc.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/rules.d/2-binary-arch.mk | 4 | ||||
| -rw-r--r-- | debian/scripts/sub-flavour | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk index c31ab14ebb6..9765ef740e9 100644 --- a/debian/rules.d/2-binary-arch.mk +++ b/debian/rules.d/2-binary-arch.mk | |||
| @@ -54,13 +54,13 @@ install-%: $(stampdir)/stamp-build-% checks-% | |||
| 54 | # compress_file logic required because not all architectures | 54 | # compress_file logic required because not all architectures |
| 55 | # generate a zImage automatically out of the box | 55 | # generate a zImage automatically out of the box |
| 56 | ifeq ($(compress_file),) | 56 | ifeq ($(compress_file),) |
| 57 | install -m644 -D $(builddir)/build-$*/$(kernel_file) \ | 57 | install -m600 -D $(builddir)/build-$*/$(kernel_file) \ |
| 58 | $(pkgdir)/boot/$(install_file)-$(abi_release)-$* | 58 | $(pkgdir)/boot/$(install_file)-$(abi_release)-$* |
| 59 | else | 59 | else |
| 60 | install -d $(pkgdir)/boot | 60 | install -d $(pkgdir)/boot |
| 61 | gzip -c9v $(builddir)/build-$*/$(kernel_file) > \ | 61 | gzip -c9v $(builddir)/build-$*/$(kernel_file) > \ |
| 62 | $(pkgdir)/boot/$(install_file)-$(abi_release)-$* | 62 | $(pkgdir)/boot/$(install_file)-$(abi_release)-$* |
| 63 | chmod 644 $(pkgdir)/boot/$(install_file)-$(abi_release)-$* | 63 | chmod 600 $(pkgdir)/boot/$(install_file)-$(abi_release)-$* |
| 64 | endif | 64 | endif |
| 65 | 65 | ||
| 66 | install -m644 $(builddir)/build-$*/.config \ | 66 | install -m644 $(builddir)/build-$*/.config \ |
diff --git a/debian/scripts/sub-flavour b/debian/scripts/sub-flavour index 45456bba924..01004939617 100644 --- a/debian/scripts/sub-flavour +++ b/debian/scripts/sub-flavour | |||
| @@ -11,9 +11,9 @@ from_moddir="debian/$from_pkg/lib/modules/$ABI_RELEASE-$FROM" | |||
| 11 | to_moddir="debian/$to_pkg/lib/modules/$ABI_RELEASE-$FROM" | 11 | to_moddir="debian/$to_pkg/lib/modules/$ABI_RELEASE-$FROM" |
| 12 | 12 | ||
| 13 | install -d "debian/$to_pkg/boot" | 13 | install -d "debian/$to_pkg/boot" |
| 14 | install -m644 debian/$from_pkg/boot/{vmlinuz,config}-$ABI_RELEASE-$FROM \ | 14 | install -m644 debian/$from_pkg/boot/config-$ABI_RELEASE-$FROM \ |
| 15 | debian/$to_pkg/boot/ | 15 | debian/$to_pkg/boot/ |
| 16 | install -m600 debian/$from_pkg/boot/System.map-$ABI_RELEASE-$FROM \ | 16 | install -m600 debian/$from_pkg/boot/{vmlinuz,System.map}-$ABI_RELEASE-$FROM \ |
| 17 | debian/$to_pkg/boot/ | 17 | debian/$to_pkg/boot/ |
| 18 | 18 | ||
| 19 | # | 19 | # |