To complement the 0400 /proc/kallsyms patch, this makes the installed
System.map file mode 0600 so that security vulnerability exploitation
isn't as trivial. This, like kallsyms, does not stop a serious attacker,
since they can always just fetch the package and read the file.
I'm not aware of any non-root consumer of this file, so there should be
no impact. FWIW, my system boots fine with this change.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
$(pkgdir)/boot/config-$(abi_release)-$*
install -m644 $(abidir)/$* \
$(pkgdir)/boot/abi-$(abi_release)-$*
- install -m644 $(builddir)/build-$*/System.map \
+ install -m600 $(builddir)/build-$*/System.map \
$(pkgdir)/boot/System.map-$(abi_release)-$*
ifeq ($(no_dumpfile),)
makedumpfile -g $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$* \