Since kernel symbols are resolvable internally to the kernel, the kernel
itself has a map of the symbols. Continuing the tradition of frustrating
off-the-shelf kernel exploits, make vmlinuz unreadable for non-root, just
as has been done for System.map, etc.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
# compress_file logic required because not all architectures
# generate a zImage automatically out of the box
ifeq ($(compress_file),)
- install -m644 -D $(builddir)/build-$*/$(kernel_file) \
+ install -m600 -D $(builddir)/build-$*/$(kernel_file) \
$(pkgdir)/boot/$(install_file)-$(abi_release)-$*
else
install -d $(pkgdir)/boot
gzip -c9v $(builddir)/build-$*/$(kernel_file) > \
$(pkgdir)/boot/$(install_file)-$(abi_release)-$*
- chmod 644 $(pkgdir)/boot/$(install_file)-$(abi_release)-$*
+ chmod 600 $(pkgdir)/boot/$(install_file)-$(abi_release)-$*
endif
install -m644 $(builddir)/build-$*/.config \
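Review bot: Nothing at the two mode changes records why the image is 0600, so a later cleanup could put 644 back; a comment above the `ifeq` such as `# 0600 like System.map: the image lets non-root users recover kernel symbol addresses` would record it, and the same applies to the `install -m600` line in the script hunk below. In the `else` branch the shell redirect creates the file with the umask-default mode and `chmod 600` restricts it only afterwards; that is harmless in a private staging tree, but the `install -m600` branch has no such window. The rule continues outside the hunk, so it is worth confirming that no later packaging step (a permission-normalising pass, for instance) resets modes under `boot/`. Packages that are already installed keep their 644 image, so the restriction only takes effect for newly built kernels.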
to_moddir="debian/$to_pkg/lib/modules/$ABI_RELEASE-$FROM"
install -d "debian/$to_pkg/boot"
-install -m644 debian/$from_pkg/boot/{vmlinuz,config}-$ABI_RELEASE-$FROM \
+install -m644 debian/$from_pkg/boot/config-$ABI_RELEASE-$FROM \
debian/$to_pkg/boot/
-install -m600 debian/$from_pkg/boot/System.map-$ABI_RELEASE-$FROM \
+install -m600 debian/$from_pkg/boot/{vmlinuz,System.map}-$ABI_RELEASE-$FROM \
debian/$to_pkg/boot/
#
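Review bot: The `{vmlinuz,System.map}` list hard-codes the image name, while the packaging rule installs it as `$(install_file)-$(abi_release)-$*`; if any flavour sets `install_file` to something other than `vmlinuz` (not visible here), this `install -m600` fails on the missing file. The old `{vmlinuz,config}` line had the same problem, but the restricted mode of the copied image now depends on this line, so the name should come from the same setting or the file should be tested for first. The brace expansion also needs bash rather than POSIX sh, so the script's interpreter line, which is outside the hunk, should declare it.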