From patchwork Wed Mar 23 20:17:13 2011
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 88113
Date: Wed, 23 Mar 2011 13:17:13 -0700
From: Kees Cook
To: kernel-team@lists.ubuntu.com
Subject: [PATCH natty] UBUNTU: [Config] packaging: adjust perms on vmlinuz as well
Message-ID: <20110323201713.GD4695@outflux.net>
Organization: Ubuntu
List-Id: Kernel team discussions

Since kernel symbols are resolvable internally to the kernel, the kernel itself has a map of the symbols. Continuing the tradition of frustrating off-the-shelf kernel exploits, make vmlinuz unreadable for non-root, just as has been done for System.map, etc.
Signed-off-by: Kees Cook --- debian/rules.d/2-binary-arch.mk | 4 ++-- debian/scripts/sub-flavour | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk index c31ab14..9765ef7 100644 --- a/debian/rules.d/2-binary-arch.mk +++ b/debian/rules.d/2-binary-arch.mk @@ -54,13 +54,13 @@ install-%: $(stampdir)/stamp-build-% checks-% # compress_file logic required because not all architectures # generate a zImage automatically out of the box ifeq ($(compress_file),) - install -m644 -D $(builddir)/build-$*/$(kernel_file) \ + install -m600 -D $(builddir)/build-$*/$(kernel_file) \ $(pkgdir)/boot/$(install_file)-$(abi_release)-$* else install -d $(pkgdir)/boot gzip -c9v $(builddir)/build-$*/$(kernel_file) > \ $(pkgdir)/boot/$(install_file)-$(abi_release)-$* - chmod 644 $(pkgdir)/boot/$(install_file)-$(abi_release)-$* + chmod 600 $(pkgdir)/boot/$(install_file)-$(abi_release)-$* endif install -m644 $(builddir)/build-$*/.config \ diff --git a/debian/scripts/sub-flavour b/debian/scripts/sub-flavour index 45456bb..0100493 100644 --- a/debian/scripts/sub-flavour +++ b/debian/scripts/sub-flavour @@ -11,9 +11,9 @@ from_moddir="debian/$from_pkg/lib/modules/$ABI_RELEASE-$FROM" to_moddir="debian/$to_pkg/lib/modules/$ABI_RELEASE-$FROM" install -d "debian/$to_pkg/boot" -install -m644 debian/$from_pkg/boot/{vmlinuz,config}-$ABI_RELEASE-$FROM \ +install -m644 debian/$from_pkg/boot/config-$ABI_RELEASE-$FROM \ debian/$to_pkg/boot/ -install -m600 debian/$from_pkg/boot/System.map-$ABI_RELEASE-$FROM \ +install -m600 debian/$from_pkg/boot/{vmlinuz,System.map}-$ABI_RELEASE-$FROM \ debian/$to_pkg/boot/ #
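Review bot: in the 2-binary-arch.mk hunk the `else` branch still creates the compressed image through a shell redirect (`gzip -c9v ... > $(pkgdir)/boot/...`) and only then runs `chmod 600`, so the file briefly exists with the umask-derived mode before being narrowed; the `ifeq` branch sets the mode atomically with `install -m600 -D`. Setting the mode up front in the gzip branch too, for example with `umask 077` at the start of the recipe line or `install -m600 /dev/null $(pkgdir)/boot/$(install_file)-$(abi_release)-$*` before the redirect, makes both branches behave the same and removes the window. Leaving `.config` at `install -m644` is consistent with the commit message, which only names the symbol-bearing files.

Review bot: in the sub-flavour hunk the 0600 mode for vmlinuz and System.map is now hard-coded in two places, this script and 2-binary-arch.mk, with nothing tying them together, so a later change to one can silently leave the other at 644; consider a single variable or a short helper used by both. The `{vmlinuz,System.map}` brace expansion is a bashism (the replaced `{vmlinuz,config}` line already relied on it), so this script must keep a bash interpreter rather than /bin/sh.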
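The patch sets the mode at package build time; on an installed system the same property is worth checking, since anything that later copies or regenerates files under /boot can reintroduce world-readable kernel images. The script below is an added example, not part of the Ubuntu kernel packaging or of the patch: it audits a directory for vmlinuz-* and System.map-* files readable by group or other, and can tighten them to 0600 while leaving config-* alone, mirroring the split the patch makes. It assumes a POSIX shell with `ls`, `cut`, `chmod` and `mktemp -d`; the sample tree it builds is constructed for the demonstration and the file names in it are placeholders.

```shell
#!/bin/sh
# Added example (not Ubuntu packaging code): audit and tighten permissions
# on kernel images and symbol maps in a boot directory.

# check_boot_perms DIR
# Prints every vmlinuz-* / System.map-* in DIR whose group or other
# permission bits are set. Returns 0 if all are 0600 or tighter, 1 otherwise.
check_boot_perms() {
    dir=$1
    bad=0
    for f in "$dir"/vmlinuz-* "$dir"/System.map-*; do
        [ -e "$f" ] || continue            # an unmatched glob stays literal; skip it
        # columns 5-10 of `ls -l` are the group and other bits, e.g. "r--r--"
        perm=$(ls -ld "$f" | cut -c5-10)
        case $perm in
            ------) ;;
            *) printf 'readable by non-root: %s (%s)\n' "$f" "$perm"; bad=1 ;;
        esac
    done
    return $bad
}

# tighten_boot_perms DIR
# chmod 0600 the same set of files (config-* is intentionally left as is,
# matching the patch above). Ownership is not changed.
tighten_boot_perms() {
    dir=$1
    for f in "$dir"/vmlinuz-* "$dir"/System.map-*; do
        [ -e "$f" ] || continue
        chmod 0600 "$f"
    done
}

# make_sample_boot
# Constructed staging tree for a self-contained run: empty stand-in files
# with the modes the unpatched packaging would have produced. Echoes the path.
make_sample_boot() {
    d=$(mktemp -d)
    : > "$d/vmlinuz-0.0.0-0-sample"
    : > "$d/System.map-0.0.0-0-sample"
    : > "$d/config-0.0.0-0-sample"
    chmod 0644 "$d/vmlinuz-0.0.0-0-sample" "$d/config-0.0.0-0-sample"
    chmod 0600 "$d/System.map-0.0.0-0-sample"
    echo "$d"
}

# Stand-alone demonstration on the constructed tree.
demo() {
    d=$(make_sample_boot)
    if check_boot_perms "$d"; then
        echo "sample tree already tight"
    else
        tighten_boot_perms "$d"
        check_boot_perms "$d" && echo "tightened: $d"
    fi
    rm -rf "$d"
}

[ "${1:-}" = "demo" ] && demo
```

On a live system run `check_boot_perms /boot` as any user and, if it reports anything, `tighten_boot_perms /boot` as root. The check reads only the group and other columns of `ls -l`, so it is not fooled by a file that is 0600 but owned by the wrong user; that is a separate question the script does not try to answer.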