Message ID | 20110323201713.GD4695@outflux.net |
---|---|
On 03/23/2011 02:17 PM, Kees Cook wrote:
> Since kernel symbols are resolvable internally to the kernel, the kernel
> itself has a map of the symbols. Continuing the tradition of frustrating
> off-the-shelf kernel exploits, make vmlinuz unreadable for non-root, just
> like has been done for System.map, etc.
>
> Signed-off-by: Kees Cook<kees.cook@canonical.com>
> ---
> debian/rules.d/2-binary-arch.mk | 4 ++--
> debian/scripts/sub-flavour | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index c31ab14..9765ef7 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -54,13 +54,13 @@ install-%: $(stampdir)/stamp-build-% checks-%
> # compress_file logic required because not all architectures
> # generate a zImage automatically out of the box
> ifeq ($(compress_file),)
> - install -m644 -D $(builddir)/build-$*/$(kernel_file) \
> + install -m600 -D $(builddir)/build-$*/$(kernel_file) \
> $(pkgdir)/boot/$(install_file)-$(abi_release)-$*
> else
> install -d $(pkgdir)/boot
> gzip -c9v $(builddir)/build-$*/$(kernel_file)> \
> $(pkgdir)/boot/$(install_file)-$(abi_release)-$*
> - chmod 644 $(pkgdir)/boot/$(install_file)-$(abi_release)-$*
> + chmod 600 $(pkgdir)/boot/$(install_file)-$(abi_release)-$*
> endif
>
> install -m644 $(builddir)/build-$*/.config \
> diff --git a/debian/scripts/sub-flavour b/debian/scripts/sub-flavour
> index 45456bb..0100493 100644
> --- a/debian/scripts/sub-flavour
> +++ b/debian/scripts/sub-flavour
> @@ -11,9 +11,9 @@ from_moddir="debian/$from_pkg/lib/modules/$ABI_RELEASE-$FROM"
> to_moddir="debian/$to_pkg/lib/modules/$ABI_RELEASE-$FROM"
>
> install -d "debian/$to_pkg/boot"
> -install -m644 debian/$from_pkg/boot/{vmlinuz,config}-$ABI_RELEASE-$FROM \
> +install -m644 debian/$from_pkg/boot/config-$ABI_RELEASE-$FROM \
> debian/$to_pkg/boot/
> -install -m600 debian/$from_pkg/boot/System.map-$ABI_RELEASE-$FROM \
> +install -m600 debian/$from_pkg/boot/{vmlinuz,System.map}-$ABI_RELEASE-$FROM \
> debian/$to_pkg/boot/
>
> #

applied
diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index c31ab14..9765ef7 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -54,13 +54,13 @@ install-%: $(stampdir)/stamp-build-% checks-%
 # compress_file logic required because not all architectures
 # generate a zImage automatically out of the box
 ifeq ($(compress_file),)
- install -m644 -D $(builddir)/build-$*/$(kernel_file) \
+ install -m600 -D $(builddir)/build-$*/$(kernel_file) \
 $(pkgdir)/boot/$(install_file)-$(abi_release)-$*
 else
 install -d $(pkgdir)/boot
 gzip -c9v $(builddir)/build-$*/$(kernel_file) > \
 $(pkgdir)/boot/$(install_file)-$(abi_release)-$*
- chmod 644 $(pkgdir)/boot/$(install_file)-$(abi_release)-$*
+ chmod 600 $(pkgdir)/boot/$(install_file)-$(abi_release)-$*
 endif
 
 install -m644 $(builddir)/build-$*/.config \
diff --git a/debian/scripts/sub-flavour b/debian/scripts/sub-flavour
index 45456bb..0100493 100644
--- a/debian/scripts/sub-flavour
+++ b/debian/scripts/sub-flavour
@@ -11,9 +11,9 @@ from_moddir="debian/$from_pkg/lib/modules/$ABI_RELEASE-$FROM"
 to_moddir="debian/$to_pkg/lib/modules/$ABI_RELEASE-$FROM"
 
 install -d "debian/$to_pkg/boot"
-install -m644 debian/$from_pkg/boot/{vmlinuz,config}-$ABI_RELEASE-$FROM \
+install -m644 debian/$from_pkg/boot/config-$ABI_RELEASE-$FROM \
 debian/$to_pkg/boot/
-install -m600 debian/$from_pkg/boot/System.map-$ABI_RELEASE-$FROM \
+install -m600 debian/$from_pkg/boot/{vmlinuz,System.map}-$ABI_RELEASE-$FROM \
 debian/$to_pkg/boot/
 
 #
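Review bot: The 0600 mode now appears twice as a bare number in the 2-binary-arch.mk hunk (`install -m600 -D …` and `chmod 600 …`) while the comment above the `ifeq` explains only the compress_file logic, so the rationale lives solely in the commit message and a later "fix permissions" cleanup could silently revert it. Add a comment above `ifeq ($(compress_file),)`: `# vmlinuz is installed 0600: the image carries the kernel's own symbol table, so keep it root-only like System.map (sub-flavour copies it with the same mode)`. The commit message should also record the trade-off: unprivileged programs that read /boot/vmlinuz-* will now be refused, and the same image presumably stays readable inside the shipped .deb, so this raises the bar for opportunistic local reads rather than keeping the symbols secret. The enclosing `install-%` recipe starts before and ends after the hunk.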
Since kernel symbols are resolvable internally to the kernel, the kernel itself has a map of the symbols. Continuing the tradition of frustrating off-the-shelf kernel exploits, make vmlinuz unreadable for non-root, just like has been done for System.map, etc. Signed-off-by: Kees Cook <kees.cook@canonical.com> --- debian/rules.d/2-binary-arch.mk | 4 ++-- debian/scripts/sub-flavour | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)