
packaging: really make System.map mode 0600

Message ID 20110131214313.GG4557@outflux.net
State Accepted
Delegated to: Tim Gardner

Commit Message

Kees Cook Jan. 31, 2011, 9:43 p.m. UTC
799f11e9c88770eb1017a297c1a456013a80f324 tried to make System.map mode
0600. It turns out that dh_fixperms undoes that change. This patch fixes
this up, corrects perms for sub-flavors, and adds vmcoreinfo to the mode
0600 list.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
---
 debian/rules.d/2-binary-arch.mk |    6 ++++--
 debian/scripts/sub-flavour      |    4 +++-
 2 files changed, 7 insertions(+), 3 deletions(-)

Comments

Brad Figg Jan. 31, 2011, 10:08 p.m. UTC | #1
On 01/31/2011 01:43 PM, Kees Cook wrote:
> 799f11e9c88770eb1017a297c1a456013a80f324 tried to make System.map mode
> 0600. It turns out that dh_fixperms undoes that change. This patch fixes
> this up, corrects perms for sub-flavors, and adds vmcoreinfo to the mode
> 0600 list.
>
> Signed-off-by: Kees Cook<kees.cook@canonical.com>
> ---
>   debian/rules.d/2-binary-arch.mk |    6 ++++--
>   debian/scripts/sub-flavour      |    4 +++-
>   2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index c289d11..c31ab14 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -72,6 +72,7 @@ endif
>   ifeq ($(no_dumpfile),)
>   	makedumpfile -g $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$* \
>   		-x $(builddir)/build-$*/vmlinux
> +	chmod 0600 $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$*
>   endif
>
>   	$(build_cd) $(kmake) $(build_O) modules_install \
> @@ -92,6 +93,7 @@ endif
>   ifeq ($(no_dumpfile),)
>   	makedumpfile -g $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$* \
>   		-x $(builddir)/build-$*/vmlinux
> +	chmod 0600 $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$*
>   endif
>   	rm -f $(pkgdir)/lib/modules/$(abi_release)-$*/build
>   	rm -f $(pkgdir)/lib/modules/$(abi_release)-$*/source
> @@ -275,7 +277,7 @@ binary-%: install-%
>   	dh_installchangelogs -p$(pkgimg)
>   	dh_installdocs -p$(pkgimg)
>   	dh_compress -p$(pkgimg)
> -	dh_fixperms -p$(pkgimg)
> +	dh_fixperms -p$(pkgimg) -X/boot/
>   	dh_installdeb -p$(pkgimg)
>   	dh_shlibdeps -p$(pkgimg)
>   	dh_gencontrol -p$(pkgimg)
> @@ -298,7 +300,7 @@ ifneq ($(skipsub),true)
>   		dh_installchangelogs -p$$pkg;		\
>   		dh_installdocs -p$$pkg;			\
>   		dh_compress -p$$pkg;			\
> -		dh_fixperms -p$$pkg;			\
> +		dh_fixperms -p$$pkg -X/boot/;		\
>   		dh_shlibdeps -p$$pkg;			\
>   		dh_installdeb -p$$pkg;			\
>   		dh_gencontrol -p$$pkg;			\
> diff --git a/debian/scripts/sub-flavour b/debian/scripts/sub-flavour
> index c0093a6..45456bb 100644
> --- a/debian/scripts/sub-flavour
> +++ b/debian/scripts/sub-flavour
> @@ -11,7 +11,9 @@ from_moddir="debian/$from_pkg/lib/modules/$ABI_RELEASE-$FROM"
>   to_moddir="debian/$to_pkg/lib/modules/$ABI_RELEASE-$FROM"
>
>   install -d "debian/$to_pkg/boot"
> -install -m644 debian/$from_pkg/boot/{vmlinuz,System.map,config}-$ABI_RELEASE-$FROM \
> +install -m644 debian/$from_pkg/boot/{vmlinuz,config}-$ABI_RELEASE-$FROM \
> +	debian/$to_pkg/boot/
> +install -m600 debian/$from_pkg/boot/System.map-$ABI_RELEASE-$FROM \
>   	debian/$to_pkg/boot/
>
>   #

Are you only targeting this towards natty?

Brad
Tim Gardner Feb. 1, 2011, 4:48 p.m. UTC | #2
applied and pushed to natty

Patch

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index c289d11..c31ab14 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -72,6 +72,7 @@  endif
 ifeq ($(no_dumpfile),)
 	makedumpfile -g $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$* \
 		-x $(builddir)/build-$*/vmlinux
+	chmod 0600 $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$*
 endif
 
 	$(build_cd) $(kmake) $(build_O) modules_install \
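Review bot: The added `chmod 0600` on vmcoreinfo has no comment, and it only survives into the package because `dh_fixperms` is told to skip /boot further down in this file. Someone who later removes that exclusion would make the file world-readable again without noticing. I would put a comment above the chmod, for example `# vmcoreinfo contains kernel symbol addresses: keep it root-only, dh_fixperms must not reset this`. The same three lines are repeated in the next hunk (new line 96), so the comment belongs there too; both recipes start and end outside the hunks.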
@@ -92,6 +93,7 @@  endif
 ifeq ($(no_dumpfile),)
 	makedumpfile -g $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$* \
 		-x $(builddir)/build-$*/vmlinux
+	chmod 0600 $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$*
 endif
 	rm -f $(pkgdir)/lib/modules/$(abi_release)-$*/build
 	rm -f $(pkgdir)/lib/modules/$(abi_release)-$*/source
@@ -275,7 +277,7 @@  binary-%: install-%
 	dh_installchangelogs -p$(pkgimg)
 	dh_installdocs -p$(pkgimg)
 	dh_compress -p$(pkgimg)
-	dh_fixperms -p$(pkgimg)
+	dh_fixperms -p$(pkgimg) -X/boot/
 	dh_installdeb -p$(pkgimg)
 	dh_shlibdeps -p$(pkgimg)
 	dh_gencontrol -p$(pkgimg)
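Review bot: `-X/boot/` on the changed `dh_fixperms` line exempts every file whose path contains `/boot/`, not only the two files that are meant to stay 0600. vmlinuz, config and anything else shipped under /boot therefore keep whatever mode the install step left them with. A narrower exclusion keeps the normalisation for the rest: `dh_fixperms -p$(pkgimg) -X/boot/System.map- -X/boot/vmcoreinfo-`. The same applies to `dh_fixperms -p$$pkg -X/boot/;` in the sub-flavour loop of the next hunk. The binary-% recipe continues outside this hunk, so whether the other /boot files get their modes set elsewhere cannot be seen from here.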
@@ -298,7 +300,7 @@  ifneq ($(skipsub),true)
 		dh_installchangelogs -p$$pkg;		\
 		dh_installdocs -p$$pkg;			\
 		dh_compress -p$$pkg;			\
-		dh_fixperms -p$$pkg;			\
+		dh_fixperms -p$$pkg -X/boot/;		\
 		dh_shlibdeps -p$$pkg;			\
 		dh_installdeb -p$$pkg;			\
 		dh_gencontrol -p$$pkg;			\
diff --git a/debian/scripts/sub-flavour b/debian/scripts/sub-flavour
index c0093a6..45456bb 100644
--- a/debian/scripts/sub-flavour
+++ b/debian/scripts/sub-flavour
@@ -11,7 +11,9 @@  from_moddir="debian/$from_pkg/lib/modules/$ABI_RELEASE-$FROM"
 to_moddir="debian/$to_pkg/lib/modules/$ABI_RELEASE-$FROM"
 
 install -d "debian/$to_pkg/boot"
-install -m644 debian/$from_pkg/boot/{vmlinuz,System.map,config}-$ABI_RELEASE-$FROM \
+install -m644 debian/$from_pkg/boot/{vmlinuz,config}-$ABI_RELEASE-$FROM \
+	debian/$to_pkg/boot/
+install -m600 debian/$from_pkg/boot/System.map-$ABI_RELEASE-$FROM \
 	debian/$to_pkg/boot/
 
 #
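Review bot: The new `install -m600` line leaves its source path unquoted, although it has no brace expansion and the `install -d` line just above quotes its argument. It can be written as `install -m600 "debian/$from_pkg/boot/System.map-$ABI_RELEASE-$FROM" \` with `"debian/$to_pkg/boot/"` as the destination. A short comment saying that System.map is deliberately 0600 would also stop a later cleanup from folding it back into the `-m644` brace list. The script's interpreter line is outside the hunk, so I am assuming the `{vmlinuz,config}` expansion runs under bash.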