From fa40db7b96f18329fc8b4a56a9295ffd92b139d5 Mon Sep 17 00:00:00 2001
From: xumia <59720581+xumia@users.noreply.github.com>
Date: Thu, 7 Sep 2023 13:42:02 +0800
Subject: [PATCH] Change the system.map file permission only readable by root (#329)

This is to meet a security requirement for SONiC to not have the System.map file (even though this is a fake System.map file created by Debian) be readable by anyone besides root.
---
 ...m.map-file-permission-only-readable-.patch | 25 +++++++++++++++++++
 patch/series | 3 +++
 2 files changed, 28 insertions(+)
 create mode 100644 patch/0001-Change-the-system.map-file-permission-only-readable-.patch

diff --git a/patch/0001-Change-the-system.map-file-permission-only-readable-.patch b/patch/0001-Change-the-system.map-file-permission-only-readable-.patch
new file mode 100644
index 000000000000..6671b87ba3cd
--- /dev/null
+++ b/patch/0001-Change-the-system.map-file-permission-only-readable-.patch
@@ -0,0 +1,25 @@
+From 01e598f75f4ab650555b01116ceec4e5c8f2899b Mon Sep 17 00:00:00 2001
+From: xumia
+Date: Thu, 7 Sep 2023 02:53:49 +0000
+Subject: [PATCH] Change the system.map file permission only readable by root
+
+---
+ debian/rules.real | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/debian/rules.real b/debian/rules.real
+index 3304579ad..908258789 100644
+--- a/debian/rules.real
++++ b/debian/rules.real
+@@ -505,7 +505,7 @@ install-image-dbg_$(ARCH)_$(FEATURESET)_$(FLAVOUR): $(STAMPS_DIR)/build_$(ARCH)_
+ dh_installdirs usr/lib/debug usr/lib/debug/boot usr/share/lintian/overrides/
+ dh_lintian
+ install -m644 $(DIR)/vmlinux $(DEBUG_DIR)/boot/vmlinux-$(REAL_VERSION)
+- install -m644 $(DIR)/System.map $(DEBUG_DIR)/boot/System.map-$(REAL_VERSION)
++ install -m600 $(DIR)/System.map $(DEBUG_DIR)/boot/System.map-$(REAL_VERSION)
+ +$(MAKE_CLEAN) -C $(DIR) modules_install DEPMOD='$(CURDIR)/debian/bin/no-depmod' INSTALL_MOD_PATH='$(CURDIR)'/$(DEBUG_DIR)
+ find $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/ -mindepth 1 -maxdepth 1 \! -name kernel -exec rm {} \+
+ rm $(DEBUG_DIR)/lib/firmware -rf
+--
+2.30.2
+
diff --git a/patch/series b/patch/series
index 5e0da595842b..533edf05c145 100755
--- a/patch/series
+++ b/patch/series
@@ -260,6 +260,9 @@ armhf_secondary_boot_online.patch
 0029-arm64-traps-Handle-SError-interrupt.patch
 0030-quirks-for-the-Pensando-qspi-controller.patch
+# Security patch
+0001-Change-the-system.map-file-permission-only-readable-.patch
+
 #
 # ############################################################
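Review bot: The sibling `install -m644 $(DIR)/vmlinux $(DEBUG_DIR)/boot/vmlinux-$(REAL_VERSION)` line directly above the changed one stays world-readable, and an unstripped vmlinux carries the same symbol-to-address information that System.map does, so tightening only System.map does not achieve the stated requirement; if no non-root user may read kernel symbol addresses from the -dbg package, that line should become `install -m600 $(DIR)/vmlinux $(DEBUG_DIR)/boot/vmlinux-$(REAL_VERSION)`, and the modules placed under $(DEBUG_DIR)/lib/modules by the `+$(MAKE_CLEAN) ... modules_install` line deserve the same decision. It is also worth confirming that the 0600 mode survives packaging: if rules.real later runs `dh_fixperms` for this package (outside this hunk), that helper normalises modes with `chmod go=rX` and would quietly turn 0600 back into 0644 unless the path is excluded with `-X`, so listing the file in the built .deb with `dpkg -c` before merging would settle it. The outer commit message calls this the "fake" System.map that Debian generates, but the patched target appears to install `$(DIR)/System.map` from the build tree into the -dbg package, so the message should name which file is actually meant. The `install-image-dbg_…` recipe continues outside the hunk.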