Merge pull request #2223 from bcressey/boot-perms

adjust permissions for /boot and System.map

packages/kernel-5.10/kernel-5.10.spec

@@ -118,7 +118,6 @@ make -s\\\
 install -d %{buildroot}/boot
 install -T -m 0755 arch/%{_cross_karch}/boot/%{_cross_kimage} %{buildroot}/boot/vmlinuz
 install -m 0644 .config %{buildroot}/boot/config
-install -m 0644 System.map %{buildroot}/boot/System.map
 
 find %{buildroot}%{_cross_prefix} \
    \( -name .install -o -name .check -o \
@@ -147,6 +146,9 @@ sed -i \
   -e 's,$(CONFIG_SYSTEM_TRUSTED_KEYRING),n,g' \
   scripts/Makefile
 
+# Restrict permissions on System.map.
+chmod 600 System.map
+
 (
   find * \
     -type f \
@@ -226,7 +228,6 @@ ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/source
 %{_cross_attribution_file}
 /boot/vmlinuz
 /boot/config
-/boot/System.map
 
 %files modules
 %dir %{_cross_libdir}/modules

packages/kernel-5.4/kernel-5.4.spec

@@ -125,7 +125,6 @@ make -s\\\
 install -d %{buildroot}/boot
 install -T -m 0755 arch/%{_cross_karch}/boot/%{_cross_kimage} %{buildroot}/boot/vmlinuz
 install -m 0644 .config %{buildroot}/boot/config
-install -m 0644 System.map %{buildroot}/boot/System.map
 
 find %{buildroot}%{_cross_prefix} \
    \( -name .install -o -name .check -o \
@@ -154,6 +153,9 @@ sed -i \
   -e 's,$(CONFIG_SYSTEM_TRUSTED_KEYRING),n,g' \
   scripts/Makefile
 
+# Restrict permissions on System.map.
+chmod 600 System.map
+
 (
   find * \
     -type f \
@@ -231,7 +233,6 @@ ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/source
 %{_cross_attribution_file}
 /boot/vmlinuz
 /boot/config
-/boot/System.map
 
 %files modules
 %dir %{_cross_libdir}/modules

tools/rpm2img

@@ -288,6 +288,7 @@ EOF
 
 # BOTTLEROCKET-BOOT-A
 mkdir -p "${BOOT_MOUNT}/lost+found"
+chmod -R go-rwx "${BOOT_MOUNT}"
 BOOT_LABELS=$(setfiles -n -d -F -m -r "${BOOT_MOUNT}" \
     "${SELINUX_FILE_CONTEXTS}" "${BOOT_MOUNT}" \
   | awk -v root="${BOOT_MOUNT}" '{gsub(root"/","/"); gsub(root,"/"); print "ea_set", $1, "security.selinux", $4}')