From 803ffceee742647a278a9ebb6ae35153354ed858 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Sun, 5 Jun 2022 18:58:25 +0000 Subject: [PATCH 1/3] kernel: drop System.map from /boot System.map is available in the kernel development tree on running systems, and in the downloadable kmod kit. The /boot filesystem is more space-constrained and we don't need an extra copy there. Signed-off-by: Ben Cressey --- packages/kernel-5.10/kernel-5.10.spec | 2 -- packages/kernel-5.4/kernel-5.4.spec | 2 -- 2 files changed, 4 deletions(-) diff --git a/packages/kernel-5.10/kernel-5.10.spec b/packages/kernel-5.10/kernel-5.10.spec index 596b0e9f848..bf1bcc9b41c 100644 --- a/packages/kernel-5.10/kernel-5.10.spec +++ b/packages/kernel-5.10/kernel-5.10.spec @@ -118,7 +118,6 @@ make -s\\\ install -d %{buildroot}/boot install -T -m 0755 arch/%{_cross_karch}/boot/%{_cross_kimage} %{buildroot}/boot/vmlinuz install -m 0644 .config %{buildroot}/boot/config -install -m 0644 System.map %{buildroot}/boot/System.map find %{buildroot}%{_cross_prefix} \ \( -name .install -o -name .check -o \ @@ -226,7 +225,6 @@ ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/source %{_cross_attribution_file} /boot/vmlinuz /boot/config -/boot/System.map %files modules %dir %{_cross_libdir}/modules diff --git a/packages/kernel-5.4/kernel-5.4.spec b/packages/kernel-5.4/kernel-5.4.spec index a68fc54065e..dfb442d0fe5 100644 --- a/packages/kernel-5.4/kernel-5.4.spec +++ b/packages/kernel-5.4/kernel-5.4.spec @@ -125,7 +125,6 @@ make -s\\\ install -d %{buildroot}/boot install -T -m 0755 arch/%{_cross_karch}/boot/%{_cross_kimage} %{buildroot}/boot/vmlinuz install -m 0644 .config %{buildroot}/boot/config -install -m 0644 System.map %{buildroot}/boot/System.map find %{buildroot}%{_cross_prefix} \ \( -name .install -o -name .check -o \ 
@@ -231,7 +230,6 @@ ln -sf %{_usrsrc}/kernels/%{version} %{buildroot}%{kernel_libdir}/source %{_cross_attribution_file} /boot/vmlinuz /boot/config -/boot/System.map %files modules %dir %{_cross_libdir}/modules From ebfbe7f70b0a960e32f580dc41ecf3f65c9c90a6 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Sun, 5 Jun 2022 18:59:57 +0000 Subject: [PATCH 2/3] kernel: restrict permissions on System.map This is good practice although the security benefit is limited, since unprivileged containers would need a volume mount to access the file, and could be running as root. Signed-off-by: Ben Cressey --- packages/kernel-5.10/kernel-5.10.spec | 3 +++ packages/kernel-5.4/kernel-5.4.spec | 3 +++ 2 files changed, 6 insertions(+) diff --git a/packages/kernel-5.10/kernel-5.10.spec b/packages/kernel-5.10/kernel-5.10.spec index bf1bcc9b41c..34d7119ab6e 100644 --- a/packages/kernel-5.10/kernel-5.10.spec +++ b/packages/kernel-5.10/kernel-5.10.spec @@ -146,6 +146,9 @@ sed -i \ -e 's,$(CONFIG_SYSTEM_TRUSTED_KEYRING),n,g' \ scripts/Makefile +# Restrict permissions on System.map. +chmod 600 System.map + ( find * \ -type f \ diff --git a/packages/kernel-5.4/kernel-5.4.spec b/packages/kernel-5.4/kernel-5.4.spec index dfb442d0fe5..635c31401c4 100644 --- a/packages/kernel-5.4/kernel-5.4.spec +++ b/packages/kernel-5.4/kernel-5.4.spec @@ -153,6 +153,9 @@ sed -i \ -e 's,$(CONFIG_SYSTEM_TRUSTED_KEYRING),n,g' \ scripts/Makefile +# Restrict permissions on System.map. +chmod 600 System.map + ( find * \ -type f \ From e8faa4b1c750806c114fdc6820f1821f3c3856f3 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Fri, 27 May 2022 03:21:01 +0000 Subject: [PATCH 3/3] build: set permissions for /boot Restrict these files to align with standard practice, even though all the contents are publicly available through the "boot" images in the updates repository. Signed-off-by: Ben Cressey --- tools/rpm2img | 1 + 1 file changed, 1 insertion(+) 
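Review bot: The `chmod 600 System.map` added ahead of the `( find * -type f` block in kernel-5.10.spec, and identically in kernel-5.4.spec, only sets the mode in the build tree. The shipped file is restricted only if the copy step that follows and the matching `%files` entry both preserve that mode, and neither is visible in this hunk. If System.map is listed in `%files`, an explicit `%attr(0600,root,root)` on that entry would make the restriction independent of how the tree is copied. The added comment restates the command; something like `# System.map lists kernel symbol addresses; keep it readable by root only.` would record the reason. The enclosing install section starts and ends outside the hunk.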
diff --git a/tools/rpm2img b/tools/rpm2img index cd325a478af..b6872b9259d 100755 --- a/tools/rpm2img +++ b/tools/rpm2img @@ -288,6 +288,7 @@ EOF # BOTTLEROCKET-BOOT-A mkdir -p "${BOOT_MOUNT}/lost+found" +chmod -R go-rwx "${BOOT_MOUNT}" BOOT_LABELS=$(setfiles -n -d -F -m -r "${BOOT_MOUNT}" \ "${SELINUX_FILE_CONTEXTS}" "${BOOT_MOUNT}" \ | awk -v root="${BOOT_MOUNT}" '{gsub(root"/","/"); gsub(root,"/"); print "ea_set", $1, "security.selinux", $4}')
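Review bot: The recursive `chmod -R go-rwx "${BOOT_MOUNT}"` only covers what is already staged under `${BOOT_MOUNT}` when it runs, so anything written into that directory later in the script would keep its original mode. The rest of the script is outside this hunk, so confirm this is the last write before the boot filesystem is built. The line also strips traverse permission from the directories themselves and has no comment; I would add `# /boot is root-only: strip group/other access from every file and directory before labeling.` above it. The modes reach the image only if the step that builds the filesystem from this directory preserves them, which is presumably the case but is not shown here.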