kernel: restrict permissions on System.map

This is good practice although the security benefit is limited, since unprivileged containers would need a volume mount to access the file, and could be running as root. Signed-off-by: Ben Cressey <[email protected]>
bottlerocket-os · Jun 17, 2022 · ebfbe7f · ebfbe7f
1 parent 803ffce
commit ebfbe7f
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/packages/kernel-5.10/kernel-5.10.spec b/packages/kernel-5.10/kernel-5.10.spec
@@ -146,6 +146,9 @@ sed -i \
   -e 's,$(CONFIG_SYSTEM_TRUSTED_KEYRING),n,g' \
   scripts/Makefile
 
+# Restrict permissions on System.map.
+chmod 600 System.map
+
 (
   find * \
     -type f \

diff --git a/packages/kernel-5.4/kernel-5.4.spec b/packages/kernel-5.4/kernel-5.4.spec
@@ -153,6 +153,9 @@ sed -i \
   -e 's,$(CONFIG_SYSTEM_TRUSTED_KEYRING),n,g' \
   scripts/Makefile
 
+# Restrict permissions on System.map.
+chmod 600 System.map
+
 (
   find * \
     -type f \