From ebfbe7f70b0a960e32f580dc41ecf3f65c9c90a6 Mon Sep 17 00:00:00 2001
From: Ben Cressey
Date: Sun, 5 Jun 2022 18:59:57 +0000
Subject: [PATCH] kernel: restrict permissions on System.map

This is good practice although the security benefit is limited, since unprivileged containers would need a volume mount to access the file, and could be running as root.

Signed-off-by: Ben Cressey
---
 packages/kernel-5.10/kernel-5.10.spec | 3 +++
 packages/kernel-5.4/kernel-5.4.spec | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/packages/kernel-5.10/kernel-5.10.spec b/packages/kernel-5.10/kernel-5.10.spec
index bf1bcc9b41c..34d7119ab6e 100644
--- a/packages/kernel-5.10/kernel-5.10.spec
+++ b/packages/kernel-5.10/kernel-5.10.spec
@@ -146,6 +146,9 @@ sed -i \
 -e 's,$(CONFIG_SYSTEM_TRUSTED_KEYRING),n,g' \
 scripts/Makefile
 
+# Restrict permissions on System.map.
+chmod 600 System.map
+
 (
 find * \
 -type f \
diff --git a/packages/kernel-5.4/kernel-5.4.spec b/packages/kernel-5.4/kernel-5.4.spec
index dfb442d0fe5..635c31401c4 100644
--- a/packages/kernel-5.4/kernel-5.4.spec
+++ b/packages/kernel-5.4/kernel-5.4.spec
@@ -153,6 +153,9 @@ sed -i \
 -e 's,$(CONFIG_SYSTEM_TRUSTED_KEYRING),n,g' \
 scripts/Makefile
 
+# Restrict permissions on System.map.
+chmod 600 System.map
+
 (
 find * \
 -type f \
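Review bot: The `chmod 600 System.map` added just before the `( find * \` subshell only changes the mode in the build tree, and nothing visible in the hunk shows that this mode is what the packaged file ends up with. The enclosing spec section starts and ends outside the hunk, so this is a point to confirm rather than a demonstrated defect. If the file is later copied with an explicit mode, or listed under a `%defattr`/`%attr` entry in `%files`, the 600 would presumably be overridden, so it is worth checking the mode and owner of System.map in the built image. The comment could also state the reason, e.g. `# System.map lists kernel symbol addresses; keep it unreadable to non-root users, like kallsyms under kptr_restrict.` The identical hunk in packages/kernel-5.4/kernel-5.4.spec has the same gap.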