Change the system.map file permission only readable by root (#368)

Author: xumia

patch/0001-Change-the-system.map-file-permission-only-readable-.patch

@@ -1,25 +1,42 @@
-From 01e598f75f4ab650555b01116ceec4e5c8f2899b Mon Sep 17 00:00:00 2001
-From: xumia <xumia@contoso.com>
-Date: Thu, 7 Sep 2023 02:53:49 +0000
+From 0ec2a0c7a1380d55072fa3661abf8a33215b3dd6 Mon Sep 17 00:00:00 2001
+From: xumia <xumia@microsoft.com>
+Date: Sun, 10 Dec 2023 01:02:27 +0000
 Subject: [PATCH] Change the system.map file permission only readable by root
 
 ---
- debian/rules.real | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ debian/rules.real | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
 
 diff --git a/debian/rules.real b/debian/rules.real
-index 3304579ad..908258789 100644
+index 98ee4ac7a..5f1d8a665 100644
 --- a/debian/rules.real
 +++ b/debian/rules.real
-@@ -505,7 +505,7 @@ install-image-dbg_$(ARCH)_$(FEATURESET)_$(FLAVOUR): $(STAMPS_DIR)/build_$(ARCH)_
- 	dh_installdirs usr/lib/debug usr/lib/debug/boot usr/share/lintian/overrides/
+@@ -191,7 +191,7 @@ endif
+ 	dh_bugfiles
  	dh_lintian
+ 	dh_compress
+-	dh_fixperms
++	dh_fixperms -XSystem.map-*
+ 	dh_installdeb
+ 	dh_gencontrol -- $(GENCONTROL_ARGS)
+ 	dh_md5sums
+@@ -383,6 +383,7 @@ endif
+ 	sed '/CONFIG_\(MODULE_SIG_\(ALL\|KEY\)\|SYSTEM_TRUSTED_KEYS\|BUILD_SALT\)[ =]/d' $(DIR)/.config > $(DESTDIR)/boot/config-$(REAL_VERSION)
+ 	echo "ffffffffffffffff B The real System.map is in the linux-image-<version>-dbg package" \
+ 		> $(DESTDIR)/boot/System.map-$(REAL_VERSION)
++	chmod 600 $(DESTDIR)/boot/System.map-$(REAL_VERSION)
+ 	rm -f $(DESTDIR)/lib/modules/$(REAL_VERSION)/build
+ 	rm -f $(DESTDIR)/lib/modules/$(REAL_VERSION)/source
+ 	rm $(DESTDIR)/lib/firmware -rf
+@@ -435,7 +436,7 @@ binary_image-dbg: $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
+ 	dh_prep
+ 	dh_installdirs usr/lib/debug usr/lib/debug/boot usr/share/lintian/overrides/
  	install -m644 $(DIR)/vmlinux $(DEBUG_DIR)/boot/vmlinux-$(REAL_VERSION)
 -	install -m644 $(DIR)/System.map $(DEBUG_DIR)/boot/System.map-$(REAL_VERSION)
 +	install -m600 $(DIR)/System.map $(DEBUG_DIR)/boot/System.map-$(REAL_VERSION)
- 	+$(MAKE_CLEAN) -C $(DIR) modules_install DEPMOD='$(CURDIR)/debian/bin/no-depmod' INSTALL_MOD_PATH='$(CURDIR)'/$(DEBUG_DIR)
+ 	+$(MAKE_CLEAN) -C $(DIR) modules_install DEPMOD='$(CURDIR)/debian/bin/no-depmod' INSTALL_MOD_PATH=$(DEBUG_DIR)
  	find $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/ -mindepth 1 -maxdepth 1 \! -name kernel -exec rm {} \+
  	rm $(DEBUG_DIR)/lib/firmware -rf
 -- 
-2.30.2
+2.25.1
 

patch/series

@@ -185,8 +185,7 @@ cisco-npu-disable-other-bars.patch
 0024-drivers-soc-pensando-penfw-driver.patch
 
 # Security patch
-# TODO: update for bookworm
-#0001-Change-the-system.map-file-permission-only-readable-.patch
+0001-Change-the-system.map-file-permission-only-readable-.patch
 
 #
 #