Package: kernel-package Version: 12.036+nmu1 Severity: wishlist As part of an effort to deter kernel exploits [1], System.map and the kernel image should be made readable by root only, to prevent attackers from getting knowledge of kernel addresses.
A patch would look like this:
--- ruleset/targets/image.mk 2011-02-24 02:23:38.000000000 +0100
+++ ruleset/targets/image.mk 2011-02-25 01:40:57.000000000 +0100
@@ -168,7 +168,7 @@
 ifeq ($(strip $(HAVE_INST_PATH)),)
 test ! -f System.map || cp System.map \
 $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE);
- test ! -f System.map || chmod 644 \
+ test ! -f System.map || chmod 600 \
 $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE);
 cp $(kimagesrc) $(kimagedest)
 else
@@ -180,12 +180,12 @@
 endif
 ifeq ($(strip $(HAVE_COFF_IMAGE)),YES)
 cp $(coffsrc) $(coffdest)
- chmod 644 $(coffdest)
+ chmod 600 $(coffdest)
 endif
 ifeq ($(strip $(int_install_vmlinux)),YES)
 ifneq ($(strip $(kelfimagesrc)),)
 cp $(kelfimagesrc) $(kelfimagedest)
- chmod 644 $(kelfimagedest)
+ chmod 600 $(kelfimagedest)
 endif
 endif
 ######################################################################
@@ -197,12 +197,12 @@
 endif
 # Set permissions on the image
 ifeq ($(strip $(KERNEL_ARCH)),um)
- chmod 755 $(kimagedest);
+ chmod 700 $(kimagedest);
 ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
 strip --strip-unneeded --remove-section=.note --remove-section=.comment $(kimagedest);
 endif
 else
- chmod 644 $(kimagedest);
+ chmod 600 $(kimagedest);
 endif
 ######################################################################
 ### Hooks and information
However, later all permissions are reset by a big chmod:
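Review bot: The 600 mode in the @@ -168 hunk is applied only inside the `ifeq ($(strip $(HAVE_INST_PATH)),)` branch; the `else` on the hunk's last line opens a branch that lies outside the diff, and if that branch installs System.map under the configured install path (which the variable name suggests but the diff does not show) that copy keeps its previous mode. The guarded three-line form `test ! -f System.map || chmod 600 \` used here would need to be mirrored there. A one-line comment on the changed line, `# root-only: System.map exposes kernel symbol addresses`, would record why this file's mode differs from the other installed files.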
@@ -331,6 +331,7 @@
 $(create_md5sum) $(TMPTOP)
 chmod -R og=rX $(TMPTOP)
 chown -R root:root $(TMPTOP)
+ chmod og-rx $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE) $(kimagedest)
 dpkg --build $(TMPTOP) $(DEB_DEST)
 ifeq ($(strip $(do_clean)),YES)
 # just to be sure we are not nuking ./debian
What is this chmod for? The above snippet works for me, but is kind of lame. And I guess the debug taget should be modified too. [1] http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.37.y.git;a=commitdiff;h=59365d136d205cc20fe666ca7f89b1c5001b0d5a -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.37.1-grsec (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages kernel-package depends on: ii binutils 2.21.0.20110216-2 The GNU assembler, linker and bina ii build-essential 11.5 Informational list of build-essent ii debianutils 3.4.4 Miscellaneous utilities specific t ii file 5.04-5 Determines file type using "magic" ii gettext 0.18.1.1-3 GNU Internationalization utilities ii make 3.81-8 An utility for Directing compilati ii module-init-tools 3.12-1 tools for managing Linux kernel mo ii po-debconf 1.0.16+nmu1 tool for managing templates file t ii util-linux 2.17.2-9.1 Miscellaneous system utilities Versions of packages kernel-package recommends: ii cpio 2.11-7 GNU cpio -- a program to manage ar Versions of packages kernel-package suggests: pn btrfs-tools <none> (no description available) ii bzip2 1.0.5-6 high-quality block-sorting file co pn docbook-utils <none> (no description available) ii e2fsprogs 1.41.12-2 ext2/ext3/ext4 file system utiliti ii grub 0.97-64 GRand Unified Bootloader (dummy pa pn jfsutils <none> (no description available) ii libncurses5-dev [libncurs 5.7+20100313-5 developer's libraries and docs for pn linux-initramfs-tool <none> (no description available)
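Review bot: The added `chmod og-rx` line is unguarded, whereas the copy of System.map in the @@ -168 hunk only happens when `test ! -f System.map` fails; on a build that produced no System.map, `chmod` exits non-zero on the missing `System.map-$(KERNELRELEASE)` and the whole image target aborts. Guard it the same way and keep the image on its own line so a failure names the right file: `test ! -f $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE) || chmod og-rx $(TMPTOP)/$(IMAGEDIR)/System.map-$(KERNELRELEASE)` followed by `chmod og-rx $(kimagedest)`. When HAVE_INST_PATH is set, System.map is presumably placed by the `else` branch of that earlier hunk (outside the diff), so the path used here may need to follow that branch as well. A comment such as `# kernel image and System.map stay root-only: they disclose kernel addresses` above the line would explain why it deliberately narrows the `chmod -R og=rX` two lines earlier. The recipe continues outside the hunk.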
pn linux-source | kernel-sou <none> (no description available) pn mcelog <none> (no description available) pn oprofile <none> (no description available) pn pcmciautils <none> (no description available) pn ppp <none> (no description available) ii procps 1:3.2.8-10 /proc file system utilities pn quota <none> (no description available) pn reiserfsprogs <none> (no description available) pn squashfs-tools <none> (no description available) ii udev 166-1 /dev/ and hotplug management daemo pn xfsprogs <none> (no description available) pn xmlto <none> (no description available) -- Configuration Files: /etc/kernel-pkg.conf changed [not included] -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org