[PATCH] [natty] packaging: make System.map mode 0600

Kees Cook kees at ubuntu.com
Fri Jan 14 20:24:57 UTC 2011

To complement the 0400 /proc/kallsyms patch, this makes the installed
System.map file mode 0600 so that security vulnerability exploitation
isn't as trivial. This, like kallsyms, does not stop a serious attacker,
since they can always just fetch the package and read the file.

I'm not aware of any non-root consumer of this file, so there should be
no impact. FWIW, my system boots fine with this change.

Signed-off-by: Kees Cook <kees.cook at canonical.com>
 debian/rules.d/2-binary-arch.mk |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 5627af5..c289d11 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -67,7 +67,7 @@ endif
 	install -m644 $(abidir)/$* \
-	install -m644 $(builddir)/build-$*/System.map \
+	install -m600 $(builddir)/build-$*/System.map \
 ifeq ($(no_dumpfile),)
 	makedumpfile -g $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$* \

Kees Cook
Ubuntu Security Team

More information about the kernel-team mailing list