[PATCH] packaging: really make System.map mode 0600

[Kees Cook]

799f11e9c88770eb1017a297c1a456013a80f324 tried to make System.map mode
0600. It turns out that dh_fixperms undoes that change. This patch fixes
this up, corrects perms for sub-flavors, and adds vmcoreinfo to the mode
0600 list.

Signed-off-by: Kees Cook <kees.cook at canonical.com>
---
 debian/rules.d/2-binary-arch.mk |    6 ++++--
 debian/scripts/sub-flavour      |    4 +++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index c289d11..c31ab14 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -72,6 +72,7 @@ endif
 ifeq ($(no_dumpfile),)
 	makedumpfile -g $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$* \
 		-x $(builddir)/build-$*/vmlinux
+	chmod 0600 $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$*
 endif
 
 	$(build_cd) $(kmake) $(build_O) modules_install \
@@ -92,6 +93,7 @@ endif
 ifeq ($(no_dumpfile),)
 	makedumpfile -g $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$* \
 		-x $(builddir)/build-$*/vmlinux
+	chmod 0600 $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$*
 endif
 	rm -f $(pkgdir)/lib/modules/$(abi_release)-$*/build
 	rm -f $(pkgdir)/lib/modules/$(abi_release)-$*/source
@@ -275,7 +277,7 @@ binary-%: install-%
 	dh_installchangelogs -p$(pkgimg)
 	dh_installdocs -p$(pkgimg)
 	dh_compress -p$(pkgimg)
-	dh_fixperms -p$(pkgimg)
+	dh_fixperms -p$(pkgimg) -X/boot/
 	dh_installdeb -p$(pkgimg)
 	dh_shlibdeps -p$(pkgimg)
 	dh_gencontrol -p$(pkgimg)
@@ -298,7 +300,7 @@ ifneq ($(skipsub),true)
 		dh_installchangelogs -p$$pkg;		\
 		dh_installdocs -p$$pkg;			\
 		dh_compress -p$$pkg;			\
-		dh_fixperms -p$$pkg;			\
+		dh_fixperms -p$$pkg -X/boot/;		\
 		dh_shlibdeps -p$$pkg;			\
 		dh_installdeb -p$$pkg;			\
 		dh_gencontrol -p$$pkg;			\
diff --git a/debian/scripts/sub-flavour b/debian/scripts/sub-flavour
index c0093a6..45456bb 100644
--- a/debian/scripts/sub-flavour
+++ b/debian/scripts/sub-flavour
@@ -11,7 +11,9 @@ from_moddir="debian/$from_pkg/lib/modules/$ABI_RELEASE-$FROM"
 to_moddir="debian/$to_pkg/lib/modules/$ABI_RELEASE-$FROM"
 
 install -d "debian/$to_pkg/boot"
-install -m644 debian/$from_pkg/boot/{vmlinuz,System.map,config}-$ABI_RELEASE-$FROM \
+install -m644 debian/$from_pkg/boot/{vmlinuz,config}-$ABI_RELEASE-$FROM \
+	debian/$to_pkg/boot/
+install -m600 debian/$from_pkg/boot/System.map-$ABI_RELEASE-$FROM \
 	debian/$to_pkg/boot/
 
 #
-- 
1.7.0.4


-- 
Kees Cook
Ubuntu Security Team