Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adjust permissions for /boot and System.map #2223

Merged
merged 3 commits into from
Jun 20, 2022
Merged

adjust permissions for /boot and System.map #2223

merged 3 commits into from
Jun 20, 2022

Conversation

bcressey
Copy link
Contributor

Issue number:
N/A

Description of changes:
System.map likely isn't used by anything on modern systems, and the copy in /boot is even less likely to be used since for most of Bottlerocket's history (until 9e4c2cc) we didn't even mount that filesystem. Since /boot is space-constrained, especially on aarch64, we should just get rid of it.

Make /boot and the remaining copy of System.map readable only by UID 0, per convention.

Testing done:
Confirmed the new permissions on a running system.

bash-5.0# ls -latr /boot
total 32997
-rwx------.  1 root root 39059968 Jun 17 20:41 vmlinuz
-rw-------.  1 root root   165786 Jun 17 20:41 config
drwx------.  2 root root     1024 Jun 17 20:44 efi
drwxr-xr-x. 19 root root     4096 Jun 17 20:44 ..
drwx------.  2 root root    12288 Jun 17 20:44 lost+found
drwx------.  2 root root     1024 Jun 17 20:44 grub
drwxr-xr-x.  5 root root     1024 Jun 17 20:44 .

bash-5.0# ls -latr /lib/modules/5.10.118/build/System.map 
-rw-------. 1 root root 5303557 Jun 17 20:39 /lib/modules/5.10.118/build/System.map

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@bcressey
kernel: drop System.map from /boot
803ffce 
System.map is available in the kernel development tree on running
systems, and in the downloadable kmod kit. The /boot filesystem is
more space-constrained and we don't need an extra copy there.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
kernel: restrict permissions on System.map
ebfbe7f 
This is good practice although the security benefit is limited, since
unprivileged containers would need a volume mount to access the file,
and could be running as root.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
build: set permissions for /boot
e8faa4b 
Restrict these files to align with standard practice, even though all
the contents are publicly available through the "boot" images in the
updates repository.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
foersleo
foersleo approved these changes Jun 20, 2022
View reviewed changes
Copy link
Contributor

@foersleo foersleo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

As far as i can tell the failed test should not be related to this change (grub build failing for one variant during configure phase due to unexpected EOF).

@bcressey bcressey merged commit 4ea71e2 into bottlerocket-os:develop Jun 20, 2022
@bcressey bcressey deleted the boot-perms branch June 20, 2022 20:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markusboehme markusboehme markusboehme approved these changes

@arnaldo2792 arnaldo2792 arnaldo2792 approved these changes

@foersleo foersleo foersleo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bcressey @markusboehme @arnaldo2792 @foersleo