From a551e628954830e5edc8463c18ceecf655c0248e Mon Sep 17 00:00:00 2001
From: xumia
Date: Tue, 18 Jul 2023 07:44:33 +0000
Subject: [PATCH 1/3] [Security] Ensure the system.map is readable only by root
---
 build_debian.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/build_debian.sh b/build_debian.sh
index 13e39ac73619..1fe42ed5775e 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -726,6 +726,9 @@ if [[ $TARGET_BOOTLOADER == uboot ]]; then
 fi
 fi
+## Ensure the system-map readable only by root
+sudo chmod 0600 /boot/System.map-*
+
 # Collect host image version files before cleanup
 SONIC_VERSION_CACHE=${SONIC_VERSION_CACHE} \
 DBGOPT="${DBGOPT}" \
From 08e2f33113a62a523568c8d3b56002a29558cf26 Mon Sep 17 00:00:00 2001
From: xumia
Date: Tue, 18 Jul 2023 22:56:57 +0000
Subject: [PATCH 2/3] Fix chroot not use issue
---
 build_debian.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build_debian.sh b/build_debian.sh
index 1fe42ed5775e..7e292769da72 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -727,7 +727,7 @@ if [[ $TARGET_BOOTLOADER == uboot ]]; then
 fi
 ## Ensure the system-map readable only by root
-sudo chmod 0600 /boot/System.map-*
+sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT sudo chmod 0600 /boot/System.map-*
 # Collect host image version files before cleanup
 SONIC_VERSION_CACHE=${SONIC_VERSION_CACHE} \
From 219f5c51897b20db98a3d2aa5db79d5fd28945f9 Mon Sep 17 00:00:00 2001
From: xumia
Date: Thu, 20 Jul 2023 06:57:26 +0000
Subject: [PATCH 3/3] Fix the file pattern issue
---
 build_debian.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build_debian.sh b/build_debian.sh
index 7e292769da72..9715371a1cd2 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -727,7 +727,7 @@ if [[ $TARGET_BOOTLOADER == uboot ]]; then
 fi
 ## Ensure the system-map readable only by root
-sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT sudo chmod 0600 /boot/System.map-*
+sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT bash -c 'chmod 0600 /boot/System.map-*'
 # Collect host image version files before cleanup
 SONIC_VERSION_CACHE=${SONIC_VERSION_CACHE} \
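Review bot: In the new `bash -c 'chmod 0600 /boot/System.map-*'` line an unmatched pattern is handed to chmod literally (the inner bash has no nullglob), so the command exits non-zero when the target root contains no System.map-* file; if build_debian.sh runs under `set -e` (not visible in this hunk) that aborts the build, which is the fail-closed outcome to prefer for a hardening step, but the comment should say so, e.g. `## Ensure System.map is readable only by root; fails the build if no kernel System.map is present`. `$FILESYSTEM_ROOT` is unquoted; that presumably mirrors the script's other chroot invocations, but `"$FILESYSTEM_ROOT"` avoids word-splitting surprises at no cost. The mode change also only covers the file laid down at image build time — a later kernel package install on the device recreates System.map-* with the package's default mode — so a durable control such as a `kernel.kptr_restrict` sysctl or a dpkg hook that reapplies the mode would complement this; that lives outside this hunk.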