Change the system.map file permission only readable by root #329

Merged

Conversation

xumia
Collaborator

@xumia xumia commented Sep 7, 2023

Change the system.map file permission only readable by root

@xumia xumia requested a review from a team as a code owner September 7, 2023 03:06
@linux-foundation-easycla

linux-foundation-easycla bot commented Sep 7, 2023

CLA Signed

The committers listed above are authorized under a signed CLA.

@xumia xumia requested a review from saiarcot895 September 7, 2023 03:06
@xumia
Collaborator Author

xumia commented Sep 7, 2023

/easycla

@saiarcot895
Contributor

Looks like this was opened against an older version of the master branch, can you merge/rebase against the latest changes?

@saiarcot895
Contributor

Never mind, I see you updated it now

@saiarcot895 saiarcot895 merged commit fa40db7 into sonic-net:master Sep 7, 2023
@paulmenzel
Contributor

@saiarcot895, why did you merge a “security patch”, that does not contain any information at all about the motivation? Why are Debian’s defaults bad?

@saiarcot895, please revert, and @xumia, please resubmit with proper description.

@saiarcot895
Contributor

saiarcot895 commented Sep 7, 2023

@paulmenzel there are some details in sonic-net/sonic-buildimage#15893.

The short version of it is that as per OpenSCAP, the System.map file must be readable only by root. This is despite the fact that Debian already ships a fake System.map file (since there's almost never a need to use the actual contents of the file at runtime). The options to meet OpenSCAP's requirements are either to make it readable only by root, or to remove it (both of which can be done either at package installation time or during the package build time). Since it would be better to have it be consistently done at package build time (so that manual changes to files from packages are not needed), I recommended having the change be done in this repo via a patch instead.

To be clear, it's not that Debian's defaults are bad/insecure; it's just that some security projects/audits have different requirements that need to be met.
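The following is an added example and not code from this PR or from the sonic-linux-kernel project. It is a host-side audit of the kind an OpenSCAP scan performs against the requirement described above (System.map readable only by root), plus the corresponding hardening step. It assumes GNU coreutils `stat` (the `-c` format flags), that the files to check are named `System.map*` under the directory passed as the first argument, and that "readable only by root" means no group or other permission bits; ownership is reported but not enforced, since the example must also run as an unprivileged user. The PR itself applies the equivalent `chmod` at package build time rather than on a running host.

```shell
#!/bin/sh
# Added example (not part of the sonic-linux-kernel PR): audit and harden
# System.map files against the "readable only by root" requirement.
# Assumptions: GNU stat; files named System.map* under the given directory.

# audit_system_map DIR
# Prints "OK"/"FAIL" per System.map* file under DIR and returns 1 if any
# file has group or other permission bits set (i.e. is not root-only).
audit_system_map() {
    dir="$1"
    rc=0
    for f in "$dir"/System.map*; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")    # octal mode, e.g. 644
        owner=$(stat -c '%U' "$f")   # owner name; reported, not enforced here
        # Keep only the group and other digits of the octal mode.
        go=$(printf '%s' "$mode" | tail -c 2)
        if [ "$go" != "00" ]; then
            echo "FAIL $f mode=$mode owner=$owner (group/other bits set)"
            rc=1
        else
            echo "OK   $f mode=$mode owner=$owner"
        fi
    done
    return $rc
}

# harden_system_map DIR
# Strips group/other bits from every System.map* under DIR, leaving the
# owner's bits untouched (0644 -> 0600, 0444 -> 0400).
harden_system_map() {
    for f in "$1"/System.map*; do
        [ -e "$f" ] || continue
        chmod go-rwx "$f"
    done
}

# Stand-alone usage against a constructed boot directory (not a real
# kernel package): one file shipped with Debian's default 0644 mode.
if [ "${0##*/}" = "system_map_audit.sh" ]; then
    demo=$(mktemp -d)
    printf 'ffffffff81000000 T _text\n' > "$demo/System.map-6.1.0-demo"
    chmod 0644 "$demo/System.map-6.1.0-demo"
    audit_system_map "$demo" || echo "audit failed as expected; hardening"
    harden_system_map "$demo"
    audit_system_map "$demo"
    rm -rf "$demo"
fi
```

Run the audit against `/boot` on a host to see what a compliance scan would flag; the hardening function is only a stop-gap for an installed system, since the next kernel package upgrade restores the packaged mode, which is exactly why the PR moves the change into the package build.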

@saiarcot895
Contributor

@xumia This patch actually needs to go into the patches/preconfig directory to have any effect. Could you make another PR to fix this?

@xumia
Collaborator Author

xumia commented Sep 8, 2023

> @xumia This patch actually needs to go into the patches/preconfig directory to have any effect. Could you make another PR to fix this?

@saiarcot895 , thanks, I have sent another PR to fix it, #331

vivekrnv added a commit to vivekrnv/sonic-linux-kernel that referenced this pull request Oct 24, 2023