From 43eb664e7d44d963bb7b82d03215d84b47100ba0 Mon Sep 17 00:00:00 2001
From: Adriaan de Groot
Date: Fri, 5 Jul 2019 11:43:40 +0200
Subject: [PATCH] [initramfs] Configure mkinitramfs to be safe SEE #1191
---
 src/modules/initramfs/InitramfsJob.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/modules/initramfs/InitramfsJob.cpp b/src/modules/initramfs/InitramfsJob.cpp
index e96855d23..c96bbb059 100644
--- a/src/modules/initramfs/InitramfsJob.cpp
+++ b/src/modules/initramfs/InitramfsJob.cpp
@@ -44,6 +44,17 @@ InitramfsJob::exec()
 CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe );
 cDebug() << "Updating initramfs with kernel" << m_kernel;
+
+ // First make sure we generate a safe initramfs with suitable permissions.
+ static const char confFile[] = "/etc/initramfs-tools/conf.d/calamares-safe-initramfs.conf";
+ static const char contents[] = "UMASK=0077\n";
+ if ( CalamaresUtils::System::instance()->createTargetFile( confFile, QByteArray( contents ) ).isEmpty() )
+ {
+ cWarning() << Logger::SubEntry << "Could not configure safe UMASK for initramfs.";
+ // But continue anyway.
+ }
+
+ // And then do the ACTUAL work.
 auto r = CalamaresUtils::System::instance()->targetEnvCommand( { "update-initramfs", "-k", m_kernel, "-c", "-t" }, QString(), QString(), 0 );
 return r.explainProcess( "update-initramfs", 10 );
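Review bot: When `createTargetFile()` returns an empty path, the new block only logs a warning and `update-initramfs` still runs, so the job can report success while the image was built without `UMASK=0077` and may stay readable by unprivileged users. Since the change exists to keep the initramfs contents private (see #1191), I would fail closed here, e.g. `return Calamares::JobResult::error( tr( "Could not configure safe UMASK for initramfs." ) );`, or else check the generated image's mode after the command and report an error if it is group- or world-readable. If `createTargetFile()` also returns empty for a file that already exists (not visible in this hunk), compare the existing contents before treating that as a failure. The body of `InitramfsJob::exec()` starts and ends outside the hunk.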