From 5f6efd2822ada666c29effd8d3b0ce9eb79e1b63 Mon Sep 17 00:00:00 2001
From: Adriaan de Groot <groot@kde.org>
Date: Fri, 5 Jul 2019 13:17:55 +0200
Subject: [PATCH] [initcpio] Improve security by making initramfs files not
 world-readable

---
 src/modules/initcpio/InitcpioJob.cpp | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/modules/initcpio/InitcpioJob.cpp b/src/modules/initcpio/InitcpioJob.cpp
index 89c8a906d..0b96ddcd2 100644
--- a/src/modules/initcpio/InitcpioJob.cpp
+++ b/src/modules/initcpio/InitcpioJob.cpp
@@ -23,6 +23,9 @@
 #include "utils/UMask.h"
 #include "utils/Variant.h"
 
+#include <QDir>
+#include <QFile>
+
 InitcpioJob::InitcpioJob( QObject* parent )
     : Calamares::CppJob( parent )
 {
@@ -37,12 +40,31 @@ InitcpioJob::prettyName() const
     return tr( "Creating initramfs with mkinitcpio." );
 }
 
+static void
+fixPermissions( const QDir& d )
+{
+    for ( const auto& fi : d.entryInfoList( { "initramfs*" }, QDir::Files ) )
+    {
+        QFile f( fi.absoluteFilePath() );
+        if ( f.exists() )
+        {
+            cDebug() << "initcpio fixing permissions for" << f.fileName();
+            f.setPermissions( QFileDevice::ReadOwner | QFileDevice::WriteOwner );
+        }
+    }
+}
 
 Calamares::JobResult
 InitcpioJob::exec()
 {
     CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe );
 
+    QDir d( CalamaresUtils::System::instance()->targetPath( "/boot" ) );
+    if ( d.exists() )
+    {
+        fixPermissions( d );
+    }
+    
     cDebug() << "Updating initramfs with kernel" << m_kernel;
     auto r = CalamaresUtils::System::instance()->targetEnvCommand(
         { "mkinitcpio", "-p", m_kernel }, QString(), QString(), 0 );