napcok/calamares
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[initcpio] Improve security by making initramfs files not world-readable

Browse Source
This commit is contained in:
Adriaan de Groot 2019-07-05 13:17:55 +02:00
parent 1a85435372
commit 5f6efd2822
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/modules/initcpio/InitcpioJob.cpp
View File

@ -23,6 +23,9 @@
#include "utils/UMask.h" #include "utils/UMask.h"
#include "utils/Variant.h" #include "utils/Variant.h"
#include <QDir>
#include <QFile>
InitcpioJob::InitcpioJob( QObject* parent ) InitcpioJob::InitcpioJob( QObject* parent )
: Calamares::CppJob( parent ) : Calamares::CppJob( parent )
{ {
@ -37,12 +40,31 @@ InitcpioJob::prettyName() const
return tr( "Creating initramfs with mkinitcpio." ); return tr( "Creating initramfs with mkinitcpio." );
} }
static void
fixPermissions( const QDir& d )
{
for ( const auto& fi : d.entryInfoList( { "initramfs*" }, QDir::Files ) )
{
QFile f( fi.absoluteFilePath() );
if ( f.exists() )
{
cDebug() << "initcpio fixing permissions for" << f.fileName();
f.setPermissions( QFileDevice::ReadOwner | QFileDevice::WriteOwner );
}
}
}
Calamares::JobResult Calamares::JobResult
InitcpioJob::exec() InitcpioJob::exec()
{ {
CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe ); CalamaresUtils::UMask m( CalamaresUtils::UMask::Safe );
QDir d( CalamaresUtils::System::instance()->targetPath( "/boot" ) );
if ( d.exists() )
{
fixPermissions( d );
}
cDebug() << "Updating initramfs with kernel" << m_kernel; cDebug() << "Updating initramfs with kernel" << m_kernel;
auto r = CalamaresUtils::System::instance()->targetEnvCommand( auto r = CalamaresUtils::System::instance()->targetEnvCommand(
{ "mkinitcpio", "-p", m_kernel }, QString(), QString(), 0 ); { "mkinitcpio", "-p", m_kernel }, QString(), QString(), 0 );