From 806356e483e942277901d6669139e59e36e41ca0 Mon Sep 17 00:00:00 2001
From: Gauthier Jolly
Date: Wed, 17 Mar 2021 17:01:12 +0000
Subject: [PATCH] ubuntu-cpc: secure esp mountpoint (LP: #1881006)

Change mount option for ubuntu-cpc images from "defaults" to "umask=0077". ESP partitions might contain sensitive data and non-root users shouldn't have read access on it.
---
 debian/changelog | 9 +++++++++
 .../ubuntu-cpc/hooks.d/base/disk-image-uefi.binary | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 8d5546d9..9d372713 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+livecd-rootfs (2.694.4) UNRELEASED; urgency=medium
+
+ * ubuntu-cpc: secure esp mountpoint (LP: #1881006)
+ Change mount option for ubuntu-cpc images from "defaults" to "umask=0077"
+ ESP partitions might contain sensitive data and non-root users shouldn't
+ have read access on it.
+
+ -- Gauthier Jolly Wed, 17 Mar 2021 16:55:37 +0000
+
 livecd-rootfs (2.694.3) groovy; urgency=medium
 [ David Krauser ]
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
index 64a64cfa..9c0e4453 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
@@ -58,7 +58,7 @@ create_and_mount_uefi_partition() {
 mount "${uefi_dev}" "$mountpoint"/boot/efi
 cat << EOF >> "mountpoint/etc/fstab"
-LABEL=UEFI /boot/efi vfat defaults 0 1
+LABEL=UEFI /boot/efi vfat umask=0077 0 1
 EOF
 }
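Review bot: The context line `cat << EOF >> "mountpoint/etc/fstab"` directly above the changed entry has no `$` before `mountpoint`, so the heredoc appears to append to a literal relative path instead of the image's fstab, unlike the preceding `mount` line, which uses `"$mountpoint"/boot/efi`. If that is a typo rather than intent, the new `umask=0077` entry may never reach the built image and the ESP would keep whatever options it is mounted with elsewhere; the redirect should read `cat << EOF >> "$mountpoint/etc/fstab"`. It is worth confirming on a built image that `findmnt /boot/efi` reports the mask, and noting in the changelog that already-deployed instances keep their existing fstab line. The body of create_and_mount_uefi_partition starts outside the hunk.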