From eef7feef4a302c844d4c7fd1f8313e0bc188a104 Mon Sep 17 00:00:00 2001
From: Gauthier Jolly
Date: Wed, 17 Mar 2021 17:01:12 +0000
Subject: [PATCH] ubuntu-cpc: secure esp mountpoint (LP: #1881006)

Change mount option for ubuntu-cpc images from "defaults" to "umask=0077". ESP partitions might contain sensitive data and non-root users shouldn't have read access on it.
---
 debian/changelog | 9 +++++++++
 .../ubuntu-cpc/hooks.d/base/disk-image-uefi.binary | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 44842f5f..f8668feb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+livecd-rootfs (2.408.68) UNRELEASED; urgency=medium
+
+ * ubuntu-cpc: secure esp mountpoint (LP: #1881006)
+ Change mount option for ubuntu-cpc images from "defaults" to "umask=0077"
+ ESP partitions might contain sensitive data and non-root users shouldn't
+ have read access on it.
+
+ -- Gauthier Jolly Wed, 17 Mar 2021 16:55:37 +0000
+
 livecd-rootfs (2.408.67) xenial; urgency=medium
 * Revert "esp: install grub in ubuntu bootloader id path, instead of
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
index 110377b4..fa0a3ed6 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
@@ -49,7 +49,7 @@ create_and_mount_uefi_partition() {
 mount "${uefi_dev}" "$mountpoint"/boot/efi
 cat << EOF >> "mountpoint/etc/fstab"
-LABEL=UEFI /boot/efi vfat defaults 0 1
+LABEL=UEFI /boot/efi vfat umask=0077 0 1
 EOF
 }
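Review bot: The hardened fstab entry is appended through the unchanged context line `cat << EOF >> "mountpoint/etc/fstab"`, where the `$` before `mountpoint` is missing, so the heredoc lands in a relative path `mountpoint/etc/fstab` under the build's working directory rather than in the image's `/etc/fstab`; unless the dropped `$` is an artifact of how this page was captured, the umask=0077 mount option this commit introduces would never take effect in the booted image, and the line should read `cat << EOF >> "$mountpoint/etc/fstab"`, matching the `"$mountpoint"/boot/efi` form used on the mount line just above. Worth verifying against a built image that `/etc/fstab` actually carries the `LABEL=UEFI` line with `umask=0077` and that `/boot/efi` is mode 0700 after boot, since that is the whole point of LP: #1881006. The body of create_and_mount_uefi_partition starts before this hunk.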