project-lakitu: Set file permissions of /boot/efi/boot/grub.cfg to 400 BUG=b/177854826 TEST=presubmit RELEASE_NOTE=None Change-Id: I0cd6683684602abbbf2174e12181a6051fbb8dd4 Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/11774 Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com> Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com> Reviewed-by: Roy Yang <royyang@google.com>

commit: 1fb997618c1dc40fa61ea45586fbfef6eace7ed0 [log] [tgz]
author: Anil Altinay <aaltinay@google.com> Sat Jan 30 00:05:31 2021 +0000
committer: Anil Altinay <aaltinay@google.com> Wed Feb 03 17:59:14 2021 +0000
tree: 27c2180acad956dff2ab01cc39cd867c9b5c8139
parent: 71da0817eede32bcfac9150b9f9d3decadc7ceb4 [diff]
diff --git a/project-lakitu/scripts/board_specific_setup.sh b/project-lakitu/scripts/board_specific_setup.sh
index 2e56ce3..fe38827 100644
--- a/project-lakitu/scripts/board_specific_setup.sh
+++ b/project-lakitu/scripts/board_specific_setup.sh

@@ -243,6 +243,9 @@
     "${root_fs_dir}"/lib/systemd/system \
     -type f -name *.timer | xargs sudo chmod go-wrx
 
+  # Set grub.cfg file permissions to 400 as recommended by CIS
+  sudo chmod 400 "${root_fs_dir}"/boot/efi/boot/grub.cfg
+
   local shim_arch=""
   if [[ "${ARCH}" == "amd64" ]]; then
     shim_arch="x64"
commit	1fb997618c1dc40fa61ea45586fbfef6eace7ed0	[log] [tgz]
author	Anil Altinay <aaltinay@google.com>	Sat Jan 30 00:05:31 2021 +0000
committer	Anil Altinay <aaltinay@google.com>	Wed Feb 03 17:59:14 2021 +0000
tree	27c2180acad956dff2ab01cc39cd867c9b5c8139
parent	71da0817eede32bcfac9150b9f9d3decadc7ceb4 [diff]