Not so easy. Will result in an error when reinstalling the package.
sudo rm /boot/System.map-4.19.0-5-amd64
sudo touch /boot/System.map-4.19.0-5-amd64
sudo chattr +i /boot/System.map-4.19.0-5-amd64
sudo apt install --reinstall linux-image-4.19.0-5-amd64
Will just be overwritten on upgrade.
dpkg: error processing archive /var/cache/apt/archives/linux-image-4.19.0-5-amd64_4.19.37-5+deb10u1_amd64.deb (--unpack):
unable to make backup link of './boot/System.map-4.19.0-5-amd64' before installing new version: Operation not permitted
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
I: /vmlinuz is now a symlink to boot/vmlinuz-4.19.0-4-amd64
I: /initrd.img is now a symlink to boot/initrd.img-4.19.0-4-amd64
Errors were encountered while processing:
E: Sub-process /usr/bin/dpkg returned an error code (1)
Then it’s also not that hard to hardcode whatever information is required from the system map into the malware itself (for a few common kernel versions). Looking up the required information by parsing the system map sounds like a rather advanced attack?
Also, the path to /boot/System.map-4.19.0-5-amd64 cannot be easily determined. Perhaps by parsing apt-file list kernel-package or by using information from uname and dynamically creating the name of the file.
If we create our own kernel package, we can wipe that file before creating the package, or when users compile their own kernel, they can wipe it.
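An added example, not part of the original post and not the project's own code: instead of making the file immutable (which breaks dpkg, as the output above shows), a kernel postinst hook can empty System.map again after every kernel install or upgrade. The hook file name and the function name wipe_system_map are assumptions; Debian kernel packages run the scripts in /etc/kernel/postinst.d with the kernel version as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post). Hypothetical hook, e.g. saved as
# /etc/kernel/postinst.d/zz-wipe-system-map (the file name is an assumption).
# It leaves an empty regular file behind, so dpkg can still back it up and
# replace it on the next upgrade, unlike the chattr +i approach.

# wipe_system_map BOOT_DIR KERNEL_VERSION
# Returns 0 if the map is now empty or was absent, 1 on refusal or failure.
wipe_system_map() {
    boot_dir=$1
    version=$2
    # The version becomes part of a path: reject empty or path-like values.
    case $version in
        ''|*/*|*..*)
            echo "refusing odd kernel version string: '$version'" >&2
            return 1 ;;
    esac
    map="$boot_dir/System.map-$version"
    # Never truncate through a symlink; the target could be any file.
    if [ -L "$map" ]; then
        echo "refusing to follow symlink: $map" >&2
        return 1
    fi
    [ -e "$map" ] || return 0          # nothing installed, nothing to do
    if [ ! -f "$map" ]; then
        echo "not a regular file: $map" >&2
        return 1
    fi
    # Truncate in a subshell so a failed redirection (read-only /boot,
    # immutable flag) is reported instead of aborting the calling shell.
    if ! ( : > "$map" ) 2>/dev/null; then
        echo "could not truncate $map" >&2
        return 1
    fi
    return 0
}

# Hook entry point: only acts when called with a kernel version argument.
# A failure is reported as a warning so the package installation itself
# is not turned into a dpkg error.
if [ -n "${1:-}" ]; then
    wipe_system_map /boot "$1" ||
        echo "warning: System.map-$1 was not wiped" >&2
fi
```
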