From patchwork Sat Sep 17 19:24:46 2022
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 5999
Date: Sat, 17 Sep 2022 19:24:46 +0000
To: "IPFire: Development"
From: Peter Müller
Subject: [RFC PATCH] kernel: Disable CONFIG_DEBUG_FS

According to the kernel's documentation,

> debugfs is a virtual file system that kernel developers use to put
> debugging files into. Enable this option to be able to read and
> write to these files.

There is no legitimate reason why one has to do so on an IPFire machine. Further, the vast debugging options (i.e. related to various drivers) have never been enabled, limiting the use of this virtual file system even further.

This patch therefore proposes to disable it entirely, since its potential security impact outweighs its benefits.

Due to operational constraints, changes to ARM kernel configurations will be made if this patch is approved for x86_64.

Signed-off-by: Peter Müller
Reviewed-by: Michael Tremer
---
 config/kernel/kernel.config.x86_64-ipfire | 45 +++--------------------
 1 file changed, 5 insertions(+), 40 deletions(-)

diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index aa1e847dd..5dcdc9d7e 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -78,7 +78,6 @@ CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y CONFIG_GENERIC_IRQ_RESERVATION_MODE=y CONFIG_IRQ_FORCED_THREADING=y CONFIG_SPARSE_IRQ=y -# CONFIG_GENERIC_IRQ_DEBUGFS is not set # end of IRQ subsystem CONFIG_CLOCKSOURCE_WATCHDOG=y @@ -158,7 +157,6 @@ CONFIG_RCU_NEED_SEGCBLIST=y CONFIG_LOG_BUF_SHIFT=18 CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 -# CONFIG_PRINTK_INDEX is not set CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y #
@@ -330,7 +328,6 @@ CONFIG_X86_EXTENDED_PLATFORM=y CONFIG_X86_INTEL_LPSS=y CONFIG_X86_AMD_PLATFORM_DEVICE=y CONFIG_IOSF_MBI=y -# CONFIG_IOSF_MBI_DEBUG is not set CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y CONFIG_SCHED_OMIT_FRAME_POINTER=y CONFIG_HYPERVISOR_GUEST=y @@ -348,7 +345,6 @@ CONFIG_XEN_PVHVM=y CONFIG_XEN_PVHVM_SMP=y CONFIG_XEN_PVHVM_GUEST=y CONFIG_XEN_SAVE_RESTORE=y -CONFIG_XEN_DEBUG_FS=y CONFIG_XEN_PVH=y CONFIG_XEN_DOM0=y CONFIG_KVM_GUEST=y @@ -398,7 +394,6 @@ CONFIG_X86_MCELOG_LEGACY=y CONFIG_X86_MCE_INTEL=y CONFIG_X86_MCE_AMD=y CONFIG_X86_MCE_THRESHOLD=y -# CONFIG_X86_MCE_INJECT is not set # # Performance monitoring @@ -421,7 +416,6 @@ CONFIG_X86_MSR=y CONFIG_X86_CPUID=y # CONFIG_X86_5LEVEL is not set CONFIG_X86_DIRECT_GBPAGES=y -# CONFIG_X86_CPA_STATISTICS is not set # CONFIG_AMD_MEM_ENCRYPT is not set # CONFIG_NUMA is not set CONFIG_ARCH_SPARSEMEM_ENABLE=y @@ -543,7 +537,6 @@ CONFIG_ACPI_CONTAINER=y CONFIG_ACPI_HOTPLUG_IOAPIC=y CONFIG_ACPI_SBS=m CONFIG_ACPI_HED=y -# CONFIG_ACPI_CUSTOM_METHOD is not set # CONFIG_ACPI_BGRT is not set # CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set CONFIG_ACPI_NFIT=m @@ -554,7 +547,6 @@ CONFIG_ACPI_APEI=y CONFIG_ACPI_APEI_GHES=y CONFIG_ACPI_APEI_PCIEAER=y CONFIG_ACPI_APEI_MEMORY_FAILURE=y -# CONFIG_ACPI_APEI_EINJ is not set # CONFIG_ACPI_APEI_ERST_DEBUG is not set # CONFIG_ACPI_DPTF is not set CONFIG_ACPI_WATCHDOG=y @@ -772,7 +764,6 @@ CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y CONFIG_STRICT_MODULE_RWX=y CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y CONFIG_ARCH_USE_MEMREMAP_PROT=y -CONFIG_LOCK_EVENT_COUNTS=y CONFIG_ARCH_HAS_MEM_ENCRYPT=y CONFIG_HAVE_STATIC_CALL=y CONFIG_HAVE_STATIC_CALL_INLINE=y @@ -785,7 +776,6 @@ CONFIG_ARCH_HAS_PARANOID_L1D_FLUSH=y # # GCOV-based kernel profiling # -# CONFIG_GCOV_KERNEL is not set CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling 
@@ -837,8 +827,6 @@ CONFIG_BLK_DEV_THROTTLING=y # CONFIG_BLK_CGROUP_FC_APPID is not set # CONFIG_BLK_CGROUP_IOCOST is not set # CONFIG_BLK_CGROUP_IOPRIO is not set -CONFIG_BLK_DEBUG_FS=y -CONFIG_BLK_DEBUG_FS_ZONED=y # CONFIG_BLK_SED_OPAL is not set CONFIG_BLK_INLINE_ENCRYPTION=y CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y @@ -971,7 +959,10 @@ CONFIG_VMAP_PFN=y CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y CONFIG_ARCH_HAS_PKEYS=y # CONFIG_PERCPU_STATS is not set -# CONFIG_GUP_TEST is not set + +# +# GUP_TEST needs to have DEBUG_FS enabled +# # CONFIG_READ_ONLY_THP_FOR_FS is not set CONFIG_ARCH_HAS_PTE_SPECIAL=y CONFIG_MAPPING_DIRTY_HELPERS=y @@ -1464,7 +1455,6 @@ CONFIG_ATM_CLIP=m CONFIG_ATM_BR2684=m # CONFIG_ATM_BR2684_IPFILTER is not set CONFIG_L2TP=m -# CONFIG_L2TP_DEBUGFS is not set CONFIG_L2TP_V3=y CONFIG_L2TP_IP=m CONFIG_L2TP_ETH=m @@ -1677,7 +1667,6 @@ CONFIG_CFG80211_EXTRA_REGDB_KEYDIR="" CONFIG_CFG80211_REG_CELLULAR_HINTS=y CONFIG_CFG80211_REG_RELAX_NO_IR=y CONFIG_CFG80211_DEFAULT_PS=y -# CONFIG_CFG80211_DEBUGFS is not set CONFIG_CFG80211_CRDA_SUPPORT=y CONFIG_CFG80211_WEXT=y CONFIG_CFG80211_WEXT_EXPORT=y @@ -1693,7 +1682,6 @@ CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y CONFIG_MAC80211_RC_DEFAULT="minstrel_ht" CONFIG_MAC80211_MESH=y CONFIG_MAC80211_LEDS=y -# CONFIG_MAC80211_DEBUGFS is not set # CONFIG_MAC80211_MESSAGE_TRACING is not set # CONFIG_MAC80211_DEBUG_MENU is not set CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 @@ -1867,7 +1855,6 @@ CONFIG_DMA_SHARED_BUFFER=y # Bus devices # CONFIG_MHI_BUS=m -# CONFIG_MHI_BUS_DEBUG is not set # CONFIG_MHI_BUS_PCI_GENERIC is not set # end of Bus devices @@ -2168,7 +2155,6 @@ CONFIG_LIBFCOE=m CONFIG_FCOE=m CONFIG_FCOE_FNIC=m CONFIG_SCSI_SNIC=m -CONFIG_SCSI_SNIC_DEBUG_FS=y CONFIG_SCSI_DMX3191D=m CONFIG_SCSI_FDOMAIN=m CONFIG_SCSI_FDOMAIN_PCI=m @@ -2195,7 +2181,6 @@ CONFIG_SCSI_QLA_ISCSI=m CONFIG_QEDI=m CONFIG_QEDF=m CONFIG_SCSI_LPFC=m -# CONFIG_SCSI_LPFC_DEBUG_FS is not set CONFIG_SCSI_DC395x=m CONFIG_SCSI_AM53C974=m CONFIG_SCSI_WD719X=m 
@@ -2626,10 +2611,8 @@ CONFIG_NET_VENDOR_LITEX=y CONFIG_NET_VENDOR_MARVELL=y CONFIG_MVMDIO=m CONFIG_SKGE=m -# CONFIG_SKGE_DEBUG is not set CONFIG_SKGE_GENESIS=y CONFIG_SKY2=m -# CONFIG_SKY2_DEBUG is not set CONFIG_PRESTERA=m CONFIG_PRESTERA_PCI=m CONFIG_NET_VENDOR_MELLANOX=y @@ -2955,7 +2938,6 @@ CONFIG_ATH9K_BTCOEX_SUPPORT=y CONFIG_ATH9K=m CONFIG_ATH9K_PCI=y CONFIG_ATH9K_AHB=y -# CONFIG_ATH9K_DEBUGFS is not set CONFIG_ATH9K_DFS_CERTIFIED=y # CONFIG_ATH9K_DYNACK is not set # CONFIG_ATH9K_WOW is not set @@ -2964,7 +2946,6 @@ CONFIG_ATH9K_RFKILL=y CONFIG_ATH9K_PCOEM=y CONFIG_ATH9K_PCI_NO_EEPROM=m CONFIG_ATH9K_HTC=m -# CONFIG_ATH9K_HTC_DEBUGFS is not set CONFIG_ATH9K_HWRNG=y CONFIG_CARL9170=m CONFIG_CARL9170_LEDS=y @@ -2975,14 +2956,12 @@ CONFIG_AR5523=m CONFIG_WIL6210=m CONFIG_WIL6210_ISR_COR=y CONFIG_WIL6210_TRACING=y -# CONFIG_WIL6210_DEBUGFS is not set CONFIG_ATH10K=m CONFIG_ATH10K_CE=y CONFIG_ATH10K_PCI=m CONFIG_ATH10K_SDIO=m CONFIG_ATH10K_USB=m CONFIG_ATH10K_DEBUG=y -# CONFIG_ATH10K_DEBUGFS is not set # CONFIG_ATH10K_TRACING is not set CONFIG_ATH10K_DFS_CERTIFIED=y CONFIG_WCN36XX=m @@ -3241,7 +3220,6 @@ CONFIG_XEN_NETDEV_BACKEND=m CONFIG_VMXNET3=m CONFIG_FUJITSU_ES=m CONFIG_HYPERV_NET=m -# CONFIG_NETDEVSIM is not set CONFIG_NET_FAILOVER=m # CONFIG_ISDN is not set @@ -5116,7 +5094,6 @@ CONFIG_DRM_AMDGPU=m CONFIG_DRM_AMD_DC=y CONFIG_DRM_AMD_DC_DCN=y # CONFIG_DRM_AMD_DC_HDCP is not set -# CONFIG_DRM_AMD_SECURE_DISPLAY is not set # end of Display Engine Configuration # CONFIG_HSA_AMD is not set @@ -5371,7 +5348,6 @@ CONFIG_SND_DEBUG=y # CONFIG_SND_DEBUG_VERBOSE is not set CONFIG_SND_PCM_XRUN_DEBUG=y # CONFIG_SND_CTL_VALIDATION is not set -# CONFIG_SND_JACK_INJECTION_DEBUG is not set CONFIG_SND_VMASTER=y CONFIG_SND_DMA_SGBUF=y CONFIG_SND_CTL_LED=m @@ -6211,7 +6187,6 @@ CONFIG_DMA_ENGINE_RAID=y # DMABUF options # CONFIG_SYNC_FILE=y -CONFIG_SW_SYNC=y # CONFIG_UDMABUF is not set # CONFIG_DMABUF_MOVE_NOTIFY is not set # CONFIG_DMABUF_DEBUG is not set 
@@ -6487,7 +6462,6 @@ CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_IO_PGTABLE=y # end of Generic IOMMU Pagetable Support -# CONFIG_IOMMU_DEBUGFS is not set CONFIG_IOMMU_DEFAULT_DMA_STRICT=y # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set @@ -6633,7 +6607,6 @@ CONFIG_GENERIC_PHY=y # end of Performance monitor support CONFIG_RAS=y -# CONFIG_RAS_CEC is not set # CONFIG_USB4 is not set # @@ -6838,7 +6811,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set -# CONFIG_PSTORE_FTRACE is not set # CONFIG_PSTORE_RAM is not set # CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set @@ -7369,7 +7341,6 @@ CONFIG_NEED_DMA_MAP_STATE=y CONFIG_ARCH_DMA_ADDR_T_64BIT=y CONFIG_SWIOTLB=y # CONFIG_DMA_API_DEBUG is not set -# CONFIG_DMA_MAP_BENCHMARK is not set CONFIG_SGL_ALLOC=y CONFIG_CHECK_SIGNATURE=y CONFIG_CPU_RMAP=y @@ -7443,10 +7414,7 @@ CONFIG_STACK_VALIDATION=y # Generic Kernel Debugging Instruments # # CONFIG_MAGIC_SYSRQ is not set -CONFIG_DEBUG_FS=y -CONFIG_DEBUG_FS_ALLOW_ALL=y -# CONFIG_DEBUG_FS_DISALLOW_MOUNT is not set -# CONFIG_DEBUG_FS_ALLOW_NONE is not set +# CONFIG_DEBUG_FS is not set CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y @@ -7472,7 +7440,6 @@ CONFIG_ARCH_HAS_DEBUG_WX=y CONFIG_DEBUG_WX=y CONFIG_GENERIC_PTDUMP=y CONFIG_PTDUMP_CORE=y -# CONFIG_PTDUMP_DEBUGFS is not set # CONFIG_DEBUG_OBJECTS is not set # CONFIG_SLUB_STATS is not set CONFIG_HAVE_DEBUG_KMEMLEAK=y @@ -7665,7 +7632,6 @@ CONFIG_IO_DELAY_0X80=y # CONFIG_IO_DELAY_0XED is not set # CONFIG_IO_DELAY_UDELAY is not set # CONFIG_IO_DELAY_NONE is not set -# CONFIG_DEBUG_BOOT_PARAMS is not set # CONFIG_CPA_DEBUG is not set # CONFIG_DEBUG_ENTRY is not set # CONFIG_DEBUG_NMI_SELFTEST is not set 
@@ -7688,6 +7654,5 @@ CONFIG_CC_HAS_SANCOV_TRACE_PC=y # CONFIG_RUNTIME_TESTING_MENU is not set CONFIG_ARCH_USE_MEMTEST=y # CONFIG_MEMTEST is not set -# CONFIG_HYPERV_TESTING is not set # end of Kernel Testing and Coverage # end of Kernel hacking
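
Review bot: The commit message says the debugging options "have never been enabled", but several removed lines across the diff were set to `y`, for example `CONFIG_XEN_DEBUG_FS=y` in the hunk at @@ -348,7 +345,6 @@, `CONFIG_BLK_DEBUG_FS=y` in the hunk at @@ -837,8 +827,6 @@ and `CONFIG_SW_SYNC=y` in the hunk at @@ -6211,7 +6187,6 @@, along with BLK_DEBUG_FS_ZONED, SCSI_SNIC_DEBUG_FS and LOCK_EVENT_COUNTS. Please list the options that change from enabled to absent in the commit message, so that anyone who relied on one of them can find the change that removed it.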
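
Review bot: In the hunk at @@ -2975,14 +2956,12 @@, `CONFIG_ATH10K_DEBUG=y` remains as a context line while `# CONFIG_ATH10K_DEBUGFS is not set` is dropped, and `CONFIG_SND_DEBUG=y` and `CONFIG_SND_PCM_XRUN_DEBUG=y` likewise remain in the hunk at @@ -5371,7 +5348,6 @@. If the aim is to reduce debugging facilities in the shipped kernel, the commit message should say whether these are kept deliberately or are left for a follow-up patch.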
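
Review bot: In the hunk at @@ -7443,10 +7414,7 @@, the previous configuration ran with `CONFIG_DEBUG_FS_ALLOW_ALL=y` and left the two narrower choices, `# CONFIG_DEBUG_FS_DISALLOW_MOUNT is not set` and `# CONFIG_DEBUG_FS_ALLOW_NONE is not set`, unused; the commit message does not explain why neither was considered sufficient. A sentence on why removing `CONFIG_DEBUG_FS` outright is preferred over those settings would document the decision, and since the ARM configurations are only to follow later, it is worth stating that the architectures will differ in this respect until then.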