From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH] kernel: Disable CONFIG_DEBUG_FS
Date: Sun, 18 Sep 2022 11:08:32 +0200 [thread overview]
Message-ID: <554CECE8-9BD4-4305-8105-9077BB5AA493@ipfire.org> (raw)
In-Reply-To: <f795cf2b-fbf4-ecec-11b1-e42473c33fce@ipfire.org>
Agreed.
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 17 Sep 2022, at 21:24, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> According to the kernel's documentation,
>
>> debugfs is a virtual file system that kernel developers use to put
>> debugging files into. Enable this option to be able to read and
>> write to these files.
>
> There is no legitimate reason why one has to do so on an IPFire machine.
> Further, the vast debugging options (i.e. related to various drivers)
> have never been enabled, limiting the use of this virtual file system
> even further.
>
> This patch therefore proposes to disable it entirely, since its
> potential security impact outweighs its benefits. Due to operational
> constraints, changes to ARM kernel configurations will be made if this
> patch is approved for x86_64.
>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.x86_64-ipfire | 45 +++--------------------
> 1 file changed, 5 insertions(+), 40 deletions(-)
>
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index aa1e847dd..5dcdc9d7e 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -78,7 +78,6 @@ CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y
> CONFIG_GENERIC_IRQ_RESERVATION_MODE=y
> CONFIG_IRQ_FORCED_THREADING=y
> CONFIG_SPARSE_IRQ=y
> -# CONFIG_GENERIC_IRQ_DEBUGFS is not set
> # end of IRQ subsystem
>
> CONFIG_CLOCKSOURCE_WATCHDOG=y
> @@ -158,7 +157,6 @@ CONFIG_RCU_NEED_SEGCBLIST=y
> CONFIG_LOG_BUF_SHIFT=18
> CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
> CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13
> -# CONFIG_PRINTK_INDEX is not set
> CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
>
> #
> @@ -330,7 +328,6 @@ CONFIG_X86_EXTENDED_PLATFORM=y
> CONFIG_X86_INTEL_LPSS=y
> CONFIG_X86_AMD_PLATFORM_DEVICE=y
> CONFIG_IOSF_MBI=y
> -# CONFIG_IOSF_MBI_DEBUG is not set
> CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y
> CONFIG_SCHED_OMIT_FRAME_POINTER=y
> CONFIG_HYPERVISOR_GUEST=y
> @@ -348,7 +345,6 @@ CONFIG_XEN_PVHVM=y
> CONFIG_XEN_PVHVM_SMP=y
> CONFIG_XEN_PVHVM_GUEST=y
> CONFIG_XEN_SAVE_RESTORE=y
> -CONFIG_XEN_DEBUG_FS=y
> CONFIG_XEN_PVH=y
> CONFIG_XEN_DOM0=y
> CONFIG_KVM_GUEST=y
> @@ -398,7 +394,6 @@ CONFIG_X86_MCELOG_LEGACY=y
> CONFIG_X86_MCE_INTEL=y
> CONFIG_X86_MCE_AMD=y
> CONFIG_X86_MCE_THRESHOLD=y
> -# CONFIG_X86_MCE_INJECT is not set
>
> #
> # Performance monitoring
> @@ -421,7 +416,6 @@ CONFIG_X86_MSR=y
> CONFIG_X86_CPUID=y
> # CONFIG_X86_5LEVEL is not set
> CONFIG_X86_DIRECT_GBPAGES=y
> -# CONFIG_X86_CPA_STATISTICS is not set
> # CONFIG_AMD_MEM_ENCRYPT is not set
> # CONFIG_NUMA is not set
> CONFIG_ARCH_SPARSEMEM_ENABLE=y
> @@ -543,7 +537,6 @@ CONFIG_ACPI_CONTAINER=y
> CONFIG_ACPI_HOTPLUG_IOAPIC=y
> CONFIG_ACPI_SBS=m
> CONFIG_ACPI_HED=y
> -# CONFIG_ACPI_CUSTOM_METHOD is not set
> # CONFIG_ACPI_BGRT is not set
> # CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
> CONFIG_ACPI_NFIT=m
> @@ -554,7 +547,6 @@ CONFIG_ACPI_APEI=y
> CONFIG_ACPI_APEI_GHES=y
> CONFIG_ACPI_APEI_PCIEAER=y
> CONFIG_ACPI_APEI_MEMORY_FAILURE=y
> -# CONFIG_ACPI_APEI_EINJ is not set
> # CONFIG_ACPI_APEI_ERST_DEBUG is not set
> # CONFIG_ACPI_DPTF is not set
> CONFIG_ACPI_WATCHDOG=y
> @@ -772,7 +764,6 @@ CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
> CONFIG_STRICT_MODULE_RWX=y
> CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
> CONFIG_ARCH_USE_MEMREMAP_PROT=y
> -CONFIG_LOCK_EVENT_COUNTS=y
> CONFIG_ARCH_HAS_MEM_ENCRYPT=y
> CONFIG_HAVE_STATIC_CALL=y
> CONFIG_HAVE_STATIC_CALL_INLINE=y
> @@ -785,7 +776,6 @@ CONFIG_ARCH_HAS_PARANOID_L1D_FLUSH=y
> #
> # GCOV-based kernel profiling
> #
> -# CONFIG_GCOV_KERNEL is not set
> CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
> # end of GCOV-based kernel profiling
>
> @@ -837,8 +827,6 @@ CONFIG_BLK_DEV_THROTTLING=y
> # CONFIG_BLK_CGROUP_FC_APPID is not set
> # CONFIG_BLK_CGROUP_IOCOST is not set
> # CONFIG_BLK_CGROUP_IOPRIO is not set
> -CONFIG_BLK_DEBUG_FS=y
> -CONFIG_BLK_DEBUG_FS_ZONED=y
> # CONFIG_BLK_SED_OPAL is not set
> CONFIG_BLK_INLINE_ENCRYPTION=y
> CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
> @@ -971,7 +959,10 @@ CONFIG_VMAP_PFN=y
> CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
> CONFIG_ARCH_HAS_PKEYS=y
> # CONFIG_PERCPU_STATS is not set
> -# CONFIG_GUP_TEST is not set
> +
> +#
> +# GUP_TEST needs to have DEBUG_FS enabled
> +#
> # CONFIG_READ_ONLY_THP_FOR_FS is not set
> CONFIG_ARCH_HAS_PTE_SPECIAL=y
> CONFIG_MAPPING_DIRTY_HELPERS=y
> @@ -1464,7 +1455,6 @@ CONFIG_ATM_CLIP=m
> CONFIG_ATM_BR2684=m
> # CONFIG_ATM_BR2684_IPFILTER is not set
> CONFIG_L2TP=m
> -# CONFIG_L2TP_DEBUGFS is not set
> CONFIG_L2TP_V3=y
> CONFIG_L2TP_IP=m
> CONFIG_L2TP_ETH=m
> @@ -1677,7 +1667,6 @@ CONFIG_CFG80211_EXTRA_REGDB_KEYDIR=""
> CONFIG_CFG80211_REG_CELLULAR_HINTS=y
> CONFIG_CFG80211_REG_RELAX_NO_IR=y
> CONFIG_CFG80211_DEFAULT_PS=y
> -# CONFIG_CFG80211_DEBUGFS is not set
> CONFIG_CFG80211_CRDA_SUPPORT=y
> CONFIG_CFG80211_WEXT=y
> CONFIG_CFG80211_WEXT_EXPORT=y
> @@ -1693,7 +1682,6 @@ CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
> CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
> CONFIG_MAC80211_MESH=y
> CONFIG_MAC80211_LEDS=y
> -# CONFIG_MAC80211_DEBUGFS is not set
> # CONFIG_MAC80211_MESSAGE_TRACING is not set
> # CONFIG_MAC80211_DEBUG_MENU is not set
> CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
> @@ -1867,7 +1855,6 @@ CONFIG_DMA_SHARED_BUFFER=y
> # Bus devices
> #
> CONFIG_MHI_BUS=m
> -# CONFIG_MHI_BUS_DEBUG is not set
> # CONFIG_MHI_BUS_PCI_GENERIC is not set
> # end of Bus devices
>
> @@ -2168,7 +2155,6 @@ CONFIG_LIBFCOE=m
> CONFIG_FCOE=m
> CONFIG_FCOE_FNIC=m
> CONFIG_SCSI_SNIC=m
> -CONFIG_SCSI_SNIC_DEBUG_FS=y
> CONFIG_SCSI_DMX3191D=m
> CONFIG_SCSI_FDOMAIN=m
> CONFIG_SCSI_FDOMAIN_PCI=m
> @@ -2195,7 +2181,6 @@ CONFIG_SCSI_QLA_ISCSI=m
> CONFIG_QEDI=m
> CONFIG_QEDF=m
> CONFIG_SCSI_LPFC=m
> -# CONFIG_SCSI_LPFC_DEBUG_FS is not set
> CONFIG_SCSI_DC395x=m
> CONFIG_SCSI_AM53C974=m
> CONFIG_SCSI_WD719X=m
> @@ -2626,10 +2611,8 @@ CONFIG_NET_VENDOR_LITEX=y
> CONFIG_NET_VENDOR_MARVELL=y
> CONFIG_MVMDIO=m
> CONFIG_SKGE=m
> -# CONFIG_SKGE_DEBUG is not set
> CONFIG_SKGE_GENESIS=y
> CONFIG_SKY2=m
> -# CONFIG_SKY2_DEBUG is not set
> CONFIG_PRESTERA=m
> CONFIG_PRESTERA_PCI=m
> CONFIG_NET_VENDOR_MELLANOX=y
> @@ -2955,7 +2938,6 @@ CONFIG_ATH9K_BTCOEX_SUPPORT=y
> CONFIG_ATH9K=m
> CONFIG_ATH9K_PCI=y
> CONFIG_ATH9K_AHB=y
> -# CONFIG_ATH9K_DEBUGFS is not set
> CONFIG_ATH9K_DFS_CERTIFIED=y
> # CONFIG_ATH9K_DYNACK is not set
> # CONFIG_ATH9K_WOW is not set
> @@ -2964,7 +2946,6 @@ CONFIG_ATH9K_RFKILL=y
> CONFIG_ATH9K_PCOEM=y
> CONFIG_ATH9K_PCI_NO_EEPROM=m
> CONFIG_ATH9K_HTC=m
> -# CONFIG_ATH9K_HTC_DEBUGFS is not set
> CONFIG_ATH9K_HWRNG=y
> CONFIG_CARL9170=m
> CONFIG_CARL9170_LEDS=y
> @@ -2975,14 +2956,12 @@ CONFIG_AR5523=m
> CONFIG_WIL6210=m
> CONFIG_WIL6210_ISR_COR=y
> CONFIG_WIL6210_TRACING=y
> -# CONFIG_WIL6210_DEBUGFS is not set
> CONFIG_ATH10K=m
> CONFIG_ATH10K_CE=y
> CONFIG_ATH10K_PCI=m
> CONFIG_ATH10K_SDIO=m
> CONFIG_ATH10K_USB=m
> CONFIG_ATH10K_DEBUG=y
> -# CONFIG_ATH10K_DEBUGFS is not set
> # CONFIG_ATH10K_TRACING is not set
> CONFIG_ATH10K_DFS_CERTIFIED=y
> CONFIG_WCN36XX=m
> @@ -3241,7 +3220,6 @@ CONFIG_XEN_NETDEV_BACKEND=m
> CONFIG_VMXNET3=m
> CONFIG_FUJITSU_ES=m
> CONFIG_HYPERV_NET=m
> -# CONFIG_NETDEVSIM is not set
> CONFIG_NET_FAILOVER=m
> # CONFIG_ISDN is not set
>
> @@ -5116,7 +5094,6 @@ CONFIG_DRM_AMDGPU=m
> CONFIG_DRM_AMD_DC=y
> CONFIG_DRM_AMD_DC_DCN=y
> # CONFIG_DRM_AMD_DC_HDCP is not set
> -# CONFIG_DRM_AMD_SECURE_DISPLAY is not set
> # end of Display Engine Configuration
>
> # CONFIG_HSA_AMD is not set
> @@ -5371,7 +5348,6 @@ CONFIG_SND_DEBUG=y
> # CONFIG_SND_DEBUG_VERBOSE is not set
> CONFIG_SND_PCM_XRUN_DEBUG=y
> # CONFIG_SND_CTL_VALIDATION is not set
> -# CONFIG_SND_JACK_INJECTION_DEBUG is not set
> CONFIG_SND_VMASTER=y
> CONFIG_SND_DMA_SGBUF=y
> CONFIG_SND_CTL_LED=m
> @@ -6211,7 +6187,6 @@ CONFIG_DMA_ENGINE_RAID=y
> # DMABUF options
> #
> CONFIG_SYNC_FILE=y
> -CONFIG_SW_SYNC=y
> # CONFIG_UDMABUF is not set
> # CONFIG_DMABUF_MOVE_NOTIFY is not set
> # CONFIG_DMABUF_DEBUG is not set
> @@ -6487,7 +6462,6 @@ CONFIG_IOMMU_SUPPORT=y
> CONFIG_IOMMU_IO_PGTABLE=y
> # end of Generic IOMMU Pagetable Support
>
> -# CONFIG_IOMMU_DEBUGFS is not set
> CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
> # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set
> # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
> @@ -6633,7 +6607,6 @@ CONFIG_GENERIC_PHY=y
> # end of Performance monitor support
>
> CONFIG_RAS=y
> -# CONFIG_RAS_CEC is not set
> # CONFIG_USB4 is not set
>
> #
> @@ -6838,7 +6811,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
> CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
> # CONFIG_PSTORE_CONSOLE is not set
> # CONFIG_PSTORE_PMSG is not set
> -# CONFIG_PSTORE_FTRACE is not set
> # CONFIG_PSTORE_RAM is not set
> # CONFIG_PSTORE_BLK is not set
> # CONFIG_SYSV_FS is not set
> @@ -7369,7 +7341,6 @@ CONFIG_NEED_DMA_MAP_STATE=y
> CONFIG_ARCH_DMA_ADDR_T_64BIT=y
> CONFIG_SWIOTLB=y
> # CONFIG_DMA_API_DEBUG is not set
> -# CONFIG_DMA_MAP_BENCHMARK is not set
> CONFIG_SGL_ALLOC=y
> CONFIG_CHECK_SIGNATURE=y
> CONFIG_CPU_RMAP=y
> @@ -7443,10 +7414,7 @@ CONFIG_STACK_VALIDATION=y
> # Generic Kernel Debugging Instruments
> #
> # CONFIG_MAGIC_SYSRQ is not set
> -CONFIG_DEBUG_FS=y
> -CONFIG_DEBUG_FS_ALLOW_ALL=y
> -# CONFIG_DEBUG_FS_DISALLOW_MOUNT is not set
> -# CONFIG_DEBUG_FS_ALLOW_NONE is not set
> +# CONFIG_DEBUG_FS is not set
> CONFIG_HAVE_ARCH_KGDB=y
> # CONFIG_KGDB is not set
> CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
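Review bot: Switching to `# CONFIG_DEBUG_FS is not set` here removes more than unused knobs: other hunks of this patch drop six options that were actually built in (`CONFIG_XEN_DEBUG_FS`, `CONFIG_BLK_DEBUG_FS`, `CONFIG_BLK_DEBUG_FS_ZONED`, `CONFIG_SCSI_SNIC_DEBUG_FS`, `CONFIG_LOCK_EVENT_COUNTS`, `CONFIG_SW_SYNC`), which the commit message's "have never been enabled" does not mention. I would list them in the message so that both the reduced attack surface and the lost diagnostics are on record. Before merging it is worth grepping the initscripts and fstab templates for a debugfs mount or any `/sys/kernel/debug` path, since those would presumably start failing on the new kernel; on a built image, `grep debugfs /proc/filesystems` should print nothing. Until the ARM configurations follow, as the description says they will, those builds keep whatever debugfs setting they have today, so the hardening is x86_64-only for now.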
> @@ -7472,7 +7440,6 @@ CONFIG_ARCH_HAS_DEBUG_WX=y
> CONFIG_DEBUG_WX=y
> CONFIG_GENERIC_PTDUMP=y
> CONFIG_PTDUMP_CORE=y
> -# CONFIG_PTDUMP_DEBUGFS is not set
> # CONFIG_DEBUG_OBJECTS is not set
> # CONFIG_SLUB_STATS is not set
> CONFIG_HAVE_DEBUG_KMEMLEAK=y
> @@ -7665,7 +7632,6 @@ CONFIG_IO_DELAY_0X80=y
> # CONFIG_IO_DELAY_0XED is not set
> # CONFIG_IO_DELAY_UDELAY is not set
> # CONFIG_IO_DELAY_NONE is not set
> -# CONFIG_DEBUG_BOOT_PARAMS is not set
> # CONFIG_CPA_DEBUG is not set
> # CONFIG_DEBUG_ENTRY is not set
> # CONFIG_DEBUG_NMI_SELFTEST is not set
> @@ -7688,6 +7654,5 @@ CONFIG_CC_HAS_SANCOV_TRACE_PC=y
> # CONFIG_RUNTIME_TESTING_MENU is not set
> CONFIG_ARCH_USE_MEMTEST=y
> # CONFIG_MEMTEST is not set
> -# CONFIG_HYPERV_TESTING is not set
> # end of Kernel Testing and Coverage
> # end of Kernel hacking
> --
> 2.35.3