Agreed. Reviewed-by: Michael Tremer
> On 17 Sep 2022, at 21:24, Peter Müller wrote:
>
> According to the kernel's documentation,
>
>> debugfs is a virtual file system that kernel developers use to put
>> debugging files into. Enable this option to be able to read and
>> write to these files.
>
> There is no legitimate reason why one has to do so on an IPFire machine.
> Further, the vast debugging options (i.e. related to various drivers)
> have never been enabled, limiting the use of this virtual file system
> even further.
>
> This patch therefore proposes to disable it entirely, since its
> potential security impact outweights its benefits. Due to operational
> constraints, changes to ARM kernel configurations will be made if this
> patch is approved for x86_64.
>
> Signed-off-by: Peter Müller
> ---
> config/kernel/kernel.config.x86_64-ipfire | 45 +++--------------------
> 1 file changed, 5 insertions(+), 40 deletions(-)
>
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index aa1e847dd..5dcdc9d7e 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -78,7 +78,6 @@ CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y
> CONFIG_GENERIC_IRQ_RESERVATION_MODE=y
> CONFIG_IRQ_FORCED_THREADING=y
> CONFIG_SPARSE_IRQ=y
> -# CONFIG_GENERIC_IRQ_DEBUGFS is not set
> # end of IRQ subsystem
>
> CONFIG_CLOCKSOURCE_WATCHDOG=y
> @@ -158,7 +157,6 @@ CONFIG_RCU_NEED_SEGCBLIST=y
> CONFIG_LOG_BUF_SHIFT=18
> CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
> CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13
> -# CONFIG_PRINTK_INDEX is not set
> CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
>
> #
> @@ -330,7 +328,6 @@ CONFIG_X86_EXTENDED_PLATFORM=y
> CONFIG_X86_INTEL_LPSS=y
> CONFIG_X86_AMD_PLATFORM_DEVICE=y
> CONFIG_IOSF_MBI=y
> -# CONFIG_IOSF_MBI_DEBUG is not set
> CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y
> CONFIG_SCHED_OMIT_FRAME_POINTER=y
> CONFIG_HYPERVISOR_GUEST=y
> @@ -348,7 +345,6 @@ CONFIG_XEN_PVHVM=y
> CONFIG_XEN_PVHVM_SMP=y
> CONFIG_XEN_PVHVM_GUEST=y
> CONFIG_XEN_SAVE_RESTORE=y
> -CONFIG_XEN_DEBUG_FS=y
> CONFIG_XEN_PVH=y
> CONFIG_XEN_DOM0=y
> CONFIG_KVM_GUEST=y
> @@ -398,7 +394,6 @@ CONFIG_X86_MCELOG_LEGACY=y
> CONFIG_X86_MCE_INTEL=y
> CONFIG_X86_MCE_AMD=y
> CONFIG_X86_MCE_THRESHOLD=y
> -# CONFIG_X86_MCE_INJECT is not set
>
> #
> # Performance monitoring
> @@ -421,7 +416,6 @@ CONFIG_X86_MSR=y
> CONFIG_X86_CPUID=y
> # CONFIG_X86_5LEVEL is not set
> CONFIG_X86_DIRECT_GBPAGES=y
> -# CONFIG_X86_CPA_STATISTICS is not set
> # CONFIG_AMD_MEM_ENCRYPT is not set
> # CONFIG_NUMA is not set
> CONFIG_ARCH_SPARSEMEM_ENABLE=y
> @@ -543,7 +537,6 @@ CONFIG_ACPI_CONTAINER=y
> CONFIG_ACPI_HOTPLUG_IOAPIC=y
> CONFIG_ACPI_SBS=m
> CONFIG_ACPI_HED=y
> -# CONFIG_ACPI_CUSTOM_METHOD is not set
> # CONFIG_ACPI_BGRT is not set
> # CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
> CONFIG_ACPI_NFIT=m
> @@ -554,7 +547,6 @@ CONFIG_ACPI_APEI=y
> CONFIG_ACPI_APEI_GHES=y
> CONFIG_ACPI_APEI_PCIEAER=y
> CONFIG_ACPI_APEI_MEMORY_FAILURE=y
> -# CONFIG_ACPI_APEI_EINJ is not set
> # CONFIG_ACPI_APEI_ERST_DEBUG is not set
> # CONFIG_ACPI_DPTF is not set
> CONFIG_ACPI_WATCHDOG=y
> @@ -772,7 +764,6 @@ CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
> CONFIG_STRICT_MODULE_RWX=y
> CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
> CONFIG_ARCH_USE_MEMREMAP_PROT=y
> -CONFIG_LOCK_EVENT_COUNTS=y
> CONFIG_ARCH_HAS_MEM_ENCRYPT=y
> CONFIG_HAVE_STATIC_CALL=y
> CONFIG_HAVE_STATIC_CALL_INLINE=y
> @@ -785,7 +776,6 @@ CONFIG_ARCH_HAS_PARANOID_L1D_FLUSH=y
> #
> # GCOV-based kernel profiling
> #
> -# CONFIG_GCOV_KERNEL is not set
> CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
> # end of GCOV-based kernel profiling
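Review bot: The removal of `CONFIG_XEN_DEBUG_FS=y` in the `-348,7` hunk shows that some debugfs consumers were actually built in, which the commit message's "have never been enabled" wording does not reflect. The same applies to `CONFIG_LOCK_EVENT_COUNTS=y` in the `-772,7` hunk and to `CONFIG_BLK_DEBUG_FS=y`, `CONFIG_BLK_DEBUG_FS_ZONED=y`, `CONFIG_SCSI_SNIC_DEBUG_FS=y` and `CONFIG_SW_SYNC=y` in later hunks. I would name them in the commit message, for example `Previously enabled options dropped together with DEBUG_FS: XEN_DEBUG_FS, LOCK_EVENT_COUNTS, BLK_DEBUG_FS, BLK_DEBUG_FS_ZONED, SCSI_SNIC_DEBUG_FS, SW_SYNC`. That makes the reduction in exposed kernel interfaces auditable and lets anyone who later misses the block-layer or Xen debug files trace the loss to this change.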
>
> @@ -837,8 +827,6 @@ CONFIG_BLK_DEV_THROTTLING=y
> # CONFIG_BLK_CGROUP_FC_APPID is not set
> # CONFIG_BLK_CGROUP_IOCOST is not set
> # CONFIG_BLK_CGROUP_IOPRIO is not set
> -CONFIG_BLK_DEBUG_FS=y
> -CONFIG_BLK_DEBUG_FS_ZONED=y
> # CONFIG_BLK_SED_OPAL is not set
> CONFIG_BLK_INLINE_ENCRYPTION=y
> CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
> @@ -971,7 +959,10 @@ CONFIG_VMAP_PFN=y
> CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
> CONFIG_ARCH_HAS_PKEYS=y
> # CONFIG_PERCPU_STATS is not set
> -# CONFIG_GUP_TEST is not set
> +
> +#
> +# GUP_TEST needs to have DEBUG_FS enabled
> +#
> # CONFIG_READ_ONLY_THP_FOR_FS is not set
> CONFIG_ARCH_HAS_PTE_SPECIAL=y
> CONFIG_MAPPING_DIRTY_HELPERS=y
> @@ -1464,7 +1455,6 @@ CONFIG_ATM_CLIP=m
> CONFIG_ATM_BR2684=m
> # CONFIG_ATM_BR2684_IPFILTER is not set
> CONFIG_L2TP=m
> -# CONFIG_L2TP_DEBUGFS is not set
> CONFIG_L2TP_V3=y
> CONFIG_L2TP_IP=m
> CONFIG_L2TP_ETH=m
> @@ -1677,7 +1667,6 @@ CONFIG_CFG80211_EXTRA_REGDB_KEYDIR=""
> CONFIG_CFG80211_REG_CELLULAR_HINTS=y
> CONFIG_CFG80211_REG_RELAX_NO_IR=y
> CONFIG_CFG80211_DEFAULT_PS=y
> -# CONFIG_CFG80211_DEBUGFS is not set
> CONFIG_CFG80211_CRDA_SUPPORT=y
> CONFIG_CFG80211_WEXT=y
> CONFIG_CFG80211_WEXT_EXPORT=y
> @@ -1693,7 +1682,6 @@ CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
> CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
> CONFIG_MAC80211_MESH=y
> CONFIG_MAC80211_LEDS=y
> -# CONFIG_MAC80211_DEBUGFS is not set
> # CONFIG_MAC80211_MESSAGE_TRACING is not set
> # CONFIG_MAC80211_DEBUG_MENU is not set
> CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
> @@ -1867,7 +1855,6 @@ CONFIG_DMA_SHARED_BUFFER=y
> # Bus devices
> #
> CONFIG_MHI_BUS=m
> -# CONFIG_MHI_BUS_DEBUG is not set
> # CONFIG_MHI_BUS_PCI_GENERIC is not set
> # end of Bus devices
>
> @@ -2168,7 +2155,6 @@ CONFIG_LIBFCOE=m
> CONFIG_FCOE=m
> CONFIG_FCOE_FNIC=m
> CONFIG_SCSI_SNIC=m
> -CONFIG_SCSI_SNIC_DEBUG_FS=y
> CONFIG_SCSI_DMX3191D=m
> CONFIG_SCSI_FDOMAIN=m
> CONFIG_SCSI_FDOMAIN_PCI=m
> @@ -2195,7 +2181,6 @@ CONFIG_SCSI_QLA_ISCSI=m
> CONFIG_QEDI=m
> CONFIG_QEDF=m
> CONFIG_SCSI_LPFC=m
> -# CONFIG_SCSI_LPFC_DEBUG_FS is not set
> CONFIG_SCSI_DC395x=m
> CONFIG_SCSI_AM53C974=m
> CONFIG_SCSI_WD719X=m
> @@ -2626,10 +2611,8 @@ CONFIG_NET_VENDOR_LITEX=y
> CONFIG_NET_VENDOR_MARVELL=y
> CONFIG_MVMDIO=m
> CONFIG_SKGE=m
> -# CONFIG_SKGE_DEBUG is not set
> CONFIG_SKGE_GENESIS=y
> CONFIG_SKY2=m
> -# CONFIG_SKY2_DEBUG is not set
> CONFIG_PRESTERA=m
> CONFIG_PRESTERA_PCI=m
> CONFIG_NET_VENDOR_MELLANOX=y
> @@ -2955,7 +2938,6 @@ CONFIG_ATH9K_BTCOEX_SUPPORT=y
> CONFIG_ATH9K=m
> CONFIG_ATH9K_PCI=y
> CONFIG_ATH9K_AHB=y
> -# CONFIG_ATH9K_DEBUGFS is not set
> CONFIG_ATH9K_DFS_CERTIFIED=y
> # CONFIG_ATH9K_DYNACK is not set
> # CONFIG_ATH9K_WOW is not set
> @@ -2964,7 +2946,6 @@ CONFIG_ATH9K_RFKILL=y
> CONFIG_ATH9K_PCOEM=y
> CONFIG_ATH9K_PCI_NO_EEPROM=m
> CONFIG_ATH9K_HTC=m
> -# CONFIG_ATH9K_HTC_DEBUGFS is not set
> CONFIG_ATH9K_HWRNG=y
> CONFIG_CARL9170=m
> CONFIG_CARL9170_LEDS=y
> @@ -2975,14 +2956,12 @@ CONFIG_AR5523=m
> CONFIG_WIL6210=m
> CONFIG_WIL6210_ISR_COR=y
> CONFIG_WIL6210_TRACING=y
> -# CONFIG_WIL6210_DEBUGFS is not set
> CONFIG_ATH10K=m
> CONFIG_ATH10K_CE=y
> CONFIG_ATH10K_PCI=m
> CONFIG_ATH10K_SDIO=m
> CONFIG_ATH10K_USB=m
> CONFIG_ATH10K_DEBUG=y
> -# CONFIG_ATH10K_DEBUGFS is not set
> # CONFIG_ATH10K_TRACING is not set
> CONFIG_ATH10K_DFS_CERTIFIED=y
> CONFIG_WCN36XX=m
> @@ -3241,7 +3220,6 @@ CONFIG_XEN_NETDEV_BACKEND=m
> CONFIG_VMXNET3=m
> CONFIG_FUJITSU_ES=m
> CONFIG_HYPERV_NET=m
> -# CONFIG_NETDEVSIM is not set
> CONFIG_NET_FAILOVER=m
> # CONFIG_ISDN is not set
>
> @@ -5116,7 +5094,6 @@ CONFIG_DRM_AMDGPU=m
> CONFIG_DRM_AMD_DC=y
> CONFIG_DRM_AMD_DC_DCN=y
> # CONFIG_DRM_AMD_DC_HDCP is not set
> -# CONFIG_DRM_AMD_SECURE_DISPLAY is not set
> # end of Display Engine Configuration
>
> # CONFIG_HSA_AMD is not set
> @@ -5371,7 +5348,6 @@ CONFIG_SND_DEBUG=y
> # CONFIG_SND_DEBUG_VERBOSE is not set
> CONFIG_SND_PCM_XRUN_DEBUG=y
> # CONFIG_SND_CTL_VALIDATION is not set
> -# CONFIG_SND_JACK_INJECTION_DEBUG is not set
> CONFIG_SND_VMASTER=y
> CONFIG_SND_DMA_SGBUF=y
> CONFIG_SND_CTL_LED=m
> @@ -6211,7 +6187,6 @@ CONFIG_DMA_ENGINE_RAID=y
> # DMABUF options
> #
> CONFIG_SYNC_FILE=y
> -CONFIG_SW_SYNC=y
> # CONFIG_UDMABUF is not set
> # CONFIG_DMABUF_MOVE_NOTIFY is not set
> # CONFIG_DMABUF_DEBUG is not set
> @@ -6487,7 +6462,6 @@ CONFIG_IOMMU_SUPPORT=y
> CONFIG_IOMMU_IO_PGTABLE=y
> # end of Generic IOMMU Pagetable Support
>
> -# CONFIG_IOMMU_DEBUGFS is not set
> CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
> # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set
> # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
> @@ -6633,7 +6607,6 @@ CONFIG_GENERIC_PHY=y
> # end of Performance monitor support
>
> CONFIG_RAS=y
> -# CONFIG_RAS_CEC is not set
> # CONFIG_USB4 is not set
>
> #
> @@ -6838,7 +6811,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
> CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
> # CONFIG_PSTORE_CONSOLE is not set
> # CONFIG_PSTORE_PMSG is not set
> -# CONFIG_PSTORE_FTRACE is not set
> # CONFIG_PSTORE_RAM is not set
> # CONFIG_PSTORE_BLK is not set
> # CONFIG_SYSV_FS is not set
> @@ -7369,7 +7341,6 @@ CONFIG_NEED_DMA_MAP_STATE=y
> CONFIG_ARCH_DMA_ADDR_T_64BIT=y
> CONFIG_SWIOTLB=y
> # CONFIG_DMA_API_DEBUG is not set
> -# CONFIG_DMA_MAP_BENCHMARK is not set
> CONFIG_SGL_ALLOC=y
> CONFIG_CHECK_SIGNATURE=y
> CONFIG_CPU_RMAP=y
> @@ -7443,10 +7414,7 @@ CONFIG_STACK_VALIDATION=y
> # Generic Kernel Debugging Instruments
> #
> # CONFIG_MAGIC_SYSRQ is not set
> -CONFIG_DEBUG_FS=y
> -CONFIG_DEBUG_FS_ALLOW_ALL=y
> -# CONFIG_DEBUG_FS_DISALLOW_MOUNT is not set
> -# CONFIG_DEBUG_FS_ALLOW_NONE is not set
> +# CONFIG_DEBUG_FS is not set
> CONFIG_HAVE_ARCH_KGDB=y
> # CONFIG_KGDB is not set
> CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
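Review bot: With `# CONFIG_DEBUG_FS is not set` in the `-7443,10` hunk the filesystem type is no longer registered, so any remaining `mount -t debugfs` in an initscript or fstab entry would start failing at boot. None is visible in this patch, so a grep of the tree before merging is worthwhile. The description also defers the ARM configurations, which presumably still carry the old `CONFIG_DEBUG_FS=y` / `CONFIG_DEBUG_FS_ALLOW_ALL=y` pair; referencing the follow-up in the commit message would keep the architectures from diverging unnoticed. On a built image, an empty result from `grep debugfs /proc/filesystems` confirms the option took effect.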
> @@ -7472,7 +7440,6 @@ CONFIG_ARCH_HAS_DEBUG_WX=y
> CONFIG_DEBUG_WX=y
> CONFIG_GENERIC_PTDUMP=y
> CONFIG_PTDUMP_CORE=y
> -# CONFIG_PTDUMP_DEBUGFS is not set
> # CONFIG_DEBUG_OBJECTS is not set
> # CONFIG_SLUB_STATS is not set
> CONFIG_HAVE_DEBUG_KMEMLEAK=y
> @@ -7665,7 +7632,6 @@ CONFIG_IO_DELAY_0X80=y
> # CONFIG_IO_DELAY_0XED is not set
> # CONFIG_IO_DELAY_UDELAY is not set
> # CONFIG_IO_DELAY_NONE is not set
> -# CONFIG_DEBUG_BOOT_PARAMS is not set
> # CONFIG_CPA_DEBUG is not set
> # CONFIG_DEBUG_ENTRY is not set
> # CONFIG_DEBUG_NMI_SELFTEST is not set
> @@ -7688,6 +7654,5 @@ CONFIG_CC_HAS_SANCOV_TRACE_PC=y
> # CONFIG_RUNTIME_TESTING_MENU is not set
> CONFIG_ARCH_USE_MEMTEST=y
> # CONFIG_MEMTEST is not set
> -# CONFIG_HYPERV_TESTING is not set
> # end of Kernel Testing and Coverage
> # end of Kernel hacking
> --
> 2.35.3