This subsystem has been a frequent source of security vulnerabilities affecting the Linux kernel; as a result, Google announced on June 14, 2023, that they would disable it in their environment as widely as possible.
IPFire does not depend on the availability of io_uring. Therefore, disable this subsystem as well in order to preemptively cut attack surface.
See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.ht...
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/kernel/kernel.config.aarch64-ipfire | 3 +-- config/kernel/kernel.config.x86_64-ipfire | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 96944c3d5..0d7c1ba8a 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -229,7 +229,7 @@ CONFIG_TIMERFD=y CONFIG_EVENTFD=y CONFIG_SHMEM=y CONFIG_AIO=y -CONFIG_IO_URING=y +# CONFIG_IO_URING is not set CONFIG_ADVISE_SYSCALLS=y CONFIG_MEMBARRIER=y CONFIG_KALLSYMS=y @@ -7824,7 +7824,6 @@ CONFIG_NLS_MAC_TURKISH=m CONFIG_NLS_UTF8=m # CONFIG_DLM is not set # CONFIG_UNICODE is not set -CONFIG_IO_WQ=y # end of File systems
# diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 129e0d209..48fdbd8ff 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -249,7 +249,7 @@ CONFIG_TIMERFD=y CONFIG_EVENTFD=y CONFIG_SHMEM=y CONFIG_AIO=y -CONFIG_IO_URING=y +# CONFIG_IO_URING is not set CONFIG_ADVISE_SYSCALLS=y CONFIG_MEMBARRIER=y CONFIG_KALLSYMS=y @@ -7047,7 +7047,6 @@ CONFIG_DLM=m # CONFIG_DLM_DEPRECATED_API is not set # CONFIG_DLM_DEBUG is not set # CONFIG_UNICODE is not set -CONFIG_IO_WQ=y # end of File systems
#