kernel: Disable CONFIG_DEBUG_FS

According to the kernel's documentation, > debugfs is a virtual file system that kernel developers use to put > debugging files into. Enable this option to be able to read and > write to these files. There is no legitimate reason why one has to do so on an IPFire machine. Further, the vast debugging options (i.e. related to various drivers) have never been enabled, limiting the use of this virtual file system even further. This patch therefore proposes to disable it entirely, since its potential security impact outweights its benefits. Due to operational constraints, changes to ARM kernel configurations will be made if this patch is approved for x86_64. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2022-09-17 19:24:46 +00:00
parent ae49226866
commit 12d339e725
1 changed files with 5 additions and 40 deletions
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -78,7 +78,6 @@ CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y
 CONFIG_GENERIC_IRQ_RESERVATION_MODE=y
 CONFIG_IRQ_FORCED_THREADING=y
 CONFIG_SPARSE_IRQ=y
-# CONFIG_GENERIC_IRQ_DEBUGFS is not set
 # end of IRQ subsystem

 CONFIG_CLOCKSOURCE_WATCHDOG=y
@@ -158,7 +157,6 @@ CONFIG_RCU_NEED_SEGCBLIST=y
 CONFIG_LOG_BUF_SHIFT=18
 CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
 CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13
-# CONFIG_PRINTK_INDEX is not set
 CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y

 #
@@ -330,7 +328,6 @@ CONFIG_X86_EXTENDED_PLATFORM=y
 CONFIG_X86_INTEL_LPSS=y
 CONFIG_X86_AMD_PLATFORM_DEVICE=y
 CONFIG_IOSF_MBI=y
-# CONFIG_IOSF_MBI_DEBUG is not set
 CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y
 CONFIG_SCHED_OMIT_FRAME_POINTER=y
 CONFIG_HYPERVISOR_GUEST=y
@@ -348,7 +345,6 @@ CONFIG_XEN_PVHVM=y
 CONFIG_XEN_PVHVM_SMP=y
 CONFIG_XEN_PVHVM_GUEST=y
 CONFIG_XEN_SAVE_RESTORE=y
-CONFIG_XEN_DEBUG_FS=y
 CONFIG_XEN_PVH=y
 CONFIG_XEN_DOM0=y
 CONFIG_KVM_GUEST=y
@@ -398,7 +394,6 @@ CONFIG_X86_MCELOG_LEGACY=y
 CONFIG_X86_MCE_INTEL=y
 CONFIG_X86_MCE_AMD=y
 CONFIG_X86_MCE_THRESHOLD=y
-# CONFIG_X86_MCE_INJECT is not set

 #
 # Performance monitoring
@@ -421,7 +416,6 @@ CONFIG_X86_MSR=y
 CONFIG_X86_CPUID=y
 # CONFIG_X86_5LEVEL is not set
 CONFIG_X86_DIRECT_GBPAGES=y
-# CONFIG_X86_CPA_STATISTICS is not set
 # CONFIG_AMD_MEM_ENCRYPT is not set
 # CONFIG_NUMA is not set
 CONFIG_ARCH_SPARSEMEM_ENABLE=y
@@ -543,7 +537,6 @@ CONFIG_ACPI_CONTAINER=y
 CONFIG_ACPI_HOTPLUG_IOAPIC=y
 CONFIG_ACPI_SBS=m
 CONFIG_ACPI_HED=y
-# CONFIG_ACPI_CUSTOM_METHOD is not set
 # CONFIG_ACPI_BGRT is not set
 # CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
 CONFIG_ACPI_NFIT=m
@@ -554,7 +547,6 @@ CONFIG_ACPI_APEI=y
 CONFIG_ACPI_APEI_GHES=y
 CONFIG_ACPI_APEI_PCIEAER=y
 CONFIG_ACPI_APEI_MEMORY_FAILURE=y
-# CONFIG_ACPI_APEI_EINJ is not set
 # CONFIG_ACPI_APEI_ERST_DEBUG is not set
 # CONFIG_ACPI_DPTF is not set
 CONFIG_ACPI_WATCHDOG=y
@@ -772,7 +764,6 @@ CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
 CONFIG_STRICT_MODULE_RWX=y
 CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
 CONFIG_ARCH_USE_MEMREMAP_PROT=y
-CONFIG_LOCK_EVENT_COUNTS=y
 CONFIG_ARCH_HAS_MEM_ENCRYPT=y
 CONFIG_HAVE_STATIC_CALL=y
 CONFIG_HAVE_STATIC_CALL_INLINE=y
@@ -785,7 +776,6 @@ CONFIG_ARCH_HAS_PARANOID_L1D_FLUSH=y
 #
 # GCOV-based kernel profiling
 #
-# CONFIG_GCOV_KERNEL is not set
 CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
 # end of GCOV-based kernel profiling

@@ -837,8 +827,6 @@ CONFIG_BLK_DEV_THROTTLING=y
 # CONFIG_BLK_CGROUP_FC_APPID is not set
 # CONFIG_BLK_CGROUP_IOCOST is not set
 # CONFIG_BLK_CGROUP_IOPRIO is not set
-CONFIG_BLK_DEBUG_FS=y
-CONFIG_BLK_DEBUG_FS_ZONED=y
 # CONFIG_BLK_SED_OPAL is not set
 CONFIG_BLK_INLINE_ENCRYPTION=y
 CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
@@ -971,7 +959,10 @@ CONFIG_VMAP_PFN=y
 CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
 CONFIG_ARCH_HAS_PKEYS=y
 # CONFIG_PERCPU_STATS is not set
-# CONFIG_GUP_TEST is not set
+
+#
+# GUP_TEST needs to have DEBUG_FS enabled
+#
 # CONFIG_READ_ONLY_THP_FOR_FS is not set
 CONFIG_ARCH_HAS_PTE_SPECIAL=y
 CONFIG_MAPPING_DIRTY_HELPERS=y
@@ -1464,7 +1455,6 @@ CONFIG_ATM_CLIP=m
 CONFIG_ATM_BR2684=m
 # CONFIG_ATM_BR2684_IPFILTER is not set
 CONFIG_L2TP=m
-# CONFIG_L2TP_DEBUGFS is not set
 CONFIG_L2TP_V3=y
 CONFIG_L2TP_IP=m
 CONFIG_L2TP_ETH=m
@@ -1677,7 +1667,6 @@ CONFIG_CFG80211_EXTRA_REGDB_KEYDIR=""
 CONFIG_CFG80211_REG_CELLULAR_HINTS=y
 CONFIG_CFG80211_REG_RELAX_NO_IR=y
 CONFIG_CFG80211_DEFAULT_PS=y
-# CONFIG_CFG80211_DEBUGFS is not set
 CONFIG_CFG80211_CRDA_SUPPORT=y
 CONFIG_CFG80211_WEXT=y
 CONFIG_CFG80211_WEXT_EXPORT=y
@@ -1693,7 +1682,6 @@ CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
 CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
 CONFIG_MAC80211_MESH=y
 CONFIG_MAC80211_LEDS=y
-# CONFIG_MAC80211_DEBUGFS is not set
 # CONFIG_MAC80211_MESSAGE_TRACING is not set
 # CONFIG_MAC80211_DEBUG_MENU is not set
 CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
@@ -1867,7 +1855,6 @@ CONFIG_DMA_SHARED_BUFFER=y
 # Bus devices
 #
 CONFIG_MHI_BUS=m
-# CONFIG_MHI_BUS_DEBUG is not set
 # CONFIG_MHI_BUS_PCI_GENERIC is not set
 # end of Bus devices

@@ -2168,7 +2155,6 @@ CONFIG_LIBFCOE=m
 CONFIG_FCOE=m
 CONFIG_FCOE_FNIC=m
 CONFIG_SCSI_SNIC=m
-CONFIG_SCSI_SNIC_DEBUG_FS=y
 CONFIG_SCSI_DMX3191D=m
 CONFIG_SCSI_FDOMAIN=m
 CONFIG_SCSI_FDOMAIN_PCI=m
@@ -2195,7 +2181,6 @@ CONFIG_SCSI_QLA_ISCSI=m
 CONFIG_QEDI=m
 CONFIG_QEDF=m
 CONFIG_SCSI_LPFC=m
-# CONFIG_SCSI_LPFC_DEBUG_FS is not set
 CONFIG_SCSI_DC395x=m
 CONFIG_SCSI_AM53C974=m
 CONFIG_SCSI_WD719X=m
@@ -2626,10 +2611,8 @@ CONFIG_NET_VENDOR_LITEX=y
 CONFIG_NET_VENDOR_MARVELL=y
 CONFIG_MVMDIO=m
 CONFIG_SKGE=m
-# CONFIG_SKGE_DEBUG is not set
 CONFIG_SKGE_GENESIS=y
 CONFIG_SKY2=m
-# CONFIG_SKY2_DEBUG is not set
 CONFIG_PRESTERA=m
 CONFIG_PRESTERA_PCI=m
 CONFIG_NET_VENDOR_MELLANOX=y
@@ -2955,7 +2938,6 @@ CONFIG_ATH9K_BTCOEX_SUPPORT=y
 CONFIG_ATH9K=m
 CONFIG_ATH9K_PCI=y
 CONFIG_ATH9K_AHB=y
-# CONFIG_ATH9K_DEBUGFS is not set
 CONFIG_ATH9K_DFS_CERTIFIED=y
 # CONFIG_ATH9K_DYNACK is not set
 # CONFIG_ATH9K_WOW is not set
@@ -2964,7 +2946,6 @@ CONFIG_ATH9K_RFKILL=y
 CONFIG_ATH9K_PCOEM=y
 CONFIG_ATH9K_PCI_NO_EEPROM=m
 CONFIG_ATH9K_HTC=m
-# CONFIG_ATH9K_HTC_DEBUGFS is not set
 CONFIG_ATH9K_HWRNG=y
 CONFIG_CARL9170=m
 CONFIG_CARL9170_LEDS=y
@@ -2975,14 +2956,12 @@ CONFIG_AR5523=m
 CONFIG_WIL6210=m
 CONFIG_WIL6210_ISR_COR=y
 CONFIG_WIL6210_TRACING=y
-# CONFIG_WIL6210_DEBUGFS is not set
 CONFIG_ATH10K=m
 CONFIG_ATH10K_CE=y
 CONFIG_ATH10K_PCI=m
 CONFIG_ATH10K_SDIO=m
 CONFIG_ATH10K_USB=m
 CONFIG_ATH10K_DEBUG=y
-# CONFIG_ATH10K_DEBUGFS is not set
 # CONFIG_ATH10K_TRACING is not set
 CONFIG_ATH10K_DFS_CERTIFIED=y
 CONFIG_WCN36XX=m
@@ -3241,7 +3220,6 @@ CONFIG_XEN_NETDEV_BACKEND=m
 CONFIG_VMXNET3=m
 CONFIG_FUJITSU_ES=m
 CONFIG_HYPERV_NET=m
-# CONFIG_NETDEVSIM is not set
 CONFIG_NET_FAILOVER=m
 # CONFIG_ISDN is not set

@@ -5116,7 +5094,6 @@ CONFIG_DRM_AMDGPU=m
 CONFIG_DRM_AMD_DC=y
 CONFIG_DRM_AMD_DC_DCN=y
 # CONFIG_DRM_AMD_DC_HDCP is not set
-# CONFIG_DRM_AMD_SECURE_DISPLAY is not set
 # end of Display Engine Configuration

 # CONFIG_HSA_AMD is not set
@@ -5371,7 +5348,6 @@ CONFIG_SND_DEBUG=y
 # CONFIG_SND_DEBUG_VERBOSE is not set
 CONFIG_SND_PCM_XRUN_DEBUG=y
 # CONFIG_SND_CTL_VALIDATION is not set
-# CONFIG_SND_JACK_INJECTION_DEBUG is not set
 CONFIG_SND_VMASTER=y
 CONFIG_SND_DMA_SGBUF=y
 CONFIG_SND_CTL_LED=m
@@ -6211,7 +6187,6 @@ CONFIG_DMA_ENGINE_RAID=y
 # DMABUF options
 #
 CONFIG_SYNC_FILE=y
-CONFIG_SW_SYNC=y
 # CONFIG_UDMABUF is not set
 # CONFIG_DMABUF_MOVE_NOTIFY is not set
 # CONFIG_DMABUF_DEBUG is not set
@@ -6487,7 +6462,6 @@ CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_IO_PGTABLE=y
 # end of Generic IOMMU Pagetable Support

-# CONFIG_IOMMU_DEBUGFS is not set
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set
 # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
@@ -6633,7 +6607,6 @@ CONFIG_GENERIC_PHY=y
 # end of Performance monitor support

 CONFIG_RAS=y
-# CONFIG_RAS_CEC is not set
 # CONFIG_USB4 is not set

 #
@@ -6838,7 +6811,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
 CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_CONSOLE is not set
 # CONFIG_PSTORE_PMSG is not set
-# CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
 # CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
@@ -7369,7 +7341,6 @@ CONFIG_NEED_DMA_MAP_STATE=y
 CONFIG_ARCH_DMA_ADDR_T_64BIT=y
 CONFIG_SWIOTLB=y
 # CONFIG_DMA_API_DEBUG is not set
-# CONFIG_DMA_MAP_BENCHMARK is not set
 CONFIG_SGL_ALLOC=y
 CONFIG_CHECK_SIGNATURE=y
 CONFIG_CPU_RMAP=y
@@ -7443,10 +7414,7 @@ CONFIG_STACK_VALIDATION=y
 # Generic Kernel Debugging Instruments
 #
 # CONFIG_MAGIC_SYSRQ is not set
-CONFIG_DEBUG_FS=y
-CONFIG_DEBUG_FS_ALLOW_ALL=y
-# CONFIG_DEBUG_FS_DISALLOW_MOUNT is not set
-# CONFIG_DEBUG_FS_ALLOW_NONE is not set
+# CONFIG_DEBUG_FS is not set
 CONFIG_HAVE_ARCH_KGDB=y
 # CONFIG_KGDB is not set
 CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
@@ -7472,7 +7440,6 @@ CONFIG_ARCH_HAS_DEBUG_WX=y
 CONFIG_DEBUG_WX=y
 CONFIG_GENERIC_PTDUMP=y
 CONFIG_PTDUMP_CORE=y
-# CONFIG_PTDUMP_DEBUGFS is not set
 # CONFIG_DEBUG_OBJECTS is not set
 # CONFIG_SLUB_STATS is not set
 CONFIG_HAVE_DEBUG_KMEMLEAK=y
@@ -7665,7 +7632,6 @@ CONFIG_IO_DELAY_0X80=y
 # CONFIG_IO_DELAY_0XED is not set
 # CONFIG_IO_DELAY_UDELAY is not set
 # CONFIG_IO_DELAY_NONE is not set
-# CONFIG_DEBUG_BOOT_PARAMS is not set
 # CONFIG_CPA_DEBUG is not set
 # CONFIG_DEBUG_ENTRY is not set
 # CONFIG_DEBUG_NMI_SELFTEST is not set
@@ -7688,6 +7654,5 @@ CONFIG_CC_HAS_SANCOV_TRACE_PC=y
 # CONFIG_RUNTIME_TESTING_MENU is not set
 CONFIG_ARCH_USE_MEMTEST=y
 # CONFIG_MEMTEST is not set
-# CONFIG_HYPERV_TESTING is not set
 # end of Kernel Testing and Coverage
 # end of Kernel hacking