From 447d0bf51ed17f16880fd5041b3a88dcdec8a648 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Peter=20M=C3=BCller?=
Date: Fri, 13 Oct 2023 09:03:00 +0000
Subject: [PATCH] linux: Disable io_uring
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This subsystem has been a frequent source of security vulnerabilities affecting the Linux kernel; as a result, Google announced on June 14, 2023, that they would disable it in their environment as widely as possible. IPFire does not depend on the availability of io_uring. Therefore, disable this subsystem as well in order to preemptively cut attack surface. See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
Signed-off-by: Peter Müller
Signed-off-by: Michael Tremer
---
 config/kernel/kernel.config.aarch64-ipfire | 3 +--
 config/kernel/kernel.config.x86_64-ipfire | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index c69c13e71b..4e39b8d860 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -229,7 +229,7 @@ CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
-CONFIG_IO_URING=y
+# CONFIG_IO_URING is not set
 CONFIG_ADVISE_SYSCALLS=y
 CONFIG_MEMBARRIER=y
 CONFIG_KALLSYMS=y
@@ -7821,7 +7821,6 @@ CONFIG_NLS_MAC_TURKISH=m
 CONFIG_NLS_UTF8=m
 # CONFIG_DLM is not set
 # CONFIG_UNICODE is not set
-CONFIG_IO_WQ=y
 # end of File systems
 
 #
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index da8dcad00c..3195b0c42e 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -249,7 +249,7 @@ CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
-CONFIG_IO_URING=y
+# CONFIG_IO_URING is not set
 CONFIG_ADVISE_SYSCALLS=y
 CONFIG_MEMBARRIER=y
 CONFIG_KALLSYMS=y
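Review bot: The `-CONFIG_IO_URING=y` / `+# CONFIG_IO_URING is not set` change at `@@ -229` (aarch64) and `@@ -249` (x86_64) reaches only the two configs listed in the diffstat; should config/kernel/ carry a config for any further architecture (not visible in this patch), that kernel would still expose the io_uring syscalls and needs the same `# CONFIG_IO_URING is not set` line. Dropping `CONFIG_IO_WQ=y` in the `@@ -7821` and `@@ -7041` hunks looks like the expected Kconfig fallout, since IO_WQ is selected by IO_URING, so there is no separate point to raise on those. Because the change rests on the statement that IPFire does not depend on io_uring, the commit message would be stronger if it said how that was checked, for example that shipped packages able to use io_uring fall back cleanly once `io_uring_setup()` returns ENOSYS.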
@@ -7041,7 +7041,6 @@ CONFIG_DLM=m
 # CONFIG_DLM_DEPRECATED_API is not set
 # CONFIG_DLM_DEBUG is not set
 # CONFIG_UNICODE is not set
-CONFIG_IO_WQ=y
 # end of File systems
 
 #
-- 
2.39.2