From 61392f73058ad37901e57c2d4f074b3a08828183 Mon Sep 17 00:00:00 2001
From: Ben Cressey
Date: Fri, 24 Jun 2022 17:34:07 +0000
Subject: [PATCH 1/2] kernel: disable unused filesystems

It's not possible to rule out the existence of workloads using these filesystems, but it is possible to make a series of educated guesses.

For Kubernetes variants, a CSI driver that supports the filesystem would be required to use it for container storage. This is especially true for network-based filesystems, because Bottlerocket does not ship any of the userspace tools required.

Disabled network filesystems:
* afs - network-based, no CSI driver
* gfs2 - network-based, no CSI driver
* nfs v2 - obsoleted by later versions of NFS

Another use case would be containers that run with CAP_SYS_ADMIN and mount full disk or filesystem images. Disabling these filesystems is more of a judgment call, and comes down to whether the format is obsolete, whether it's in common use, whether it's useful on current platforms, and if it's consistently enabled across architectures.

Obsolete local filesystems:
* cramfs - read-only format, obsoleted by squashfs
* ecryptfs - obsoleted by native filesystem encryption
* ext2 - obsolete, handled by the ext4 driver
* ext3 - obsolete, handled by the ext4 driver
* romfs - obsoleted by initramfs

Uncommon local filesystems:
* hfs, hfsplus - not enabled on aarch64
* jfs - not enabled on aarch64
* jffs2 - not supported by current platforms
* nilfs2 - not enabled on aarch64
* ntfs - not enabled on 5.10 kernels
* ufs - not enabled on aarch64
* zonefs - not supported by current platforms

Note that a potential use case for hfsplus could be to generate DMG files for OS X software installs. However, the more common approach appears to be using `genisoimage` on Linux.

Signed-off-by: Ben Cressey
---
 packages/kernel-5.10/config-bottlerocket | 19 +++++++++++++++++++
 packages/kernel-5.4/config-bottlerocket  | 19 +++++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/packages/kernel-5.10/config-bottlerocket b/packages/kernel-5.10/config-bottlerocket index f2fd5581f8c..08884d8f2a7 100644 --- a/packages/kernel-5.10/config-bottlerocket +++ b/packages/kernel-5.10/config-bottlerocket @@ -143,3 +143,22 @@ CONFIG_BOOT_CONFIG=y # Enables support for checkpoint/restore CONFIG_CHECKPOINT_RESTORE=y + +# Disable unused filesystems. +CONFIG_AFS_FS=n +CONFIG_CRAMFS=n +CONFIG_ECRYPT_FS=n +CONFIG_EXT2_FS=n +CONFIG_EXT3_FS=n +CONFIG_EXT4_USE_FOR_EXT2=y +CONFIG_GFS2_FS=n +CONFIG_HFS_FS=n +CONFIG_HFSPLUS_FS=n +CONFIG_JFS_FS=n +CONFIG_JFFS2_FS=n +CONFIG_NFS_V2=n +CONFIG_NILFS2_FS=n +CONFIG_NTFS_FS=n +CONFIG_ROMFS_FS=n +CONFIG_UFS_FS=n +CONFIG_ZONEFS_FS=n diff --git a/packages/kernel-5.4/config-bottlerocket b/packages/kernel-5.4/config-bottlerocket index 34a422d93f8..d21f44aac0c 100644 --- a/packages/kernel-5.4/config-bottlerocket +++ b/packages/kernel-5.4/config-bottlerocket @@ -85,3 +85,22 @@ CONFIG_MOUSE_PS2=m # Enables support for checkpoint/restore CONFIG_CHECKPOINT_RESTORE=y + +# Disable unused filesystems. +CONFIG_AFS_FS=n +CONFIG_CRAMFS=n +CONFIG_ECRYPT_FS=n +CONFIG_EXT2_FS=n +CONFIG_EXT3_FS=n +CONFIG_EXT4_USE_FOR_EXT2=y +CONFIG_GFS2_FS=n +CONFIG_HFS_FS=n +CONFIG_HFSPLUS_FS=n +CONFIG_JFS_FS=n +CONFIG_JFFS2_FS=n +CONFIG_NFS_V2=n +CONFIG_NILFS2_FS=n +CONFIG_NTFS_FS=n +CONFIG_ROMFS_FS=n +CONFIG_UFS_FS=n +CONFIG_ZONEFS_FS=n From dfe344d13a05e0263484cde309f2400d10608857 Mon Sep 17 00:00:00 2001 
From: Ben Cressey
Date: Fri, 24 Jun 2022 18:48:51 +0000
Subject: [PATCH 2/2] kernel: disable unused network protocols

These protocols are unlikely to be used. They might require special hardware; they might just not be supported on the platforms where Bottlerocket runs today; they might raise security concerns; or some other reasoning might apply.

Requires special hardware or platform support:
* atm - an alternative to IP
* can - used in automotive and industrial applications
* hsr - redundancy protocol for wired networks
* rfkill - controls RF switches on WiFi and Bluetooth cards

Raises security concerns:
* dccp - CVE-2020-16119, CVE-2018-1130
* rds - CVE-2021-45480, CVE-2019-11815
* tipc - CVE-2022-0435, CVE-2021-29646

Other reasons:
* af-rxrpc - only used by AFS, which is disabled
* l2tp - not enabled in 5.10 for x86_64

Signed-off-by: Ben Cressey
---
 packages/kernel-5.10/config-bottlerocket | 11 +++++++++++
 packages/kernel-5.4/config-bottlerocket  | 11 +++++++++++
 2 files changed, 22 insertions(+)
diff --git a/packages/kernel-5.10/config-bottlerocket b/packages/kernel-5.10/config-bottlerocket index 08884d8f2a7..a31c086ab4f 100644 --- a/packages/kernel-5.10/config-bottlerocket +++ b/packages/kernel-5.10/config-bottlerocket @@ -162,3 +162,14 @@ CONFIG_NTFS_FS=n CONFIG_ROMFS_FS=n CONFIG_UFS_FS=n CONFIG_ZONEFS_FS=n + +# Disable unused network protocols. +CONFIG_AF_RXRPC=n +CONFIG_ATM=n +CONFIG_CAN=n +CONFIG_HSR=n +CONFIG_IP_DCCP=n +CONFIG_L2TP=n +CONFIG_RDS=n +CONFIG_RFKILL=n +CONFIG_TIPC=n diff --git a/packages/kernel-5.4/config-bottlerocket b/packages/kernel-5.4/config-bottlerocket index d21f44aac0c..91442915ef6 100644 --- a/packages/kernel-5.4/config-bottlerocket +++ b/packages/kernel-5.4/config-bottlerocket 
@@ -104,3 +104,14 @@ CONFIG_NTFS_FS=n CONFIG_ROMFS_FS=n CONFIG_UFS_FS=n CONFIG_ZONEFS_FS=n + +# Disable unused network protocols. +CONFIG_AF_RXRPC=n +CONFIG_ATM=n +CONFIG_CAN=n +CONFIG_HSR=n +CONFIG_IP_DCCP=n +CONFIG_L2TP=n +CONFIG_RDS=n +CONFIG_RFKILL=n +CONFIG_TIPC=n
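
Review bot: In PATCH 1/2, kernel-5.10 hunk (the kernel-5.4 hunk carries the same block), `CONFIG_EXT4_USE_FOR_EXT2=y` is the one line that enables something, yet it sits under "# Disable unused filesystems." with no explanation. Give it its own comment, for example "# Let the ext4 driver handle ext2 mounts.", so that a later cleanup of the `=n` list does not drop it together with `CONFIG_EXT2_FS=n`.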
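
Review bot: In PATCH 1/2, kernel-5.4 hunk, `CONFIG_NTFS_FS=n` is justified in the commit message only as "not enabled on 5.10 kernels", which says nothing about 5.4; the "not enabled on aarch64" entries (hfs, hfsplus, jfs, nilfs2, ufs) likewise describe one architecture while the setting applies to every build of this config. Please state which of these were enabled on 5.4 or on x86_64 before this change, because for those the line removes a driver rather than confirming an existing default, and that is what a user mounting such images would need to know.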
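
Review bot: In PATCH 2/2, kernel-5.10 hunk (the kernel-5.4 hunk carries the same block), the single comment "# Disable unused network protocols." loses the distinction the commit message draws: `CONFIG_IP_DCCP`, `CONFIG_RDS` and `CONFIG_TIPC` are off because of the listed CVEs, the others for hardware or platform reasons. Split the block with one comment per group and label the security group as such, so a later request to re-enable one of those three is reviewed as a security decision rather than a feature toggle. `CONFIG_RFKILL` is, by the message's own description, a switch control and not a protocol, and would read better under its own comment.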
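
Review bot: In PATCH 2/2, kernel-5.4 hunk, `CONFIG_L2TP=n` carries the rationale "not enabled in 5.10 for x86_64", which does not cover this file. If L2TP was enabled in the 5.4 config before this change, the line is a functional removal for 5.4 users and the commit message should say so. `CONFIG_AF_RXRPC=n` also relies on `CONFIG_AFS_FS=n` from PATCH 1/2 for its justification, so a short comment tying the two together would keep them from being reverted separately.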