disable uncommon filesystems and network protocols #2255

Merged
merged 2 commits into from
Jul 7, 2022

Commits on Jul 7, 2022

  1. kernel: disable unused filesystems

    It's not possible to rule out the existence of workloads using these
    filesystems, but it is possible to make a series of educated guesses.
    
    For Kubernetes variants, a CSI driver that supports the filesystem
    would be required to use it for container storage. This is especially
    true for network-based filesystems, because Bottlerocket does not ship
    any of the userspace tools required.
    
    Disabled network filesystems:
    * afs - network-based, no CSI driver
    * gfs2 - network-based, no CSI driver
    * nfs v2 - obsoleted by later versions of NFS
    
    Another use case would be containers that run with CAP_SYS_ADMIN and
    mount full disk or filesystem images. Disabling these filesystems is
    more of a judgment call, and comes down to whether the format is
    obsolete, whether it's in common use, whether it's useful on current
    platforms, and if it's consistently enabled across architectures.
    
    Obsolete local filesystems:
    * cramfs - read-only format, obsoleted by squashfs
    * ecryptfs - obsoleted by native filesystem encryption
    * ext2 - obsolete, handled by the ext4 driver
    * ext3 - obsolete, handled by the ext4 driver
    * romfs - obsoleted by initramfs
    
    Uncommon local filesystems:
    * hfs, hfsplus - not enabled on aarch64
    * jfs - not enabled on aarch64
    * jffs2 - not supported by current platforms
    * nilfs2 - not enabled on aarch64
    * ntfs - not enabled on 5.10 kernels
    * ufs - not enabled on aarch64
    * zonefs - not supported by current platforms
    
    Note that a potential use case for hfsplus could be to generate DMG
    files for OS X software installs. However, the more common approach
    appears to be using `genisoimage` on Linux.
    
    Signed-off-by: Ben Cressey <[email protected]>
    bcressey committed Jul 7, 2022
    61392f7
  2. kernel: disable unused network protocols

    These protocols are unlikely to be used. They might require special
    hardware; they might just not be supported on the platforms where
    Bottlerocket runs today; they might raise security concerns; or some
    other reasoning might apply.
    
    Requires special hardware or platform support:
    * atm - an alternative to IP
    * can - used in automotive and industrial applications
    * hsr - redundancy protocol for wired networks
    * rfkill - controls RF switches on WiFi and Bluetooth cards
    
    Raises security concerns:
    * dccp - CVE-2020-16119, CVE-2018-1130
    * rds - CVE-2021-45480, CVE-2019-11815
    * tipc - CVE-2022-0435, CVE-2021-29646
    
    Other reasons:
    * af-rxrpc - only used by AFS, which is disabled
    * l2tp - not enabled in 5.10 for x86_64
    
    Signed-off-by: Ben Cressey <[email protected]>
    bcressey committed Jul 7, 2022
    dfe344d
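
To check a built kernel against the two lists above, the following added example (not part of the pull request or the Bottlerocket code base) parses kernel config text and reports which of the named filesystems and protocols are still built in or built as modules. The mapping from the commit messages' names to upstream Kconfig symbols is an assumption, since the PR's actual config changes are not shown on this page, and the sample config is constructed.

```python
import re

# Assumption: names from the two commit messages mapped to upstream Kconfig
# symbols. The PR's real config changes are not shown on this page.
DISABLED = {
    "afs": "CONFIG_AFS_FS", "gfs2": "CONFIG_GFS2_FS", "nfs v2": "CONFIG_NFS_V2",
    "cramfs": "CONFIG_CRAMFS", "ecryptfs": "CONFIG_ECRYPT_FS",
    "ext2": "CONFIG_EXT2_FS", "ext3": "CONFIG_EXT3_FS", "romfs": "CONFIG_ROMFS_FS",
    "hfs": "CONFIG_HFS_FS", "hfsplus": "CONFIG_HFSPLUS_FS", "jfs": "CONFIG_JFS_FS",
    "jffs2": "CONFIG_JFFS2_FS", "nilfs2": "CONFIG_NILFS2_FS", "ntfs": "CONFIG_NTFS_FS",
    "ufs": "CONFIG_UFS_FS", "zonefs": "CONFIG_ZONEFS_FS",
    "atm": "CONFIG_ATM", "can": "CONFIG_CAN", "hsr": "CONFIG_HSR",
    "rfkill": "CONFIG_RFKILL", "dccp": "CONFIG_IP_DCCP", "rds": "CONFIG_RDS",
    "tipc": "CONFIG_TIPC", "af-rxrpc": "CONFIG_AF_RXRPC", "l2tp": "CONFIG_L2TP",
}

SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Return {symbol: value}; '# CONFIG_X is not set' lines become 'n'."""
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SET.match(line)):
            state[m.group(1)] = m.group(2)
        elif (m := UNSET.match(line)):
            state[m.group(1)] = "n"
    return state

def still_enabled(text):
    """Names from DISABLED that are built in (y) or built as a module (m)."""
    state = parse_kconfig(text)
    # A symbol missing from the config is treated as off, as in a kernel .config.
    return {name: state[sym] for name, sym in DISABLED.items()
            if state.get(sym, "n") in ("y", "m")}

# Constructed sample, not taken from any Bottlerocket build.
SAMPLE = """\
CONFIG_EXT4_FS=y
# CONFIG_EXT2_FS is not set
# CONFIG_CRAMFS is not set
CONFIG_HFSPLUS_FS=m
CONFIG_NFS_FS=m
# CONFIG_NFS_V2 is not set
CONFIG_IP_DCCP=m
# CONFIG_RDS is not set
CONFIG_TIPC=m
CONFIG_TIPC_MEDIA_UDP=y
"""

if __name__ == "__main__":
    for name, value in still_enabled(SAMPLE).items():
        print(f"{name}: {DISABLED[name]}={value}")
```

On a running host the same text is usually available from `/boot/config-$(uname -r)`, or from `/proc/config.gz` when the kernel exposes it.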