
nixos/boot/systemd: enable tracefs#388751

Merged
ElvishJerricco merged 1 commit into NixOS:staging-next from JohnRTitor:tracefs
Mar 10, 2025

Conversation

JohnRTitor (Member) commented Mar 10, 2025

tracefs is a special-purpose filesystem in Linux used for tracing filesystem and kernel operations.

This was added to the kernel back in 2015 to replace debugfs. For security reasons, some systems do not mount debugfs at all. Tracefs reduces the attack surface by allowing tracing without mounting debugfs. Additionally, it provides features not supported by debugfs (such as calls for mkdir and rmdir).

Debian and Arch Linux both enable this by default. RHEL 8 and later also enable tracefs by default.

Closes #388743

Just enabling tracefs should be a non-breaking change.

JohnRTitor added the label "1.severity: security" (Issues which raise a security issue, or PRs that fix one) Mar 10, 2025
JohnRTitor requested a review from a team March 10, 2025 17:02
github-actions bot added the labels "6.topic: nixos" (Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS) and "8.has: module (update)" (This PR changes an existing module in `nixos/`) Mar 10, 2025
flokli (Member) commented Mar 10, 2025

Cool! Do you think we should also disable mounting debugfs, and document the "move to tracefs by default" in the release notes?

github-actions bot added the labels "10.rebuild-darwin: 1-10" (This PR causes between 1 and 10 packages to rebuild on Darwin) and "10.rebuild-linux: 1-10" (This PR causes between 1 and 10 packages to rebuild on Linux) Mar 10, 2025

ElvishJerricco (Contributor) commented Mar 10, 2025
@flokli If there's no harm in leaving debugfs around, we probably should. I think the ConditionPathExists=/sys/kernel/debug will cause it to be disabled implicitly when a kernel doesn't support it, and if the kernel supports it I don't see a reason to kick it out.

JohnRTitor (Member, Author) commented Mar 10, 2025

debugfs is disabled by default (for good reasons) on hardened kernels. We can also turn it off by passing kernel parameter debugfs=off.

ElvishJerricco (Contributor) commented Mar 10, 2025

> We can also turn it off by passing kernel parameter debugfs=off.

Like I said, I don't think we'll need this because of the ConditionPathExists=/sys/kernel/debug. So yea, I think we just leave debugfs, at least for now. That sound good with you @flokli?

JohnRTitor changed the base branch from master to staging-next March 10, 2025 17:25

JohnRTitor (Member, Author) commented Mar 10, 2025

After a discussion on Matrix, we decided that it would be best to make it go through staging-next, to avoid building tests again.

As for disabling debugfs, that's a breaking change, and even though it is technically a security issue, we should not disable it to avoid breaking applications without proper testing beforehand.
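The thread above turns on two checks an administrator would want after this change lands: is tracefs mounted at /sys/kernel/tracing, and is the legacy debugfs interface mounted or disabled via debugfs=off on the kernel command line? The following POSIX shell script is an added example (not code from the PR or from nixpkgs); the mounts table and command line it parses are constructed samples in /proc/self/mounts and /proc/cmdline format, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit which kernel tracing filesystems are mounted and whether
# debugfs was disabled on the kernel command line. Not part of the PR.

# Constructed sample in /proc/self/mounts format: device mountpoint fstype options dump pass.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tracefs /sys/kernel/tracing tracefs rw,nosuid,nodev,noexec,relatime 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed sample kernel command line (the store path is a placeholder).
SAMPLE_CMDLINE='BOOT_IMAGE=/kernel init=/nix/store/PLACEHOLDER-nixos-system/init debugfs=off loglevel=4'

# fs_mounted <fstype> <mountpoint> <mounts-text>: returns 0 if that fstype is mounted there.
fs_mounted() {
    printf '%s\n' "$3" | awk -v t="$1" -v m="$2" '$3 == t && $2 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# cmdline_has <token> <cmdline-text>: returns 0 if exactly that key=value token is present.
cmdline_has() {
    printf '%s\n' "$2" | tr ' ' '\n' | grep -qx -- "$1"
}

# tracing_status <mounts-text>: prints one of
#   tracefs-only   tracefs mounted, debugfs not mounted (the post-PR default)
#   both           tracefs and debugfs both mounted
#   debugfs-only   only the legacy debugfs interface is mounted
#   none           no kernel tracing filesystem mounted
tracing_status() {
    t=0; d=0
    fs_mounted tracefs /sys/kernel/tracing "$1" && t=1
    fs_mounted debugfs /sys/kernel/debug "$1" && d=1
    if [ "$t" = 1 ] && [ "$d" = 0 ]; then echo tracefs-only
    elif [ "$t" = 1 ]; then echo both
    elif [ "$d" = 1 ]; then echo debugfs-only
    else echo none; fi
}

# debugfs_disabled <cmdline-text>: returns 0 when the kernel was booted with debugfs=off.
debugfs_disabled() {
    cmdline_has debugfs=off "$1"
}

# On a live system: tracing_status "$(cat /proc/self/mounts)"; debugfs_disabled "$(cat /proc/cmdline)"
```

Run against the real /proc files, "tracefs-only" plus a successful debugfs_disabled check is the state the discussion describes as the hardened target; "both" is the compatibility state this PR deliberately leaves in place.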

ElvishJerricco merged commit 85c607e into NixOS:staging-next Mar 10, 2025
52 checks passed
JohnRTitor deleted the tracefs branch March 10, 2025 19:39
JohnRTitor added a commit to JohnRTitor/nixpkgs that referenced this pull request Mar 29, 2025
This was a workaround to begin with, as hardened kernel didn't support tracing.
Back then kernel level tracing was only available through debugfs, and now that
tracefs has been available on NixOS for a while now, enabled in
Link: NixOS#388751

This workaround can be removed and bpf can be used with tracefs.
Link: NixOS#360957

Signed-off-by: John Titor <[email protected]>
JohnRTitor added a commit that referenced this pull request Apr 1, 2025