>>> Hi Debian Security Team,
>>>
>>> Could I have your input on this please? An old bug has been reopened asking for
>>> initscripts to mount debugfs by default. It was closed for several years, but
>>> the workaround has now disappeared.
>>>
>>> In the original thread, concerns were raised about mounting debugfs in all cases
>>> both for security and unnecessary resource usage[1]. Those have been expressed
>>> again now.
>> We had a short discussion about it at our weekly Kernel team meeting, and it
>> should be noted that systemd does that already. We do not see a
>> direct problem with doing it as it is restricted to root.
>>
>> https://meetbot.debian.net/debian-kernel/2024/debian-kernel.2024-11-13-20.00.html
> If the kernel documentation says it should not be mounted by default then why is
> systemd doing so?
>
> I believe the kernel devs said that userland shouldn't be building upon it and
> that is a reason not to enable it by default. It makes much more sense to me for
> a commented out line to be placed in /etc/fstab?
>
> As for security: ideally, if it wasn't enabled at boot then root shouldn't be
> able to mount it. The kernel has powers over root after all.
Kernel lockdown disables access for security reasons, so what does a user that
wants hibernate to work on an encrypted system but keep the system as secure as
possible do? Linux needs to do better here and not worse, IMO.
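A defender-side check for the two points debated above (whether debugfs is mounted, with which options, and whether kernel lockdown is active), added here as an illustration and not taken from the thread; the paths default to the real kernel interfaces, but the run at the bottom uses constructed sample files.

```shell
#!/bin/sh
# Added example: audit debugfs mount state and kernel lockdown mode.
# Both functions take an optional file argument so they can be run
# against constructed input; the defaults are the real kernel interfaces.

# Print the mount options of debugfs from a /proc/mounts-style file,
# returning 1 (and printing nothing) if debugfs is not mounted.
debugfs_mount_opts() {
    mounts_file="${1:-/proc/mounts}"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk '$3 == "debugfs" { print $4; found = 1 }
         END { exit found ? 0 : 1 }' "$mounts_file"
}

# Print the active kernel lockdown mode ("none", "integrity" or
# "confidentiality"). /sys/kernel/security/lockdown lists every mode with
# the active one in brackets, e.g. "none [integrity] confidentiality".
# Prints "unavailable" when the file is absent (lockdown not built in).
lockdown_mode() {
    lockdown_file="${1:-/sys/kernel/security/lockdown}"
    if [ ! -r "$lockdown_file" ]; then
        echo unavailable
        return 0
    fi
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$lockdown_file"
}

# Constructed sample input standing in for /proc/mounts and the lockdown file.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/mounts" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
printf 'none [integrity] confidentiality\n' > "$SAMPLE_DIR/lockdown"

if opts="$(debugfs_mount_opts "$SAMPLE_DIR/mounts")"; then
    echo "debugfs mounted with options: $opts"
else
    echo "debugfs not mounted"
fi
echo "kernel lockdown: $(lockdown_mode "$SAMPLE_DIR/lockdown")"
rm -rf "$SAMPLE_DIR"
```

Run without arguments on a live system, the same two functions read /proc/mounts and /sys/kernel/security/lockdown directly.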