From f597c68e7ba0d6d5740ac89d5c56e69463d82b58 Mon Sep 17 00:00:00 2001
From: John Titor <50095635+JohnRTitor@users.noreply.github.com>
Date: Mon, 10 Mar 2025 22:27:41 +0530
Subject: [PATCH] nixos/boot/systemd: enable tracefs

tracefs is a special-purpose filesystem in Linux used for tracing filesystem and kernel operations. This was added to the kernel back in 2015 to replace debugfs. For security reasons, some system do not mount debugfs at all. Tracefs reduces the attack surface by allowing to trace without mounting debugfs. Additionally it provides features not supported by debugfs (such as calls for mkdir and rmdir

Debian and Arch Linux both enable this by default. RHEL 8 and later, they enable tracefs by default.

Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
---
 nixos/modules/system/boot/systemd.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 8b3f2a1bc49f..3096517c0b08 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -88,6 +88,7 @@ let
       "sys-fs-fuse-connections.mount"
     ] ++ (optional (!config.boot.isContainer) "sys-kernel-config.mount") ++ [
       "sys-kernel-debug.mount"
+      "sys-kernel-tracing.mount"
 
       # Maintaining state across reboots.
       "systemd-random-seed.service"
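Review bot: `"sys-kernel-tracing.mount"` is added to the unguarded part of the unit list, while `sys-kernel-config.mount` two lines above is gated on `!config.boot.isContainer`, and nothing in the hunk says why the tracefs mount needs no such guard. As far as I recall, systemd's own unit file carries `ConditionPathExists=/sys/kernel/tracing` and `ConditionCapability=CAP_SYS_RAWIO`, which would keep it inert in unprivileged containers and on kernels built without tracefs, the same reasoning that lets `sys-kernel-debug.mount` sit in the unguarded list; please confirm against the systemd version nixpkgs ships and record it on the line, e.g. `"sys-kernel-tracing.mount" # self-gated by systemd's ConditionCapability/ConditionPathExists, so no isContainer guard needed`. Since this list has no NixOS option to opt out, the operators the commit message mentions who deliberately leave debugfs unmounted now get a second kernel tracing interface mounted at /sys/kernel/tracing with the kernel's default (root-only, unless mount options change it) permissions; if that is intended, the commit message should state it rather than only claiming a reduced attack surface. The enclosing `let` binding starts before the hunk and the list it builds continues past it.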