io_uring is a security nightmare. Constant privescs and a powerful primitive for syscall smuggling. Worth considering disabling it outright (already the case for most containers afaik).


At one point, Google disabled io_uring on its production servers (https://security.googleblog.com/2023/06/learnings-from-kctf-...) - I don't know whether this is still true, though. Perhaps a Googler can confirm.


Super curious about this one as well; last I heard they've been enabling it slowly.


I was reading similar comments about AF_ALG, which led to the copy-fail exploit. Could we see a trend of moving away from less-used tools/modules that expand the vulnerability footprint?


io_uring is in a different league imo. I'd say that it's second only to user namespaces in terms of attack surface.

That said, putting stuff in a Docker container is kind of a light lift that cuts a bunch of attack surface.


We at work are currently going through the kernel modules available on Debian by default and deactivating things, yes.

And sorry, but I am ... frustrated by this. Why do my Debian 11 servers (currently upgrading, yes) have support for phone infrastructure from the 90s (ATM), or really obscure file systems like the "Andrew File System", or support to run IP across amateur radio (AX.25) by default? We recently joked that we should start a pot you add a euro to whenever you find ancient, discontinued tech you have never heard of that our systems support, so we can have a nice dinner after this.

I do understand that going full Gentoo or Arch as a generally available distro is not feasible. I am also personally intimidated by compiling my own kernel with just what we need. But the amount of strange ancient things supported by default is also quite ridiculous.
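As an added example (not from anyone in this thread): a small POSIX sh script that does the two things discussed above, reporting which legacy modules from a denylist are currently loaded (from lsmod-style input), emitting the modprobe.d rules that stop them from being loaded at all, and checking the kernel.io_uring_disabled sysctl that Linux 6.6+ offers for turning io_uring off without a rebuild. The module denylist and the sample lsmod output are assumptions constructed for illustration, not an authoritative list.

```shell
#!/bin/sh
# Added example, not code from the thread. Denylist below is an assumption:
# the modules named in the discussion plus a few related legacy protocols.
LEGACY_MODULES="ax25 atm afs dccp sctp rds tipc"

# Read lsmod-style output on stdin; print each denylisted module that is
# currently loaded, one per line (header line is skipped).
loaded_legacy() {
  awk -v list="$LEGACY_MODULES" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) deny[a[i]] = 1 }
    NR > 1 && ($1 in deny) { print $1 }'
}

# Print rules for /etc/modprobe.d/: "blacklist" only stops alias-based
# autoloading, so "install <mod> /bin/false" is added to refuse explicit
# modprobe requests as well.
modprobe_rules() {
  for m in $LEGACY_MODULES; do
    printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
  done
}

# Report the io_uring_disabled sysctl (Linux 6.6+): 2 = disabled for everyone,
# 1 = only CAP_SYS_ADMIN / io_uring_group may create rings, 0 = enabled.
# Returns 0 only when fully disabled. Optional argument overrides the path
# so the function can be exercised against a constructed file.
io_uring_status() {
  f="${1:-/proc/sys/kernel/io_uring_disabled}"
  if [ ! -r "$f" ]; then
    echo "unknown (sysctl not present; kernel older than 6.6?)"
    return 2
  fi
  case "$(cat "$f")" in
    2) echo "disabled"; return 0 ;;
    1) echo "restricted to CAP_SYS_ADMIN / io_uring_group"; return 1 ;;
    *) echo "enabled"; return 1 ;;
  esac
}

# Constructed sample lsmod output for a stand-alone run.
SAMPLE='Module                  Size  Used by
ax25                   65536  0
ext4                  921600  1
afs                   360448  0'

printf '%s\n' "$SAMPLE" | loaded_legacy
modprobe_rules | head -4
io_uring_status || :
```

On a real host, replace the sample with `lsmod | loaded_legacy` and write `modprobe_rules` to a file under /etc/modprobe.d/; `update-initramfs` is needed afterwards on Debian for the rules to apply at early boot.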


You're kind of making my point. Perhaps we will see a trend where support for many things is not available by default and needs to be installed as needed. Linux doesn't need to come with support for this and that (like AX.25) when it can be installed in seconds if truly needed. Doesn't OpenBSD already take this approach?
