Skip to content

Refactor /etc/modprobe.d/* #230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
adrelanos merged 7 commits into from
Jul 13, 2024
Merged

Refactor /etc/modprobe.d/* #230

adrelanos merged 7 commits into from
Jul 13, 2024

Conversation

@raja-grewal
Copy link
Contributor

@raja-grewal raja-grewal commented Jul 11, 2024

Refactor kernel module blacklisting and disabling for clarity, ease-of-use, and future-proofing.

In preparation for future planned changes.

If this PR is approved, I plan on immediately introducing many new additions to our existing module blacklisting and disabling. The splitting of the configuration is necessary to improve readability and not result in a single bewilderingly lengthy configuration file.

Changes

Splits /etc/modprobe.d/30-security-misc.conf into two distinct configuration files, one for blacklisting and one for disabling. Improved documentation of relevant files.

There are no changes to the actual functionality of the code.

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@raja-grewal
Copy link
Contributor Author

raja-grewal commented Jul 11, 2024

https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/34

https://forums.whonix.org/t/kernel-hardening-security-misc/7296/549

@adrelanos adrelanos merged commit f34b9d7 into Kicksecure:master Jul 13, 2024
@raja-grewal raja-grewal mentioned this pull request Jul 13, 2024
Merged
4 tasks
adrelanos
adrelanos reviewed Jul 15, 2024
View reviewed changes
etc/modprobe.d/30_security-misc_disable.conf
## Disable thunderbolt and firewire modules to prevent some DMA attacks
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install firewire-core /usr/bin/disabled-firewire-by-security-misc
install firewire_core /usr/bin/disabled-firewire-by-security-misc
Copy link
Member

@adrelanos adrelanos Jul 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line was forgotten.

@adrelanos
Copy link
Member

adrelanos commented Jul 15, 2024

Other forgotten lines:

install firewire_core /usr/bin/disabled-firewire-by-security-misc
install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc

I guess that was: 275a4ff

So the module always have - not _?

@adrelanos
Copy link
Member

adrelanos commented Jul 15, 2024

Quote man modprobe:

modprobe intelligently adds or removes a module from the Linux kernel: note that for convenience, there is no difference between _ and - in module names (automatic underscore conversion is performed).

@adrelanos
Copy link
Member

adrelanos commented Jul 15, 2024

Quote man modprobe.d:

Note that module and alias names (like other module names) can have - or _ in them: both are interchangeable throughout all the module commands as underscore conversion happens automatically.

So this seems fine. No need to duplicate firewire_core, firewire-core etc.

@raja-grewal raja-grewal mentioned this pull request Nov 21, 2025
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adrelanos adrelanos adrelanos left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@raja-grewal @adrelanos