Conversation

@raja-grewal
Contributor

Reduces attack surface by expanding the list of disabled kernel modules relating to file systems, GPS, network file systems, network protocols/drivers, Thunderbolt, and some miscellaneous drivers. Also provides option to disable more Bluetooth modules.

Applies some suggestions in Issue #224.

Changes

Updated security-misc.maintscript.

Moved some previously blacklisted modules to the disabled list.

Replaces disabled-vivid-by-security-misc with a more general disabled-miscellaneous-by-security-misc that can be used for other modules.

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@raja-grewal
Contributor Author

rm_conffile /etc/permission-hardening.d/30_default.conf

## repalced with /usr/bin/disabled-miscellaneous-by-security-misc
rm_conffile /usr/bin/disabled-vivid-by-security-misc
(No newline at end of file)
Member


These 3 lines need to be removed.

Only files in /etc need to be added to maintscript because these are configuration files and handled differently by dpkg. Files in other locations such as folder /usr must not be added there.

(Otherwise a newline at end would be needed too.)

Not a big deal. I can undo this after merge.

@adrelanos
Member

adrelanos commented Jul 15, 2024

What is the rationale for disabling...?

install brcm80211 /usr/bin/disabled-network-by-security-misc
install eepro100 /usr/bin/disabled-network-by-security-misc
install eth1394 /usr/bin/disabled-network-by-security-misc

Could not find any references.

install atm /usr/bin/disabled-network-by-security-misc
install ueagle-atm /usr/bin/disabled-network-by-security-misc
install usbatm /usr/bin/disabled-network-by-security-misc
install xusbatm /usr/bin/disabled-network-by-security-misc

ADSL USB modems might still be in use?

@adrelanos
Member

I will merge this but comment these out pending further discussion, and potentially comment them in later.

adrelanos added a commit that referenced this pull request Jul 15, 2024
@adrelanos adrelanos closed this in fe0846c Jul 15, 2024
@adrelanos adrelanos merged commit 41f0b53 into Kicksecure:master Jul 15, 2024
@raja-grewal
Contributor Author

The following two modules had already been blacklisted by us in 61ef9bd for about two years and as far as I am aware there have been no complaints. They were originally sourced from Ubuntu's /etc/modprobe.d/*.

install eepro100 /usr/bin/disabled-network-by-security-misc
install eth1394 /usr/bin/disabled-network-by-security-misc

Regarding brcm80211 and atm, continue discussion at #224 (comment).

@adrelanos
Member

adrelanos commented Jul 16, 2024 via email

@raja-grewal
Contributor Author

ADSL USB modems might still be in use?

Note that disabling atm also disables those 3 corresponding modules.

See:

[u@p]$ doas modprobe ueagle-atm
sh: line 1: /usr/bin/disabled-network-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-network-by-security-misc' for module atm: retcode 127
modprobe: ERROR: could not insert 'ueagle_atm': Invalid argument
[u@p]$ doas modprobe usbatm
sh: line 1: /usr/bin/disabled-network-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-network-by-security-misc' for module atm: retcode 127
modprobe: ERROR: could not insert 'usbatm': Invalid argument
[u@p]$ doas modprobe xusbatm
sh: line 1: /usr/bin/disabled-network-by-security-misc: No such file or directory
modprobe: ERROR: Error running install command '/usr/bin/disabled-network-by-security-misc' for module atm: retcode 127
modprobe: ERROR: could not insert 'xusbatm': Invalid argument

ATM has been disabled for over two years and so I don't see why we need to comment out those 3 since they have not worked since then.

Therefore, for the time being I am going to 'disable' them again so users do not get confused as to what is going on.

@raja-grewal raja-grewal deleted the kernel_modules branch July 17, 2024 13:23
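The modprobe output above shows why a single install override on atm is enough to block ueagle-atm, usbatm and xusbatm: modprobe inserts a module's dependencies before the module itself, and a failing install command on any of them fails the whole load. The script below is an added example (not code from this pull request or from Kicksecure's security-misc) that models that behaviour, and also the difference the PR description relies on when it moves modules from the blacklist to the disabled list: an install directive blocks an explicit modprobe, whereas blacklist only suppresses alias-based autoloading. The modprobe.d fragment and the modules.dep-style dependency map are constructed; the install target path is copied from the discussion and is never executed here.

```shell
#!/bin/sh
# Added example, not security-misc code. Models how modprobe treats:
#   install <mod> <cmd>  : runs <cmd> instead of inserting <mod>; a non-zero
#                          exit fails the load even when <mod> is only a
#                          dependency of the module actually requested
#   blacklist <mod>      : only suppresses alias-based autoloading; an
#                          explicit "modprobe <mod>" still inserts it
# modprobe inserts dependencies before the requested module, so an install
# override on "atm" stops every module that depends on atm.

# Constructed modprobe.d fragment (install target path is an assumption copied
# from the discussion; this script never runs it).
MODPROBE_CONF='install atm /usr/bin/disabled-network-by-security-misc
install brcm80211 /usr/bin/disabled-network-by-security-misc
blacklist pcspkr'

# Constructed modules.dep-style map ("module: transitive deps"). The atm chain
# mirrors the thread's modprobe output; the exact lists are an assumption.
MODULES_DEP='ueagle_atm: usbatm atm
usbatm: atm
xusbatm: usbatm atm
atm:
brcm80211:
pcspkr:'

# modprobe treats '-' and '_' in module names as equivalent.
norm() { printf '%s' "$1" | tr '-' '_'; }

# has_install NAME: succeeds if an "install NAME ..." directive exists.
has_install() {
    printf '%s\n' "$MODPROBE_CONF" | tr '-' '_' \
        | awk -v m="$(norm "$1")" '$1 == "install" && $2 == m { f = 1 } END { exit f ? 0 : 1 }'
}

# is_blacklisted NAME: succeeds if a "blacklist NAME" directive exists.
is_blacklisted() {
    printf '%s\n' "$MODPROBE_CONF" | tr '-' '_' \
        | awk -v m="$(norm "$1")" '$1 == "blacklist" && $2 == m { f = 1 } END { exit f ? 0 : 1 }'
}

# deps NAME: prints NAME's dependency list from the map (empty if none).
deps() {
    printf '%s\n' "$MODULES_DEP" | tr '-' '_' \
        | awk -F': *' -v m="$(norm "$1")" '$1 == m { print $2 }'
}

# blocked_by NAME: prints the module whose install override makes an explicit
# "modprobe NAME" fail (a dependency first, then NAME itself); returns 1 if none.
blocked_by() {
    for d in $(deps "$1"); do
        if has_install "$d"; then norm "$d"; echo; return 0; fi
    done
    if has_install "$1"; then norm "$1"; echo; return 0; fi
    return 1
}

# effective_state NAME: "disabled", "blacklisted" or "loadable" for an
# explicit "modprobe NAME".
effective_state() {
    if blocked_by "$1" >/dev/null; then
        echo "disabled"
    elif is_blacklisted "$1"; then
        echo "blacklisted"
    else
        echo "loadable"
    fi
}

# Walk the modules from the thread plus the blacklist-only case.
for m in ueagle-atm usbatm xusbatm atm brcm80211 pcspkr; do
    printf '%-10s %-11s blocked by: %s\n' "$m" "$(effective_state "$m")" "$(blocked_by "$m" || echo -)"
done
```

On a real system the same checks are `modprobe --showconfig | grep '^install '` to list the active overrides, `modinfo -F depends <module>` to see which dependencies will be pulled in first, and `modprobe -n -v <module>` to dry-run the load and see which install command modprobe would hit without executing it. The blacklist-only row is the caveat worth keeping in mind when reviewing the lists in this PR: a blacklisted module is still one explicit modprobe away from being loaded, while a module on a disabled list is not.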