LinuxQuestions.org
Old 10-10-2008, 04:11 AM   #1
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Rep: Reputation: 15
Can I deny modules loading, except my whitelist?


Hi all,

I am wondering if there is a way to restrict module loading on my machine to only the ones I chose (listed in a modprobe)?

I know I can blacklist some modules, but I need their name.

I would like to deny all modules other than the ones I defined as mandatory.

Thanks
 
Old 10-11-2008, 12:06 AM   #2
smbell100
Member
 
Registered: Sep 2007
Location: Shetland, UK
Distribution: Slackware, Mandrake, LFS
Posts: 59

Rep: Reputation: 16
You could always delete all except the ones you want. This will certainly stop them loading.

To be safe, just move them at first so that they can be replaced if things stop working.
 
Old 10-11-2008, 12:44 AM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
You can add them to the /etc/modprobe.d/blacklist file.

If there is one module you want to blacklist, you can try adding "broken-modules=<module name>" as a kernel boot option. It will be added to the blacklist file. I don't know if this is true for all kernels and distros however.

Last edited by jschiwal; 10-11-2008 at 03:42 AM.
 
Old 10-11-2008, 03:51 AM   #4
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
Quote:
You can add them to the /etc/modprobe.d/blacklist file.
With the blacklist, I have to give the names of all the modules I don't want.
It is the opposite I would like to do.
Allow some modules I explicitly know, and deny all the others that exist and that could exist.

There is no white-list?
 
Old 10-11-2008, 09:09 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by PlatinumX
There is no white-list?
Apparently not, and if you think about it some more you might conclude it's not bad. I guess the option was meant to block loading drivers that are b0rken, malfunctioned or for other reasons say like not using IPv6. Since the kernel knows and can figure out module dependencies all by itself, overriding it could break things. Having to search a whitelist during every module op slows things down as well. The general consensus I think would be to compile a kernel with only the LKMs you need. If you have specific security-related requirements (do post) then we could possibly find a workaround but that won't be a standard solution and might require something path-based like Tomoyo or a script and relocating some modutils.
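
One way to approximate the whitelist asked for above with the stock modprobe configuration, as an added example that is not part of any post in this thread: list every module in a kernel's module tree and emit an `install <name> /bin/false` rule for each one that is not on the whitelist. The function names, the whitelist file format and the paths in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: turn a whitelist into deny rules for
# every other module in a kernel's module tree.

# modprobe treats '-' and '_' in module names as equivalent; normalise to '_'.
normalise() { tr '-' '_'; }

# Print the name of every module file under tree $1 (path and .ko* suffix removed).
list_modules() {
    find "$1" -type f \( -name '*.ko' -o -name '*.ko.*' \) |
        sed -e 's|.*/||' -e 's|\.ko.*$||' | normalise | sort -u
}

# gen_module_denylist TREE WHITELIST
# Emit "install NAME /bin/false" for each module in TREE not named in WHITELIST
# (one name per line, '#' comments allowed).
gen_module_denylist() {
    allowed=$(mktemp) || return 1
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$2" |
        normalise | sort -u > "$allowed"
    list_modules "$1" | grep -Fvx -f "$allowed" |
        sed 's|.*|install & /bin/false|'
    rm -f "$allowed"
}

# Constructed sample: a fake module tree and a two-entry whitelist.
demo_denylist() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/kernel/fs" "$d/kernel/net" "$d/kernel/drivers"
    : > "$d/kernel/fs/ext3.ko"
    : > "$d/kernel/fs/cramfs.ko"
    : > "$d/kernel/net/ipv6.ko"
    : > "$d/kernel/drivers/usb-storage.ko.gz"
    printf '%s\n' '# mandatory modules' 'ext3' 'usb_storage' > "$d/whitelist"
    gen_module_denylist "$d/kernel" "$d/whitelist"
    rm -rf "$d"
}

# Real use (paths are assumptions; review the output before installing it):
#   gen_module_denylist "/lib/modules/$(uname -r)" /etc/modules.whitelist \
#       > /etc/modprobe.d/deny-unlisted.conf
demo_denylist
```

The whitelist has to name the dependencies of every allowed module as well, otherwise modprobe fails when it reaches a denied dependency, which is the breakage post #5 warns about. The rules only apply to loads that go through modprobe; a module file handed directly to insmod is not checked against them.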
 
Old 10-11-2008, 02:48 PM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
For security, one thing to consider is recompiling a new kernel with modules you don't need unselected.
The LKMs won't be created or produced. You can even try building a flat kernel with everything compiled into the kernel and disabling loadable modules altogether.
 
Old 10-13-2008, 02:03 AM   #7
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
Hey,

Quote:
If you have specific security-related requirements (do post)
Yes, it is security related.
I did not mention it because I did not know it would change the answer.

After reading documents, yes I think one solution is compiling in flat mode, disabling LKMs loading.

To keep flexibility of LKMs and add security, I found a solution with the GrSecurity kernel patch.

Thanks for the advice.

Last edited by PlatinumX; 10-13-2008 at 02:06 AM.
 
Old 10-14-2008, 01:56 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by PlatinumX
Yes, it is security related. I did not mention it because I did not know it would change the answer.
If you don't post it you won't know. Any particular reasons you would like us to know?


Quote:
Originally Posted by PlatinumX
To keep flexibility of LKMs and add security, I found a solution with the GrSecurity kernel patch.
Do you mean that GRSecurity allows you to keep LKMs from loading?
 
Old 10-15-2008, 04:51 AM   #9
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
Quote:
If you don't post it you won't know. Any particular reasons you would like us to know?
Look, it is factual: security, availability, performance, flexibility or whatever... does it change the fact that there is a whitelist in the system? I think not.

Quote:
Do you mean that GRSecurity allows you to keep LKMs from loading?
Yes
 
  

