Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
You can add them to the /etc/modprobe.d/blacklist file.
If there is one module you want to blacklist, you can try adding "broken-modules=<module name>" as a kernel boot option. It will be added to the blacklist file. I don't know if this is true for all kernels and distros however.
You can add them to the /etc/modprobe.d/blacklist file.
With the blacklist, I have to give the names of all the modules I don't want.
It is the opposite I would like to do.
Allow some modules I explicitly know, and deny all the others that exist and that could exist.
Apparently not, and if you think about it some more you might conclude it's not bad. I guess the option was meant to block loading drivers that are b0rken, malfunctioned or for other reasons say like not using IPv6. Since the kernel knows and can figure out module dependencies all by itself, overriding it could break things. Having to search a whitelist during every module op slows things down as well. The general consensus I think would be to compile a kernel with only the LKMs you need. If you have specific security-related requirements (do post) then we could possibly find a workaround but that won't be a standard solution and might require something path-based like Tomoyo or a script and relocating some modutils.
For security, one thing to consider is recompiling a new kernel with modules you don't need unselected.
The LKMs won't be created or produced. You can even try building a flat kernel with everything compiled into the kernel and disabling loadable modules altogether.
If you don't post it you won't know. Any particular reasons you would like us to know?
Look, it is factual: security, availability, performance, flexibility or whatever... does it change the fact that there is a whitelist in the system? I think no.
Quote:
Do you mean that GRSecurity allows you to keep LKMs from loading?
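The thread asks for an allowlist where modprobe only offers a denylist. As an added example (not part of the thread or written by any poster), this script approximates one by emitting an `install <module> /bin/false` line for every module in a tree that is not on an allowlist; the function names, the allowlist file format and the sample module names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: derive a modprobe.d deny file from an allowlist.
# Usage: gen_module_denylist <module-tree> <allowlist-file>
# Allowlist format (assumed here): one module name per line, '#' comments.

gen_module_denylist() {
    tree=$1
    allow=$2
    [ -d "$tree" ] || { echo "no such module tree: $tree" >&2; return 1; }
    [ -r "$allow" ] || { echo "cannot read allowlist: $allow" >&2; return 1; }

    # modprobe treats '-' and '_' in module names as the same character,
    # so both the allowlist and the on-disk names are normalised to '_'.
    allowed=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$allow" |
              tr '-' '_' | sort -u)

    # Collect module names from plain and compressed .ko files.
    find "$tree" -type f \( -name '*.ko' -o -name '*.ko.gz' \
                            -o -name '*.ko.xz' -o -name '*.ko.zst' \) |
    sed -e 's|.*/||' -e 's/\.ko\(\.[a-z]*\)\{0,1\}$//' | tr '-' '_' | sort -u |
    while IFS= read -r mod; do
        # Anything not explicitly allowed gets an "install ... /bin/false" line,
        # which makes modprobe run /bin/false instead of loading the module.
        if ! printf '%s\n' "$allowed" | grep -qxF -- "$mod"; then
            printf 'install %s /bin/false\n' "$mod"
        fi
    done
}

# Dry run on a constructed module tree and allowlist (sample data only).
demo_constructed() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/kernel/fs" "$d/kernel/net"
    : > "$d/kernel/fs/ext4.ko"
    : > "$d/kernel/fs/cramfs.ko.xz"
    : > "$d/kernel/net/nf-tables.ko.gz"
    : > "$d/kernel/net/dccp.ko"
    printf '%s\n' '# modules this host needs' 'ext4' 'nf_tables' > "$d/allow.txt"
    gen_module_denylist "$d/kernel" "$d/allow.txt"
    rm -rf "$d"
}

# Real use: pass the tree for the running kernel and your allowlist.
if [ "$#" -eq 2 ]; then
    gen_module_denylist "$1" "$2"
fi
```

The output is a snapshot of the modules present when the script runs, so it has to be regenerated after every kernel or module package update and does not cover modules that appear later. The `install` lines only affect loads that go through modprobe; `insmod` on a module file bypasses them.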