In the 90s I compiled all my kernels at home from source with just the drivers I needed. Only installed the packages I needed. Only enabled the services I needed. The Unix way. When the kernel added modules I was still only compiling a subset and generally loading them manually.
Obviously that doesn’t work for most users and distros sensibly started shipping with modules compiled for practically every need. Usually when I view distro security alerts they are for packages I don’t install. But I have all these damn kernel modules just waiting to automatically load. I know I can blacklist them individually but I wonder if there is a way to profile the modules I use and use a deny all/whitelist approach instead?
https://wiki.archlinux.org/title/Modprobed-db can create a profile of the kernel modules that get loaded by your system over time. You can feed that directly into make localmodconfig to build a kernel that only includes those modules, or use the data to build a modprobe whitelist.
Clearly you know of lot about this. Here are some comments for the next human.
Deny all modules seems more possible than a whitelist approach. To deny all, the command is likely “sysctl kernel.modules_disabled=1”.
Whitelisting is harder. One could store a list of all loaded modules on a working system. Store a list of all kernel modules currently installed on the system. Compare the lists and remove from the “all” list the “running” list (grep will do this) and write it to the blacklist file.
The problem with the Whitelisting approach is that it needs to run after every kernel module install (which is doable).
If the above is the case, then someone must have automated this already, but I cannot find it quickly. (I checked Debian’s package repository.)
Nah, that is the problem. It all got so dynamic and easy I don’t really know how the hundreds of active modules on my desktop are loaded, why or in what order anymore. The days when I could list a handful of modules to load at boot are long gone I think unless its an embedded device or perhaps a simple server.
Setting modules_disabled might be viable for a relatively static system. I have seen that one when looking at hardening servers in the past but thought it was a bit extreme. Perhaps not.
In the 90s I compiled all my kernels at home from source with just the drivers I needed. Only installed the packages I needed. Only enabled the services I needed. The Unix way. When the kernel added modules I was still only compiling a subset and generally loading them manually.
Obviously that doesn’t work for most users and distros sensibly started shipping with modules compiled for practically every need. Usually when I view distro security alerts they are for packages I don’t install. But I have all these damn kernel modules just waiting to automatically load. I know I can blacklist them individually but I wonder if there is a way to profile the modules I use and use a deny all/whitelist approach instead?
https://wiki.archlinux.org/title/Modprobed-db can create a profile of the kernel modules that get loaded by your system over time. You can feed that directly into
make localmodconfigto build a kernel that only includes those modules, or use the data to build a modprobe whitelist.Hm? Somehow, lemmy.zip messed up the proxying, (clickable link)? Good thing you’ve pasted it plaintext.
Clearly you know of lot about this. Here are some comments for the next human.
Deny all modules seems more possible than a whitelist approach. To deny all, the command is likely “sysctl kernel.modules_disabled=1”.
Whitelisting is harder. One could store a list of all loaded modules on a working system. Store a list of all kernel modules currently installed on the system. Compare the lists and remove from the “all” list the “running” list (grep will do this) and write it to the blacklist file.
The problem with the Whitelisting approach is that it needs to run after every kernel module install (which is doable).
If the above is the case, then someone must have automated this already, but I cannot find it quickly. (I checked Debian’s package repository.)
Nah, that is the problem. It all got so dynamic and easy I don’t really know how the hundreds of active modules on my desktop are loaded, why or in what order anymore. The days when I could list a handful of modules to load at boot are long gone I think unless its an embedded device or perhaps a simple server.
Setting modules_disabled might be viable for a relatively static system. I have seen that one when looking at hardening servers in the past but thought it was a bit extreme. Perhaps not.