security-misc/etc/modprobe.d/30_security-misc.conf

## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## https://phabricator.whonix.org/T486
options nf_conntrack nf_conntrack_helper=0

# Blacklists bluetooth to reduce attack surface.
# Bluetooth also has a history of security vulnerabilities:
#
# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
install bluetooth /bin/true
install btusb /bin/true

# Blacklist thunderbolt and firewire to prevent some DMA attacks.
install thunderbolt /bin/true
install firewire-core /bin/true
install firewire_core /bin/true
install firewire-ohci /bin/true
install firewire_ohci /bin/true
install ohci1394 /bin/true
install sbp2 /bin/true
install dv1394 /bin/true
install raw1394 /bin/true
install video1394 /bin/true
install firewire-sbp2 /bin/true

# Blacklist CPU MSRs as they can be abused to write to
# arbitrary memory.
install msr /bin/true

# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
#
# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
#
# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
#
# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
#
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
install netrom /bin/true
install x25 /bin/true
install rose /bin/true
install decnet /bin/true
install econet /bin/true
install af_802154 /bin/true
install ipx /bin/true
install appletalk /bin/true
install psnap /bin/true
install p8023 /bin/true
install p8022 /bin/true
install can /bin/true
install atm /bin/true

# Disable uncommon file systems to reduce attack surface
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install udf /bin/true

# Disable uncommon network filesystems to reduce attack surface
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install ksmbd /bin/true
install gfs2 /bin/true

## Blacklists the vivid kernel module as it's only required for
## testing and has been the cause of multiple vulnerabilities.
##
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
## https://www.openwall.com/lists/oss-security/2019/11/02/1
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
install vivid /bin/true

# Disable CD-ROM
install cdrom /bin/true
install sr_mod /bin/true

# Disable Intel Management Engine (ME) interface with OS
install mei /bin/true
install mei-me /bin/true
copyright 2022-05-21 01:46:38 +07:00			`## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 16:30:36 +07:00			`## See the file COPYING for copying conditions.`

			`## https://phabricator.whonix.org/T486`
			`options nf_conntrack nf_conntrack_helper=0`

			`# Blacklists bluetooth to reduce attack surface.`
			`# Bluetooth also has a history of security vulnerabilities:`
			`#`
			`# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns`
replace /bin/false -> /bin/true 2022-07-07 16:27:53 +07:00			`install bluetooth /bin/true`
			`install btusb /bin/true`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 16:30:36 +07:00
			`# Blacklist thunderbolt and firewire to prevent some DMA attacks.`
replace /bin/false -> /bin/true 2022-07-07 16:27:53 +07:00			`install thunderbolt /bin/true`
			`install firewire-core /bin/true`
			`install firewire_core /bin/true`
			`install firewire-ohci /bin/true`
			`install firewire_ohci /bin/true`
			`install ohci1394 /bin/true`
			`install sbp2 /bin/true`
			`install dv1394 /bin/true`
			`install raw1394 /bin/true`
			`install video1394 /bin/true`
			`install firewire-sbp2 /bin/true`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 16:30:36 +07:00
			`# Blacklist CPU MSRs as they can be abused to write to`
			`# arbitrary memory.`
replace /bin/false -> /bin/true 2022-07-07 16:27:53 +07:00			`install msr /bin/true`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 16:30:36 +07:00
			`# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.`
			`#`
			`# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.`
			`#`
			`# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.`
			`#`
			`# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.`
			`#`
replace /bin/false -> /bin/true 2022-07-07 16:27:53 +07:00			`install dccp /bin/true`
			`install sctp /bin/true`
			`install rds /bin/true`
			`install tipc /bin/true`
			`install n-hdlc /bin/true`
			`install ax25 /bin/true`
			`install netrom /bin/true`
			`install x25 /bin/true`
			`install rose /bin/true`
			`install decnet /bin/true`
			`install econet /bin/true`
			`install af_802154 /bin/true`
			`install ipx /bin/true`
			`install appletalk /bin/true`
			`install psnap /bin/true`
			`install p8023 /bin/true`
			`install p8022 /bin/true`
			`install can /bin/true`
			`install atm /bin/true`
Blacklist more modules 2020-09-20 02:46:19 +07:00
Blacklist more modules 2022-07-07 16:26:55 +07:00			`# Disable uncommon file systems to reduce attack surface`
replace /bin/false -> /bin/true 2022-07-07 16:27:53 +07:00			`install cramfs /bin/true`
			`install freevxfs /bin/true`
			`install jffs2 /bin/true`
			`install hfs /bin/true`
			`install hfsplus /bin/true`
			`install udf /bin/true`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 16:30:36 +07:00
Blacklist more modules 2022-07-07 16:26:55 +07:00			`# Disable uncommon network filesystems to reduce attack surface`
replace /bin/false -> /bin/true 2022-07-07 16:27:53 +07:00			`install cifs /bin/true`
			`install nfs /bin/true`
			`install nfsv3 /bin/true`
			`install nfsv4 /bin/true`
			`install ksmbd /bin/true`
			`install gfs2 /bin/true`
Blacklist more modules 2022-07-07 16:26:55 +07:00
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 16:30:36 +07:00			`## Blacklists the vivid kernel module as it's only required for`
			`## testing and has been the cause of multiple vulnerabilities.`
			`##`
			`## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233`
			`## https://www.openwall.com/lists/oss-security/2019/11/02/1`
			`## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475`
replace /bin/false -> /bin/true 2022-07-07 16:27:53 +07:00			`install vivid /bin/true`
Blacklist more modules 2022-07-07 16:26:55 +07:00
			`# Disable CD-ROM`
replace /bin/false -> /bin/true 2022-07-07 16:27:53 +07:00			`install cdrom /bin/true`
			`install sr_mod /bin/true`
Blacklist more modules 2022-07-07 16:26:55 +07:00
			`# Disable Intel Management Engine (ME) interface with OS`
replace /bin/false -> /bin/true 2022-07-07 16:27:53 +07:00			`install mei /bin/true`
			`install mei-me /bin/true`