From 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 Mon Sep 17 00:00:00 2001
From: Raja Grewal <rg_public@proton.me>
Date: Wed, 21 Aug 2024 12:50:14 +1000
Subject: [PATCH] Refactor modprobe.d to minimise potential future merge
 conflicts

---
 README.md                                     |  35 ++--
 .../30_security-misc_blacklist.conf           |   4 +-
 etc/modprobe.d/30_security-misc_disable.conf  | 162 ++++++++++--------
 3 files changed, 113 insertions(+), 88 deletions(-)

diff --git a/README.md b/README.md
index da9254a..4742384 100644
--- a/README.md
+++ b/README.md
@@ -223,17 +223,12 @@ modules from starting. This approach should not be considered comprehensive;
 rather, it is a form of badness enumeration. Any potential candidates for future
 disabling should first be blacklisted for a suitable amount of time.
 
+Hardware modules:
+
 - Optional - Bluetooth: Disabled to reduce attack surface.
 
-- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
-
-- File Systems: Disable uncommon and legacy file systems.
-
 - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
 
-- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause
-  kernel panics, and are generally only used by legacy devices.
-
 - GPS: Disable GPS-related modules such as those required for Global Navigation
   Satellite Systems (GNSS).
 
@@ -244,20 +239,38 @@ disabling should first be blacklisted for a suitable amount of time.
 - Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality
   of the Intel PMT components.
 
+- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
+
+File system modules:
+
+- File Systems: Disable uncommon and legacy file systems.
+
 - Network File Systems: Disable uncommon and legacy network file systems.
 
+Networking modules:
+
 - Network Protocols: A wide array of uncommon and legacy network protocols and drivers
   are disabled.
 
-- Miscellaneous: Disable an assortment of other modules such as those required
-  for amateur radio, floppy disks, and vivid. Also disable legacy drivers that
-  have been entirely replaced by newer drivers.
+Miscellaneous modules:
 
-- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
+- Amateur Radios: Disabled to reduce attack surface.
+
+- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
+
+- Floppy Disks: Disabled to reduce attack surface.
+
+- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause
+  kernel panics, and are generally only used by legacy devices.
+
+- Replaced Modules: Disabled legacy drivers that have been entirely replaced and
+  superseded by newer drivers.
 
 - Optional - USB Video Device Class: Disables the USB-based video streaming driver for
   devices like some webcams and digital camcorders.
 
+- Vivid: Disabled to reduce attack surface given previous vulnerabilities.
+
 ### Other
 
 - A systemd service clears the System.map file on boot as these contain kernel
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index 34e1124..8386800 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -22,7 +22,7 @@ blacklist sr_mod
 #install sr_mod /usr/bin/disabled-cdrom-by-security-misc
 
 ## Miscellaneous:
-##
+
 ## GrapheneOS:
 ## Partial selection of their infrastructure blacklist.
 ## Duplicate and already disabled modules have been omitted.
@@ -39,7 +39,7 @@ blacklist snd_intel8x0
 #blacklist tls
 #blacklist virtio_balloon
 #blacklist virtio_console
-##
+
 ## Ubuntu:
 ## Already disabled modules have been omitted.
 ##
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 3a72b0e..3df5a51 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -8,6 +8,14 @@
 ## Blacklisting prevents kernel modules from automatically starting.
 ## Disabling prohibits kernel modules from starting.
 
+## This configuration file is split into 4 sections:
+## 1. Hardware
+## 2. File Systems
+## 3. Networking
+## 4. Miscellaneous
+
+## 1. Hardware:
+
 ## Bluetooth:
 ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
 ##
@@ -34,27 +42,6 @@
 #install btusb /usr/bin/disabled-bluetooth-by-security-misc
 #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
 
-## CPU Model-Specific Registers (MSRs):
-## Disable CPU MSRs as they can be abused to write to arbitrary memory.
-##
-## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
-## https://github.com/Kicksecure/security-misc/issues/215
-##
-#install msr /usr/bin/disabled-miscellaneous-by-security-misc
-
-## File Systems:
-## Disable uncommon file systems to reduce attack surface.
-## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
-##
-install cramfs /usr/bin/disabled-filesys-by-security-misc
-install freevxfs /usr/bin/disabled-filesys-by-security-misc
-install hfs /usr/bin/disabled-filesys-by-security-misc
-install hfsplus /usr/bin/disabled-filesys-by-security-misc
-install jffs2 /usr/bin/disabled-filesys-by-security-misc
-install jfs /usr/bin/disabled-filesys-by-security-misc
-install reiserfs /usr/bin/disabled-filesys-by-security-misc
-install udf /usr/bin/disabled-filesys-by-security-misc
-
 ## FireWire (IEEE 1394):
 ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
 ##
@@ -70,43 +57,6 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
 install sbp2 /usr/bin/disabled-firewire-by-security-misc
 install video1394 /usr/bin/disabled-firewire-by-security-misc
 
-## Framebuffer (fbdev):
-## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
-## These were all previously blacklisted.
-##
-## https://docs.kernel.org/fb/index.html
-## https://en.wikipedia.org/wiki/Linux_framebuffer
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
-##
-install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
-install atyfb /usr/bin/disabled-framebuffer-by-security-misc
-install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
-install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
-install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
-install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
-install hgafb /usr/bin/disabled-framebuffer-by-security-misc
-install i810fb /usr/bin/disabled-framebuffer-by-security-misc
-install intelfb /usr/bin/disabled-framebuffer-by-security-misc
-install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
-install lxfb /usr/bin/disabled-framebuffer-by-security-misc
-install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
-install neofb /usr/bin/disabled-framebuffer-by-security-misc
-install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
-install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
-install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
-install rivafb /usr/bin/disabled-framebuffer-by-security-misc
-install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
-install savagefb /usr/bin/disabled-framebuffer-by-security-misc
-install sisfb /usr/bin/disabled-framebuffer-by-security-misc
-install sstfb /usr/bin/disabled-framebuffer-by-security-misc
-install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
-install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
-install vesafb /usr/bin/disabled-framebuffer-by-security-misc
-install vfb /usr/bin/disabled-framebuffer-by-security-misc
-install viafb /usr/bin/disabled-framebuffer-by-security-misc
-install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
-install udlfb /usr/bin/disabled-framebuffer-by-security-misc
-
 ## Global Positioning Systems (GPS):
 ## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
 ##
@@ -152,6 +102,30 @@ install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
 install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
 install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
 
+## Thunderbolt:
+## Disables Thunderbolt modules to prevent some DMA attacks.
+##
+## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
+##
+install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
+
+## 2. File Systems:
+
+## File Systems:
+## Disable uncommon file systems to reduce attack surface.
+## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
+##
+install cramfs /usr/bin/disabled-filesys-by-security-misc
+install freevxfs /usr/bin/disabled-filesys-by-security-misc
+install hfs /usr/bin/disabled-filesys-by-security-misc
+install hfsplus /usr/bin/disabled-filesys-by-security-misc
+install jffs2 /usr/bin/disabled-filesys-by-security-misc
+install jfs /usr/bin/disabled-filesys-by-security-misc
+install reiserfs /usr/bin/disabled-filesys-by-security-misc
+install udf /usr/bin/disabled-filesys-by-security-misc
+
 ## Network File Systems:
 ## Disable uncommon network file systems to reduce attack surface.
 ##
@@ -175,6 +149,8 @@ install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
 
+## 2. Networking:
+
 ## Network Protocols:
 ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
 ## Previously had blacklisted eepro100 and eth1394.
@@ -249,17 +225,62 @@ install rds_tcp /usr/bin/disabled-network-by-security-misc
 install sctp /usr/bin/disabled-network-by-security-misc
 install sctp_diag /usr/bin/disabled-network-by-security-misc
 
-## Miscellaneous:
-##
+## 4. Miscellaneous:
+
 ## Amateur Radios:
 ##
 install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
+
+## CPU Model-Specific Registers (MSRs):
+## Disable CPU MSRs as they can be abused to write to arbitrary memory.
 ##
+## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
+## https://github.com/Kicksecure/security-misc/issues/215
+##
+#install msr /usr/bin/disabled-miscellaneous-by-security-misc
+
 ## Floppy Disks:
 ##
 install floppy /usr/bin/disabled-miscellaneous-by-security-misc
+
+## Framebuffer (fbdev):
+## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
+## These were all previously blacklisted.
 ##
-## Replaced:
+## https://docs.kernel.org/fb/index.html
+## https://en.wikipedia.org/wiki/Linux_framebuffer
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+##
+install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
+install atyfb /usr/bin/disabled-framebuffer-by-security-misc
+install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
+install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
+install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
+install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
+install hgafb /usr/bin/disabled-framebuffer-by-security-misc
+install i810fb /usr/bin/disabled-framebuffer-by-security-misc
+install intelfb /usr/bin/disabled-framebuffer-by-security-misc
+install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
+install lxfb /usr/bin/disabled-framebuffer-by-security-misc
+install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
+install neofb /usr/bin/disabled-framebuffer-by-security-misc
+install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
+install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
+install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
+install rivafb /usr/bin/disabled-framebuffer-by-security-misc
+install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
+install savagefb /usr/bin/disabled-framebuffer-by-security-misc
+install sisfb /usr/bin/disabled-framebuffer-by-security-misc
+install sstfb /usr/bin/disabled-framebuffer-by-security-misc
+install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
+install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
+install vesafb /usr/bin/disabled-framebuffer-by-security-misc
+install vfb /usr/bin/disabled-framebuffer-by-security-misc
+install viafb /usr/bin/disabled-framebuffer-by-security-misc
+install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
+install udlfb /usr/bin/disabled-framebuffer-by-security-misc
+
+## Replaced Modules:
 ## These legacy drivers have all been entirely replaced and superseded by newer drivers.
 ## These were all previously blacklisted.
 ##
@@ -269,7 +290,12 @@ install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
 install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
 install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
 install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
+
+## USB Video Device Class:
+## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
 ##
+#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
+
 ## Vivid:
 ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
 ##
@@ -278,17 +304,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 ##
 install vivid /usr/bin/disabled-miscellaneous-by-security-misc
-
-## Thunderbolt:
-## Disables Thunderbolt modules to prevent some DMA attacks.
-##
-## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
-##
-install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
-install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
-install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
-
-## USB Video Device Class:
-## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
-##
-#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc