mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-07-31 15:20:23 +07:00
Code Issues Packages Projects Releases Wiki Activity

Refactor modprobe.d to minimise potential future merge conflicts

Browse Source
This commit is contained in:
Raja Grewal
2024-08-21 12:50:14 +10:00
parent e962153f84
commit 18ed77ecc9
3 changed files with 113 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
etc/modprobe.d/30_security-misc_blacklist.conf
View File

@ -22,7 +22,7 @@ blacklist sr_mod
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
## Miscellaneous:
##
## GrapheneOS:
## Partial selection of their infrastructure blacklist.
## Duplicate and already disabled modules have been omitted.
@ -39,7 +39,7 @@ blacklist snd_intel8x0
#blacklist tls
#blacklist virtio_balloon
#blacklist virtio_console
##
## Ubuntu:
## Already disabled modules have been omitted.
##

162
etc/modprobe.d/30_security-misc_disable.conf
View File

@ -8,6 +8,14 @@
## Blacklisting prevents kernel modules from automatically starting.
## Disabling prohibits kernel modules from starting.
## This configuration file is split into 4 sections:
## 1. Hardware
## 2. File Systems
## 3. Networking
## 4. Miscellaneous
## 1. Hardware:
## Bluetooth:
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
##
@ -34,27 +42,6 @@
#install btusb /usr/bin/disabled-bluetooth-by-security-misc
#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
## CPU Model-Specific Registers (MSRs):
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
##
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215
##
#install msr /usr/bin/disabled-miscellaneous-by-security-misc
## File Systems:
## Disable uncommon file systems to reduce attack surface.
## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
##
install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc
install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /usr/bin/disabled-filesys-by-security-misc
install jffs2 /usr/bin/disabled-filesys-by-security-misc
install jfs /usr/bin/disabled-filesys-by-security-misc
install reiserfs /usr/bin/disabled-filesys-by-security-misc
install udf /usr/bin/disabled-filesys-by-security-misc
## FireWire (IEEE 1394):
## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
##
@ -70,43 +57,6 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
install sbp2 /usr/bin/disabled-firewire-by-security-misc
install video1394 /usr/bin/disabled-firewire-by-security-misc
## Framebuffer (fbdev):
## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
## These were all previously blacklisted.
##
## https://docs.kernel.org/fb/index.html
## https://en.wikipedia.org/wiki/Linux_framebuffer
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
##
install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
install atyfb /usr/bin/disabled-framebuffer-by-security-misc
install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
install hgafb /usr/bin/disabled-framebuffer-by-security-misc
install i810fb /usr/bin/disabled-framebuffer-by-security-misc
install intelfb /usr/bin/disabled-framebuffer-by-security-misc
install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
install lxfb /usr/bin/disabled-framebuffer-by-security-misc
install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
install neofb /usr/bin/disabled-framebuffer-by-security-misc
install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
install rivafb /usr/bin/disabled-framebuffer-by-security-misc
install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
install savagefb /usr/bin/disabled-framebuffer-by-security-misc
install sisfb /usr/bin/disabled-framebuffer-by-security-misc
install sstfb /usr/bin/disabled-framebuffer-by-security-misc
install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
install vesafb /usr/bin/disabled-framebuffer-by-security-misc
install vfb /usr/bin/disabled-framebuffer-by-security-misc
install viafb /usr/bin/disabled-framebuffer-by-security-misc
install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
install udlfb /usr/bin/disabled-framebuffer-by-security-misc
## Global Positioning Systems (GPS):
## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
##
@ -152,6 +102,30 @@ install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
## Thunderbolt:
## Disables Thunderbolt modules to prevent some DMA attacks.
##
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
##
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
## 2. File Systems:
## File Systems:
## Disable uncommon file systems to reduce attack surface.
## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
##
install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc
install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /usr/bin/disabled-filesys-by-security-misc
install jffs2 /usr/bin/disabled-filesys-by-security-misc
install jfs /usr/bin/disabled-filesys-by-security-misc
install reiserfs /usr/bin/disabled-filesys-by-security-misc
install udf /usr/bin/disabled-filesys-by-security-misc
## Network File Systems:
## Disable uncommon network file systems to reduce attack surface.
##
@ -175,6 +149,8 @@ install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
## 2. Networking:
## Network Protocols:
## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
## Previously had blacklisted eepro100 and eth1394.
@ -249,17 +225,62 @@ install rds_tcp /usr/bin/disabled-network-by-security-misc
install sctp /usr/bin/disabled-network-by-security-misc
install sctp_diag /usr/bin/disabled-network-by-security-misc
## Miscellaneous:
##
## 4. Miscellaneous:
## Amateur Radios:
##
install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
## CPU Model-Specific Registers (MSRs):
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
##
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215
##
#install msr /usr/bin/disabled-miscellaneous-by-security-misc
## Floppy Disks:
##
install floppy /usr/bin/disabled-miscellaneous-by-security-misc
## Framebuffer (fbdev):
## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
## These were all previously blacklisted.
##
## Replaced:
## https://docs.kernel.org/fb/index.html
## https://en.wikipedia.org/wiki/Linux_framebuffer
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
##
install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
install atyfb /usr/bin/disabled-framebuffer-by-security-misc
install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
install hgafb /usr/bin/disabled-framebuffer-by-security-misc
install i810fb /usr/bin/disabled-framebuffer-by-security-misc
install intelfb /usr/bin/disabled-framebuffer-by-security-misc
install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
install lxfb /usr/bin/disabled-framebuffer-by-security-misc
install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
install neofb /usr/bin/disabled-framebuffer-by-security-misc
install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
install rivafb /usr/bin/disabled-framebuffer-by-security-misc
install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
install savagefb /usr/bin/disabled-framebuffer-by-security-misc
install sisfb /usr/bin/disabled-framebuffer-by-security-misc
install sstfb /usr/bin/disabled-framebuffer-by-security-misc
install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
install vesafb /usr/bin/disabled-framebuffer-by-security-misc
install vfb /usr/bin/disabled-framebuffer-by-security-misc
install viafb /usr/bin/disabled-framebuffer-by-security-misc
install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
install udlfb /usr/bin/disabled-framebuffer-by-security-misc
## Replaced Modules:
## These legacy drivers have all been entirely replaced and superseded by newer drivers.
## These were all previously blacklisted.
##
@ -269,7 +290,12 @@ install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
## USB Video Device Class:
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
##
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
## Vivid:
## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
##
@ -278,17 +304,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
##
install vivid /usr/bin/disabled-miscellaneous-by-security-misc
## Thunderbolt:
## Disables Thunderbolt modules to prevent some DMA attacks.
##
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
##
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
## USB Video Device Class:
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
##
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc