From e5f8004a9401727f1be2db492ea756bc19090866 Mon Sep 17 00:00:00 2001
From: Krish-sysadmin
Date: Tue, 5 Jul 2022 03:37:40 +0200
Subject: [PATCH 01/27] Update hide-hardware-info

---
 usr/libexec/security-misc/hide-hardware-info | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info
index 4d1c8ca..30c2db8 100755
--- a/usr/libexec/security-misc/hide-hardware-info
+++ b/usr/libexec/security-misc/hide-hardware-info
@@ -93,9 +93,9 @@ if [ -d /sys/fs/selinux ]; then
 for i in /sys/* /sys/fs/*
 do
 if [ "${sysfs_whitelist}" = "1" ]; then
- chmod o-rwx "${i}"
+ chmod o-rwx "${i}" || continue
 else
- chmod og-rwx "${i}"
+ chmod og-rwx "${i}" || continue
 fi
 done
 chmod o+rx /sys /sys/fs /sys/fs/selinux

From 18d67dbc5309a2403bece92881e671f46dc27f86 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 7 Jul 2022 09:26:55 +0000
Subject: [PATCH 02/27] Blacklist more modules

---
 etc/modprobe.d/30_security-misc.conf | 33 ++++++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)

diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 7f177e6..03d902e 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -12,8 +12,17 @@ install bluetooth /bin/false
 install btusb /bin/false
 
 # Blacklist thunderbolt and firewire to prevent some DMA attacks.
-install firewire-core /bin/false
 install thunderbolt /bin/false
+install firewire-core /bin/false
+install firewire_core /bin/false
+install firewire-ohci /bin/false
+install firewire_ohci /bin/false
+install ohci1394 /bin/false
+install sbp2 /bin/false
+install dv1394 /bin/false
+install raw1394 /bin/false
+install video1394 /bin/false
+install firewire-sbp2 /bin/false
 
 # Blacklist CPU MSRs as they can be abused to write to
 # arbitrary memory.
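Review bot: `firewire-core`/`firewire_core` and `firewire-ohci`/`firewire_ohci` in the added firewire block are the same modules spelled twice, since kmod normalises dashes to underscores when it parses modprobe.d (as far as I recall its config parser), so half of the new lines are redundant and a reader may take the list as the exhaustive set of drivers. Keeping one spelling per module with a comment such as `# modprobe treats '-' and '_' as equivalent, so one spelling per module is enough` avoids the confusion. The comment above the block should also say that an `install ... /bin/false` line only intercepts loading through modprobe: a driver that is built into the kernel, already loaded, or loaded with `insmod` is unaffected, and nothing here unloads anything. If the initramfs does not carry this file, udev can load the DMA-capable drivers before the root file system is mounted; I have not checked whether this package triggers an initramfs rebuild, so please verify.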
@@ -47,10 +56,22 @@ install p8022 /bin/false
 install can /bin/false
 install atm /bin/false
 
-# Disable uncommon filesystems to reduce attack surface
+# Disable uncommon file systems to reduce attack surface
 install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+install hfs /bin/false
+install hfsplus /bin/false
 install udf /bin/false
 
+# Disable uncommon network filesystems to reduce attack surface
+install cifs /bin/false
+install nfs /bin/false
+install nfsv3 /bin/false
+install nfsv4 /bin/false
+install ksmbd /bin/false
+install gfs2 /bin/false
+
 ## Blacklists the vivid kernel module as it's only required for
 ## testing and has been the cause of multiple vulnerabilities.
 ##
@@ -58,3 +79,11 @@ install udf /bin/false
 ## https://www.openwall.com/lists/oss-security/2019/11/02/1
 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 install vivid /bin/false
+
+# Disable CD-ROM
+install cdrom /bin/false
+install sr_mod /bin/false
+
+# Disable Intel Management Engine (ME) interface with OS
+install mei /bin/false
+install mei-me /bin/false

From f0511635a9725f79863c41a7b8d9f8a077ba8788 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 7 Jul 2022 09:27:53 +0000
Subject: [PATCH 03/27] replace /bin/false -> /bin/true

---
 etc/modprobe.d/30_security-misc.conf | 100 +++++++++++++--------------
 1 file changed, 50 insertions(+), 50 deletions(-)

diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 03d902e..3d87d2a 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
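Review bot: The comment `# Disable Intel Management Engine (ME) interface with OS` reads as if the ME itself were being disabled, but the two `install` lines only keep the host-side `mei`/`mei-me` driver (the `/dev/mei*` interface) from loading; the ME firmware keeps running with its own access to the platform regardless of what the OS loads. I would make that explicit so nobody relies on it, e.g. `# Blacklist the host-side driver for the Intel ME interface (/dev/mei*); this does not disable the ME itself`, and use the same wording wherever the feature is described to users. If memory serves there is also a `mei_txe` variant of the driver for Atom-class platforms; worth checking before treating the pair as complete coverage. The CD-ROM and MEI lines are appended at the end of the file, so there is nothing after them to see here.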
@@ -8,25 +8,25 @@ options nf_conntrack nf_conntrack_helper=0
 # Bluetooth also has a history of security vulnerabilities:
 #
 # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
-install bluetooth /bin/false
-install btusb /bin/false
+install bluetooth /bin/true
+install btusb /bin/true
 
 # Blacklist thunderbolt and firewire to prevent some DMA attacks.
-install thunderbolt /bin/false
-install firewire-core /bin/false
-install firewire_core /bin/false
-install firewire-ohci /bin/false
-install firewire_ohci /bin/false
-install ohci1394 /bin/false
-install sbp2 /bin/false
-install dv1394 /bin/false
-install raw1394 /bin/false
-install video1394 /bin/false
-install firewire-sbp2 /bin/false
+install thunderbolt /bin/true
+install firewire-core /bin/true
+install firewire_core /bin/true
+install firewire-ohci /bin/true
+install firewire_ohci /bin/true
+install ohci1394 /bin/true
+install sbp2 /bin/true
+install dv1394 /bin/true
+install raw1394 /bin/true
+install video1394 /bin/true
+install firewire-sbp2 /bin/true
 
 # Blacklist CPU MSRs as they can be abused to write to
 # arbitrary memory.
-install msr /bin/false
+install msr /bin/true
 
 # Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
 #
@@ -36,41 +36,41 @@ install msr /bin/false
 #
 # > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
 #
-install dccp /bin/false
-install sctp /bin/false
-install rds /bin/false
-install tipc /bin/false
-install n-hdlc /bin/false
-install ax25 /bin/false
-install netrom /bin/false
-install x25 /bin/false
-install rose /bin/false
-install decnet /bin/false
-install econet /bin/false
-install af_802154 /bin/false
-install ipx /bin/false
-install appletalk /bin/false
-install psnap /bin/false
-install p8023 /bin/false
-install p8022 /bin/false
-install can /bin/false
-install atm /bin/false
+install dccp /bin/true
+install sctp /bin/true
+install rds /bin/true
+install tipc /bin/true
+install n-hdlc /bin/true
+install ax25 /bin/true
+install netrom /bin/true
+install x25 /bin/true
+install rose /bin/true
+install decnet /bin/true
+install econet /bin/true
+install af_802154 /bin/true
+install ipx /bin/true
+install appletalk /bin/true
+install psnap /bin/true
+install p8023 /bin/true
+install p8022 /bin/true
+install can /bin/true
+install atm /bin/true
 
 # Disable uncommon file systems to reduce attack surface
-install cramfs /bin/false
-install freevxfs /bin/false
-install jffs2 /bin/false
-install hfs /bin/false
-install hfsplus /bin/false
-install udf /bin/false
+install cramfs /bin/true
+install freevxfs /bin/true
+install jffs2 /bin/true
+install hfs /bin/true
+install hfsplus /bin/true
+install udf /bin/true
 
 # Disable uncommon network filesystems to reduce attack surface
-install cifs /bin/false
-install nfs /bin/false
-install nfsv3 /bin/false
-install nfsv4 /bin/false
-install ksmbd /bin/false
-install gfs2 /bin/false
+install cifs /bin/true
+install nfs /bin/true
+install nfsv3 /bin/true
+install nfsv4 /bin/true
+install ksmbd /bin/true
+install gfs2 /bin/true
 
 ## Blacklists the vivid kernel module as it's only required for
 ## testing and has been the cause of multiple vulnerabilities.
@@ -78,12 +78,12 @@ install gfs2 /bin/false
 ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
 ## https://www.openwall.com/lists/oss-security/2019/11/02/1
 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
-install vivid /bin/false
+install vivid /bin/true
 
 # Disable CD-ROM
-install cdrom /bin/false
-install sr_mod /bin/false
+install cdrom /bin/true
+install sr_mod /bin/true
 
 # Disable Intel Management Engine (ME) interface with OS
-install mei /bin/false
-install mei-me /bin/false
+install mei /bin/true
+install mei-me /bin/true

From 28381e81d4a57c59929a37745fa8ba5f3e0b25cb Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 7 Jul 2022 09:28:30 +0000
Subject: [PATCH 04/27] Update README.md

---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index d7c9ea4..0b016ed 100644
--- a/README.md
+++ b/README.md
@@ -149,6 +149,11 @@ of multiple vulnerabilities so it is blacklisted.
 * The MSR kernel module is blacklisted to prevent CPU MSRs from being
 abused to write to arbitrary memory.
 
+* Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches.
+
+* Disables the use of CD-ROM devices by default.
+
+* Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS.
 ### Other
 
 * A systemd service clears the System.map file on boot as these contain kernel

From da389d6682f6eb1d0c0172c50a4b529152384415 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 8 Jul 2022 02:12:04 +1000
Subject: [PATCH 05/27] Revert "replace /bin/false -> /bin/true"

This reverts commit f0511635a9725f79863c41a7b8d9f8a077ba8788.
---
 etc/modprobe.d/30_security-misc.conf | 100 +++++++++++++--------------
 1 file changed, 50 insertions(+), 50 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 3d87d2a..03d902e 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -8,25 +8,25 @@ options nf_conntrack nf_conntrack_helper=0
 # Bluetooth also has a history of security vulnerabilities:
 #
 # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
-install bluetooth /bin/true
-install btusb /bin/true
+install bluetooth /bin/false
+install btusb /bin/false
 
 # Blacklist thunderbolt and firewire to prevent some DMA attacks.
-install thunderbolt /bin/true
-install firewire-core /bin/true
-install firewire_core /bin/true
-install firewire-ohci /bin/true
-install firewire_ohci /bin/true
-install ohci1394 /bin/true
-install sbp2 /bin/true
-install dv1394 /bin/true
-install raw1394 /bin/true
-install video1394 /bin/true
-install firewire-sbp2 /bin/true
+install thunderbolt /bin/false
+install firewire-core /bin/false
+install firewire_core /bin/false
+install firewire-ohci /bin/false
+install firewire_ohci /bin/false
+install ohci1394 /bin/false
+install sbp2 /bin/false
+install dv1394 /bin/false
+install raw1394 /bin/false
+install video1394 /bin/false
+install firewire-sbp2 /bin/false
 
 # Blacklist CPU MSRs as they can be abused to write to
 # arbitrary memory.
-install msr /bin/true
+install msr /bin/false
 
 # Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
 #
@@ -36,41 +36,41 @@ install msr /bin/true
 #
 # > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
 #
-install dccp /bin/true
-install sctp /bin/true
-install rds /bin/true
-install tipc /bin/true
-install n-hdlc /bin/true
-install ax25 /bin/true
-install netrom /bin/true
-install x25 /bin/true
-install rose /bin/true
-install decnet /bin/true
-install econet /bin/true
-install af_802154 /bin/true
-install ipx /bin/true
-install appletalk /bin/true
-install psnap /bin/true
-install p8023 /bin/true
-install p8022 /bin/true
-install can /bin/true
-install atm /bin/true
+install dccp /bin/false
+install sctp /bin/false
+install rds /bin/false
+install tipc /bin/false
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
 
 # Disable uncommon file systems to reduce attack surface
-install cramfs /bin/true
-install freevxfs /bin/true
-install jffs2 /bin/true
-install hfs /bin/true
-install hfsplus /bin/true
-install udf /bin/true
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+install hfs /bin/false
+install hfsplus /bin/false
+install udf /bin/false
 
 # Disable uncommon network filesystems to reduce attack surface
-install cifs /bin/true
-install nfs /bin/true
-install nfsv3 /bin/true
-install nfsv4 /bin/true
-install ksmbd /bin/true
-install gfs2 /bin/true
+install cifs /bin/false
+install nfs /bin/false
+install nfsv3 /bin/false
+install nfsv4 /bin/false
+install ksmbd /bin/false
+install gfs2 /bin/false
 
 ## Blacklists the vivid kernel module as it's only required for
 ## testing and has been the cause of multiple vulnerabilities.
@@ -78,12 +78,12 @@ install gfs2 /bin/true
 ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
 ## https://www.openwall.com/lists/oss-security/2019/11/02/1
 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
-install vivid /bin/true
+install vivid /bin/false
 
 # Disable CD-ROM
-install cdrom /bin/true
-install sr_mod /bin/true
+install cdrom /bin/false
+install sr_mod /bin/false
 
 # Disable Intel Management Engine (ME) interface with OS
-install mei /bin/true
-install mei-me /bin/true
+install mei /bin/false
+install mei-me /bin/false

From fa2e30f5125e438250acfdc52107a936ecb7b1b4 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 8 Jul 2022 03:04:37 +1000
Subject: [PATCH 06/27] Updated descriptions of disabled modules

---
 etc/modprobe.d/30_security-misc.conf | 38 +++++++++++++++-------------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 03d902e..422fcd0 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -1,17 +1,20 @@
 ## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## https://phabricator.whonix.org/T486
+# See the following links for a community discussion and overview regarding the selections
+# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+# Blacklist automatic conntrack helper assignment
+# https://phabricator.whonix.org/T486
 options nf_conntrack nf_conntrack_helper=0
 
-# Blacklists bluetooth to reduce attack surface.
-# Bluetooth also has a history of security vulnerabilities:
-#
+# Blacklist bluetooth to reduce attack surface due to extended history of security vulnerabilities
 # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 install bluetooth /bin/false
 install btusb /bin/false
 
-# Blacklist thunderbolt and firewire to prevent some DMA attacks.
+# Blacklist thunderbolt and firewire modules to prevent some DMA attacks
 install thunderbolt /bin/false
 install firewire-core /bin/false
 install firewire_core /bin/false
@@ -24,11 +27,10 @@ install raw1394 /bin/false
 install video1394 /bin/false
 install firewire-sbp2 /bin/false
 
-# Blacklist CPU MSRs as they can be abused to write to
-# arbitrary memory.
+# Blacklist CPU MSRs as they can be abused to write to arbitrary memory.
 install msr /bin/false
 
-# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
+# Blacklists unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
 #
 # Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
 #
@@ -56,7 +58,7 @@ install p8022 /bin/false
 install can /bin/false
 install atm /bin/false
 
-# Disable uncommon file systems to reduce attack surface
+# Blacklist uncommon file systems to reduce attack surface
 install cramfs /bin/false
 install freevxfs /bin/false
 install jffs2 /bin/false
@@ -64,7 +66,7 @@ install hfs /bin/false
 install hfsplus /bin/false
 install udf /bin/false
 
-# Disable uncommon network filesystems to reduce attack surface
+# Blacklist uncommon network file systems to reduce attack surface
 install cifs /bin/false
 install nfs /bin/false
 install nfsv3 /bin/false
@@ -72,18 +74,18 @@ install nfsv4 /bin/false
 install ksmbd /bin/false
 install gfs2 /bin/false
 
-## Blacklists the vivid kernel module as it's only required for
-## testing and has been the cause of multiple vulnerabilities.
-##
-## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
-## https://www.openwall.com/lists/oss-security/2019/11/02/1
-## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
+# Blacklists the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
+# https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
+# https://www.openwall.com/lists/oss-security/2019/11/02/1
+# https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 install vivid /bin/false
 
-# Disable CD-ROM
+# Blacklist CD-ROM devices
+# https://nvd.nist.gov/vuln/detail/CVE-2018-11506
 install cdrom /bin/false
 install sr_mod /bin/false
 
-# Disable Intel Management Engine (ME) interface with OS
+# Blacklist Intel Management Engine (ME) interface with the OS
+# https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
 install mei /bin/false
 install mei-me /bin/false

From 780dc8eec99915a7466249e219ad59c5db5f0364 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 8 Jul 2022 04:11:25 +1000
Subject: [PATCH 07/27] replace /bin/false -> /bin/disabled-by-security-misc

---
 etc/modprobe.d/30_security-misc.conf | 100 +++++++++++++--------------
 usr/bin/disabled-by-security-misc | 10 +++
 2 files changed, 60 insertions(+), 50 deletions(-)
 create mode 100755 usr/bin/disabled-by-security-misc

diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index 422fcd0..a855e79 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -11,24 +11,24 @@ options nf_conntrack nf_conntrack_helper=0
 
 # Blacklist bluetooth to reduce attack surface due to extended history of security vulnerabilities
 # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
-install bluetooth /bin/false
-install btusb /bin/false
+install bluetooth /bin/disabled-by-security-misc
+install btusb /bin/disabled-by-security-misc
 
 # Blacklist thunderbolt and firewire modules to prevent some DMA attacks
-install thunderbolt /bin/false
-install firewire-core /bin/false
-install firewire_core /bin/false
-install firewire-ohci /bin/false
-install firewire_ohci /bin/false
-install ohci1394 /bin/false
-install sbp2 /bin/false
-install dv1394 /bin/false
-install raw1394 /bin/false
-install video1394 /bin/false
-install firewire-sbp2 /bin/false
+install thunderbolt /bin/disabled-by-security-misc
+install firewire-core /bin/disabled-by-security-misc
+install firewire_core /bin/disabled-by-security-misc
+install firewire-ohci /bin/disabled-by-security-misc
+install firewire_ohci /bin/disabled-by-security-misc
+install ohci1394 /bin/disabled-by-security-misc
+install sbp2 /bin/disabled-by-security-misc
+install dv1394 /bin/disabled-by-security-misc
+install raw1394 /bin/disabled-by-security-misc
+install video1394 /bin/disabled-by-security-misc
+install firewire-sbp2 /bin/disabled-by-security-misc
 
 # Blacklist CPU MSRs as they can be abused to write to arbitrary memory.
-install msr /bin/false
+install msr /bin/disabled-by-security-misc
 
 # Blacklists unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
 #
@@ -38,54 +38,54 @@ install msr /bin/false
 #
 # > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
 #
-install dccp /bin/false
-install sctp /bin/false
-install rds /bin/false
-install tipc /bin/false
-install n-hdlc /bin/false
-install ax25 /bin/false
-install netrom /bin/false
-install x25 /bin/false
-install rose /bin/false
-install decnet /bin/false
-install econet /bin/false
-install af_802154 /bin/false
-install ipx /bin/false
-install appletalk /bin/false
-install psnap /bin/false
-install p8023 /bin/false
-install p8022 /bin/false
-install can /bin/false
-install atm /bin/false
+install dccp /bin/disabled-by-security-misc
+install sctp /bin/disabled-by-security-misc
+install rds /bin/disabled-by-security-misc
+install tipc /bin/disabled-by-security-misc
+install n-hdlc /bin/disabled-by-security-misc
+install ax25 /bin/disabled-by-security-misc
+install netrom /bin/disabled-by-security-misc
+install x25 /bin/disabled-by-security-misc
+install rose /bin/disabled-by-security-misc
+install decnet /bin/disabled-by-security-misc
+install econet /bin/disabled-by-security-misc
+install af_802154 /bin/disabled-by-security-misc
+install ipx /bin/disabled-by-security-misc
+install appletalk /bin/disabled-by-security-misc
+install psnap /bin/disabled-by-security-misc
+install p8023 /bin/disabled-by-security-misc
+install p8022 /bin/disabled-by-security-misc
+install can /bin/disabled-by-security-misc
+install atm /bin/disabled-by-security-misc
 
 # Blacklist uncommon file systems to reduce attack surface
-install cramfs /bin/false
-install freevxfs /bin/false
-install jffs2 /bin/false
-install hfs /bin/false
-install hfsplus /bin/false
-install udf /bin/false
+install cramfs /bin/disabled-by-security-misc
+install freevxfs /bin/disabled-by-security-misc
+install jffs2 /bin/disabled-by-security-misc
+install hfs /bin/disabled-by-security-misc
+install hfsplus /bin/disabled-by-security-misc
+install udf /bin/disabled-by-security-misc
 
 # Blacklist uncommon network file systems to reduce attack surface
-install cifs /bin/false
-install nfs /bin/false
-install nfsv3 /bin/false
-install nfsv4 /bin/false
-install ksmbd /bin/false
-install gfs2 /bin/false
+install cifs /bin/disabled-by-security-misc
+install nfs /bin/disabled-by-security-misc
+install nfsv3 /bin/disabled-by-security-misc
+install nfsv4 /bin/disabled-by-security-misc
+install ksmbd /bin/disabled-by-security-misc
+install gfs2 /bin/disabled-by-security-misc
 
 # Blacklists the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
 # https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
 # https://www.openwall.com/lists/oss-security/2019/11/02/1
 # https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
-install vivid /bin/false
+install vivid /bin/disabled-by-security-misc
 
 # Blacklist CD-ROM devices
 # https://nvd.nist.gov/vuln/detail/CVE-2018-11506
-install cdrom /bin/false
-install sr_mod /bin/false
+install cdrom /bin/disabled-by-security-misc
+install sr_mod /bin/disabled-by-security-misc
 
 # Blacklist Intel Management Engine (ME) interface with the OS
 # https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
-install mei /bin/false
-install mei-me /bin/false
+install mei /bin/disabled-by-security-misc
+install mei-me /bin/disabled-by-security-misc
diff --git a/usr/bin/disabled-by-security-misc b/usr/bin/disabled-by-security-misc
new file mode 100755
index 0000000..9d11c80
--- /dev/null
+++ b/usr/bin/disabled-by-security-misc
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1

From ca19d78d48ca88f5b00dcceb18ac4803c7893ca4 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 7 Jul 2022 15:27:15 -0400
Subject: [PATCH 08/27] shuffle

---
 etc/modprobe.d/30_security-misc.conf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index a855e79..c8851dd 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -80,12 +80,12 @@ install gfs2 /bin/disabled-by-security-misc
 # https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 install vivid /bin/disabled-by-security-misc
 
-# Blacklist CD-ROM devices
-# https://nvd.nist.gov/vuln/detail/CVE-2018-11506
-install cdrom /bin/disabled-by-security-misc
-install sr_mod /bin/disabled-by-security-misc
-
 # Blacklist Intel Management Engine (ME) interface with the OS
 # https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
 install mei /bin/disabled-by-security-misc
 install mei-me /bin/disabled-by-security-misc
+
+# Blacklist CD-ROM devices
+# https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+install cdrom /bin/disabled-by-security-misc
+install sr_mod /bin/disabled-by-security-misc

From d5c16503411bee4199c35a51226fc59924d6e142 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 7 Jul 2022 15:28:09 -0400
Subject: [PATCH 09/27] shuffle

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 0b016ed..753d6aa 100644
--- a/README.md
+++ b/README.md
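Review bot: The message printed by the `echo` line cannot tell the user which module was refused, because the `install` lines pass no arguments, so `args: $@` is always empty. libkmod exports the module name to an install command as `MODPROBE_MODULE` in its environment (if I remember its command runner correctly — please verify against the kmod version shipped), so `echo "$0: ERROR: kernel module '${MODPROBE_MODULE:-unknown}' is disabled by package security-misc by default. See /etc/modprobe.d/30_security-misc.conf" >&2` would name it in the log. As a matter of style, `$@` inside a larger double-quoted string is better written `$*`, and `printf '%s\n'` is the safer form for a message that interpolates `$0`. Keeping `exit 1` is important: a zero status, as with the `/bin/true` variant tried earlier in this series, would make modprobe report success for a module that was never loaded.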
@@ -151,9 +151,10 @@ abused to write to arbitrary memory.
 
 * Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches.
 
+* Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS.
+
 * Disables the use of CD-ROM devices by default.
 
-* Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS.
 ### Other
 
 * A systemd service clears the System.map file on boot as these contain kernel

From 26b2c9727f5ba6f78f5cd10c28c3561a97c81be9 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 7 Jul 2022 15:39:40 -0400
Subject: [PATCH 10/27] not blacklist CD-ROM / DVD yet

https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
---
 README.md | 2 +-
 etc/modprobe.d/30_security-misc.conf | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 753d6aa..039c9c4 100644
--- a/README.md
+++ b/README.md
@@ -153,7 +153,7 @@ abused to write to arbitrary memory.
 
 * Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS.
 
-* Disables the use of CD-ROM devices by default.
+* Not enabled by default yet, comment only: Disables the use of CD-ROM devices by default.
 
 ### Other
 
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index c8851dd..42da9b5 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -87,5 +87,6 @@ install mei-me /bin/disabled-by-security-misc
 
 # Blacklist CD-ROM devices
 # https://nvd.nist.gov/vuln/detail/CVE-2018-11506
-install cdrom /bin/disabled-by-security-misc
-install sr_mod /bin/disabled-by-security-misc
+# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+#install cdrom /bin/disabled-by-security-misc
+#install sr_mod /bin/disabled-by-security-misc

From eb8535fe870e79a5c818a38c414147819d32346d Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 7 Jul 2022 15:48:39 -0400
Subject: [PATCH 11/27] renamed: usr/bin/disabled-by-security-misc -> bin/disabled-by-security-misc

---
 {usr/bin => bin}/disabled-by-security-misc | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {usr/bin => bin}/disabled-by-security-misc (100%)

diff --git a/usr/bin/disabled-by-security-misc b/bin/disabled-by-security-misc
similarity index 100%
rename from usr/bin/disabled-by-security-misc
rename to bin/disabled-by-security-misc

From 277749f27b2da8d33b70fb6f88c6757fab77e636 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 7 Jul 2022 15:49:08 -0400
Subject: [PATCH 12/27] genmkfile debinstfile

---
 debian/security-misc.install | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/security-misc.install b/debian/security-misc.install
index 7445979..0d542c6 100644
--- a/debian/security-misc.install
+++ b/debian/security-misc.install
@@ -1,8 +1,9 @@
 ## Copyright (C) 2020 - 2022 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## This file was generated using genmkfile 'make debinstfile'.
+## This file was generated using 'genmkfile debinstfile'.
 
+bin/*
 etc/*
 lib/*
 usr/*

From 1b8500cc22fdd6a51ec66ae1b04abccb9a529150 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 7 Jul 2022 17:41:13 -0400
Subject: [PATCH 13/27] bumped changelog version

---
 changelog.upstream | 83 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++
 2 files changed, 89 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 3776ec7..aa58569 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,86 @@ +commit 277749f27b2da8d33b70fb6f88c6757fab77e636 +Author: Patrick Schleizer +Date: Thu Jul 7 15:49:08 2022 -0400 + + genmkfile debinstfile + +commit eb8535fe870e79a5c818a38c414147819d32346d +Author: Patrick Schleizer +Date: Thu Jul 7 15:48:39 2022 -0400 + + renamed: usr/bin/disabled-by-security-misc -> bin/disabled-by-security-misc + +commit 26b2c9727f5ba6f78f5cd10c28c3561a97c81be9 +Author: Patrick Schleizer +Date: Thu Jul 7 15:39:40 2022 -0400 + + not blacklist CD-ROM / DVD yet + + https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 + +commit d5c16503411bee4199c35a51226fc59924d6e142 +Author: Patrick Schleizer +Date: Thu Jul 7 15:28:09 2022 -0400 + + shuffle + +commit ca19d78d48ca88f5b00dcceb18ac4803c7893ca4 +Author: Patrick Schleizer +Date: Thu Jul 7 15:27:15 2022 -0400 + + shuffle + +commit d018bdaf73e109a61c0687a171af843c890729e0 +Merge: 1b287a6 780dc8e +Author: Patrick Schleizer +Date: Thu Jul 7 15:26:08 2022 -0400 + + Merge remote-tracking branch 'raja-gerwal/master' + +commit 780dc8eec99915a7466249e219ad59c5db5f0364 +Author: Raja Grewal +Date: Fri Jul 8 04:11:25 2022 +1000 + + replace /bin/false -> /bin/disabled-by-security-misc + +commit fa2e30f5125e438250acfdc52107a936ecb7b1b4 +Author: Raja Grewal +Date: Fri Jul 8 03:04:37 2022 +1000 + + Updated descriptions of disabled modules + +commit da389d6682f6eb1d0c0172c50a4b529152384415 +Author: Raja Grewal +Date: Fri Jul 8 02:12:04 2022 +1000 + + Revert "replace /bin/false -> /bin/true" + + This reverts commit f0511635a9725f79863c41a7b8d9f8a077ba8788. 
+ +commit 28381e81d4a57c59929a37745fa8ba5f3e0b25cb +Author: raja-grewal +Date: Thu Jul 7 09:28:30 2022 +0000 + + Update README.md + +commit f0511635a9725f79863c41a7b8d9f8a077ba8788 +Author: raja-grewal +Date: Thu Jul 7 09:27:53 2022 +0000 + + replace /bin/false -> /bin/true + +commit 18d67dbc5309a2403bece92881e671f46dc27f86 +Author: raja-grewal +Date: Thu Jul 7 09:26:55 2022 +0000 + + Blacklist more modules + +commit 1b287a6430527c762f9bf909bcda58ab52041668 +Author: Patrick Schleizer +Date: Tue Jul 5 11:16:33 2022 -0400 + + bumped changelog version + commit 92ff868ecefed4377c5f1e99eb5e5eecbb021564 Author: Patrick Schleizer Date: Tue Jul 5 11:05:36 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 77c7ca1..9cfe180 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:25.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 07 Jul 2022 21:41:13 +0000 + security-misc (3:25.0-1) unstable; urgency=medium * New upstream version (local package). From fede41e6e03c33f2f6569f03593f76edb9969e6a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:38:04 -0400 Subject: [PATCH 14/27] fix --- usr/libexec/security-misc/hide-hardware-info | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 30c2db8..4e7fd0e 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -93,9 +93,9 @@ if [ -d /sys/fs/selinux ]; then for i in /sys/* /sys/fs/* do if [ "${sysfs_whitelist}" = "1" ]; then - chmod o-rwx "${i}" || continue + chmod o-rwx "${i}" || true else - chmod og-rwx "${i}" || continue + chmod og-rwx "${i}" || true fi done chmod o+rx /sys /sys/fs /sys/fs/selinux From 1df2cfd1add8b2277cb37499ced4fbb713c17668 Mon Sep 17 00:00:00 2001 
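Review bot: `chmod o-rwx "${i}" || true` and its `og-rwx` twin now swallow a failed permission change with no output at all, so a sysfs entry that stays world-readable after this hardening step is invisible in the script's output and in the boot log. The replaced `|| continue` appears to have behaved identically here, since the `chmod` is the last statement of the loop body, so the real gap is the silence rather than the control flow; a short report before moving on closes it, e.g. `chmod o-rwx "${i}" || echo "WARNING: chmod o-rwx ${i} failed" >&2`, and likewise in the `og-rwx` branch. The enclosing `if [ "${selinux}" = "1" ]` block starts and ends outside the hunk.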
From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:38:37 -0400 Subject: [PATCH 15/27] comment --- usr/libexec/security-misc/hide-hardware-info | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 4e7fd0e..b603631 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -92,6 +92,8 @@ if [ -d /sys/fs/selinux ]; then ## what is needed for i in /sys/* /sys/fs/* do + ## Using '|| true': + ## https://github.com/Kicksecure/security-misc/pull/108 if [ "${sysfs_whitelist}" = "1" ]; then chmod o-rwx "${i}" || true else From adfdac6dea0e8f971c59557b383d116cd51619fd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:40:01 -0400 Subject: [PATCH 16/27] output --- usr/libexec/security-misc/hide-hardware-info | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index b603631..ba65b30 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -80,13 +80,12 @@ do fi done -## https://www.whonix.org/wiki/Security-misc#selinux -## ## on SELinux systems, at least /sys/fs/selinux ## must be visible to unprivileged users, else ## SELinux userspace utilities will not function ## properly if [ -d /sys/fs/selinux ]; then + echo "INFO: https://www.whonix.org/wiki/Security-misc#selinux" if [ "${selinux}" = "1" ]; then ## restrict permissions on everything but ## what is needed From 73d2c9d921c5c75ef3cca5461acc350c648f26d2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:40:15 -0400 Subject: [PATCH 17/27] output --- usr/libexec/security-misc/hide-hardware-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index ba65b30..726c002 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -85,7 +85,7 @@ done ## SELinux userspace utilities will not function ## properly if [ -d /sys/fs/selinux ]; then - echo "INFO: https://www.whonix.org/wiki/Security-misc#selinux" + echo "INFO: https://www.kicksecure.com/wiki/Security-misc#selinux" if [ "${selinux}" = "1" ]; then ## restrict permissions on everything but ## what is needed From 3b844eaab25fecf90292c88291be77abf0be694c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:42:11 -0400 Subject: [PATCH 18/27] output --- usr/libexec/security-misc/hide-hardware-info | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 726c002..6719b37 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -85,7 +85,8 @@ done ## SELinux userspace utilities will not function ## properly if [ -d /sys/fs/selinux ]; then - echo "INFO: https://www.kicksecure.com/wiki/Security-misc#selinux" + echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" + echo "https://www.kicksecure.com/wiki/Security-misc#selinux" if [ "${selinux}" = "1" ]; then ## restrict permissions on everything but ## what is needed From 6aa9a9472f10d4d6270dd59fbcd94d9001aca9e6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 9 Jul 2022 11:42:24 -0400 Subject: [PATCH 19/27] bumped changelog version --- changelog.upstream | 58 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 64 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index aa58569..16be21f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,55 @@ +commit 3b844eaab25fecf90292c88291be77abf0be694c +Author: Patrick Schleizer +Date: Sat Jul 9 11:42:11 2022 -0400 + + output + +commit 73d2c9d921c5c75ef3cca5461acc350c648f26d2 +Author: Patrick Schleizer +Date: Sat Jul 9 11:40:15 2022 -0400 + + output + +commit adfdac6dea0e8f971c59557b383d116cd51619fd +Author: Patrick Schleizer +Date: Sat Jul 9 11:40:01 2022 -0400 + + output + +commit 1df2cfd1add8b2277cb37499ced4fbb713c17668 +Author: Patrick Schleizer +Date: Sat Jul 9 11:38:37 2022 -0400 + + comment + +commit fede41e6e03c33f2f6569f03593f76edb9969e6a +Author: Patrick Schleizer +Date: Sat Jul 9 11:38:04 2022 -0400 + + fix + +commit 52c46e4706d5799d452f260616a3909c9a3bc78f +Merge: 1b8500c dc41a58 +Author: Patrick Schleizer +Date: Sat Jul 9 11:37:41 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit dc41a58102a114e21209aabeef9ad6b851365898 +Merge: 1b8500c e5f8004 +Author: Patrick Schleizer +Date: Sat Jul 9 11:37:57 2022 -0400 + + Merge pull request #108 from Krish-sysadmin/master + + Continue for loop if unable to change one directory's permission + +commit 1b8500cc22fdd6a51ec66ae1b04abccb9a529150 +Author: Patrick Schleizer +Date: Thu Jul 7 17:41:13 2022 -0400 + + bumped changelog version + commit 277749f27b2da8d33b70fb6f88c6757fab77e636 Author: Patrick Schleizer Date: Thu Jul 7 15:49:08 2022 -0400 @@ -135,6 +187,12 @@ Date: Tue Jul 5 10:28:22 2022 -0400 add `/etc/default/grub.d/40_cold_boot_attack_defense.cfg` +commit e5f8004a9401727f1be2db492ea756bc19090866 +Author: Krish-sysadmin +Date: Tue Jul 5 03:37:40 2022 +0200 + + Update hide-hardware-info + commit 69af8be7b80dcc30e3a5d1b0a1d1aa198528b876 Author: Patrick Schleizer Date: Sat Jul 2 19:10:55 2022 -0400 diff --git a/debian/changelog b/debian/changelog index 9cfe180..e1fa1be 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:25.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 09 Jul 2022 15:42:24 +0000 + security-misc (3:25.1-1) unstable; urgency=medium * New upstream version (local package). From 61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 10 Jul 2022 04:52:00 +1000 Subject: [PATCH 20/27] =?UTF-8?q?Incorporated=20Ubuntu=E2=80=99s=20kernel?= =?UTF-8?q?=20module=20blacklists?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- etc/modprobe.d/30_security-misc.conf | 76 ++++++++++++++++++++++++---- 1 file changed, 65 insertions(+), 11 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 42da9b5..2b6894a 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -5,32 +5,33 @@ # https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules -# Blacklist automatic conntrack helper assignment +# Disable automatic conntrack helper assignment # https://phabricator.whonix.org/T486 options nf_conntrack nf_conntrack_helper=0 -# Blacklist bluetooth to reduce attack surface due to extended history of security vulnerabilities +# Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns install bluetooth /bin/disabled-by-security-misc install btusb /bin/disabled-by-security-misc -# Blacklist thunderbolt and firewire modules to prevent some DMA attacks +# Disable thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /bin/disabled-by-security-misc install firewire-core /bin/disabled-by-security-misc install firewire_core /bin/disabled-by-security-misc install firewire-ohci /bin/disabled-by-security-misc install firewire_ohci /bin/disabled-by-security-misc +install firewire_sbp2 /bin/disabled-by-security-misc +install firewire-sbp2 /bin/disabled-by-security-misc install ohci1394 /bin/disabled-by-security-misc install sbp2 /bin/disabled-by-security-misc install dv1394 /bin/disabled-by-security-misc install raw1394 /bin/disabled-by-security-misc install video1394 /bin/disabled-by-security-misc -install firewire-sbp2 /bin/disabled-by-security-misc -# Blacklist CPU MSRs as they can be abused to write to arbitrary memory. +# Disable CPU MSRs as they can be abused to write to arbitrary memory. install msr /bin/disabled-by-security-misc -# Blacklists unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. 
# # Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. # @@ -58,7 +59,7 @@ install p8022 /bin/disabled-by-security-misc install can /bin/disabled-by-security-misc install atm /bin/disabled-by-security-misc -# Blacklist uncommon file systems to reduce attack surface +# Disable uncommon file systems to reduce attack surface install cramfs /bin/disabled-by-security-misc install freevxfs /bin/disabled-by-security-misc install jffs2 /bin/disabled-by-security-misc @@ -66,7 +67,7 @@ install hfs /bin/disabled-by-security-misc install hfsplus /bin/disabled-by-security-misc install udf /bin/disabled-by-security-misc -# Blacklist uncommon network file systems to reduce attack surface +# Disable uncommon network file systems to reduce attack surface install cifs /bin/disabled-by-security-misc install nfs /bin/disabled-by-security-misc install nfsv3 /bin/disabled-by-security-misc 
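Review bot: The rewritten line `+# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.` carries the misspelling `vulnerabilties` over from the removed line; since the line is being rewritten anyway, `vulnerabilities` is the cheap fix. The same sentence is rewritten once more in a later patch on this page and keeps the misspelling there as well.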
@@ -74,18 +75,71 @@ install nfsv4 /bin/disabled-by-security-misc install ksmbd /bin/disabled-by-security-misc install gfs2 /bin/disabled-by-security-misc -# Blacklists the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities +# Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities # https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 # https://www.openwall.com/lists/oss-security/2019/11/02/1 # https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 install vivid /bin/disabled-by-security-misc -# Blacklist Intel Management Engine (ME) interface with the OS +# Disable Intel Management Engine (ME) interface with the OS # https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html install mei /bin/disabled-by-security-misc install mei-me /bin/disabled-by-security-misc -# Blacklist CD-ROM devices +# Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver +# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +blacklist ath_pci + +# Blacklist automatic loading of miscellaneous modules +# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +blacklist evbug +blacklist usbmouse +blacklist usbkbd +blacklist eepro100 +blacklist de4x5 +blacklist eth1394 +blacklist snd_intel8x0m +blacklist snd_aw2 +blacklist prism54 +blacklist bcm43xx +blacklist garmin_gps +blacklist asus_acpi +blacklist snd_pcsp +blacklist pcspkr +blacklist amd76x_edac + +# Blacklist automatic loading of framebuffer drivers +# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +blacklist aty128fb +blacklist atyfb +# blacklist radeonfb +blacklist cirrusfb +blacklist cyber2000fb +blacklist cyblafb +blacklist gx1fb +blacklist hgafb +blacklist i810fb +# 
blacklist intelfb +blacklist kyrofb +blacklist lxfb +blacklist matroxfb_base +blacklist neofb +# blacklist nvidiafb +blacklist pm2fb +blacklist rivafb +blacklist s1d13xxxfb +blacklist savagefb +blacklist sisfb +blacklist sstfb +blacklist tdfxfb +blacklist tridentfb +# blacklist vesafb +blacklist vfb +blacklist viafb +blacklist vt8623fb +blacklist udlfb + +# Disable CD-ROM devices # https://nvd.nist.gov/vuln/detail/CVE-2018-11506 # https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 #install cdrom /bin/disabled-by-security-misc From ef1ef9917d896f1cd837f399def6a75704e9bfd2 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 10 Jul 2022 04:53:25 +1000 Subject: [PATCH 21/27] Blacklist automatic loading of CD-ROM modules --- etc/modprobe.d/30_security-misc.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 2b6894a..697057d 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -144,3 +144,5 @@ blacklist udlfb # https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 #install cdrom /bin/disabled-by-security-misc #install sr_mod /bin/disabled-by-security-misc +blacklist cdrom +blacklist sr_mod From 40ec791774f2a6ae7d42ccf2bfbe4a98a9963f08 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 12 Jul 2022 16:58:16 +1000 Subject: [PATCH 22/27] Updated comments --- etc/modprobe.d/30_security-misc.conf | 75 +++++++++++++--------------- 1 file changed, 36 insertions(+), 39 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 697057d..b6c8424 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
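Review bot: The new `blacklist` entries (from `blacklist ath_pci` through `blacklist udlfb`) work differently from the `install … /bin/disabled-by-security-misc` entries above them: `blacklist` only stops modprobe from auto-loading a module through its aliases, while an explicit `modprobe` or a dependency pull-in still loads it, so these lines do not "disable" anything in the sense the rest of the file uses. The Ubuntu files they are copied from appear to exist mainly to keep overlapping legacy drivers from being loaded for the same device rather than to reduce attack surface, and the comments do not say so. A header before the first `blacklist` group would keep the two mechanisms from being read as equivalent, e.g. `## 'blacklist' only prevents automatic (alias-based) loading; a module can still be loaded explicitly or as a dependency of another module.` The same point applies to `blacklist cdrom` / `blacklist sr_mod` added by the next patch's hunk on this line, where the heading still reads `Disable CD-ROM devices`.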
@@ -1,20 +1,20 @@ ## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -# See the following links for a community discussion and overview regarding the selections -# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 -# https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules +## See the following links for a community discussion and overview regarding the selections +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules -# Disable automatic conntrack helper assignment -# https://phabricator.whonix.org/T486 +## Disable automatic conntrack helper assignment +## https://phabricator.whonix.org/T486 options nf_conntrack nf_conntrack_helper=0 -# Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities -# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities +## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns install bluetooth /bin/disabled-by-security-misc install btusb /bin/disabled-by-security-misc -# Disable thunderbolt and firewire modules to prevent some DMA attacks +## Disable thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /bin/disabled-by-security-misc install firewire-core /bin/disabled-by-security-misc install firewire_core /bin/disabled-by-security-misc 
@@ -28,17 +28,14 @@ install dv1394 /bin/disabled-by-security-misc install raw1394 /bin/disabled-by-security-misc install video1394 /bin/disabled-by-security-misc -# Disable CPU MSRs as they can be abused to write to arbitrary memory. +## Disable CPU MSRs as they can be abused to write to arbitrary memory. +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode install msr /bin/disabled-by-security-misc -# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. -# -# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. -# -# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. -# -# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -# +## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. +## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. +## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. install dccp /bin/disabled-by-security-misc install sctp /bin/disabled-by-security-misc install rds /bin/disabled-by-security-misc 
@@ -59,7 +56,7 @@ install p8022 /bin/disabled-by-security-misc install can /bin/disabled-by-security-misc install atm /bin/disabled-by-security-misc -# Disable uncommon file systems to reduce attack surface +## Disable uncommon file systems to reduce attack surface install cramfs /bin/disabled-by-security-misc install freevxfs /bin/disabled-by-security-misc install jffs2 /bin/disabled-by-security-misc @@ -67,7 +64,7 @@ install hfs /bin/disabled-by-security-misc install hfsplus /bin/disabled-by-security-misc install udf /bin/disabled-by-security-misc -# Disable uncommon network file systems to reduce attack surface +## Disable uncommon network file systems to reduce attack surface install cifs /bin/disabled-by-security-misc install nfs /bin/disabled-by-security-misc install nfsv3 /bin/disabled-by-security-misc 
@@ -75,23 +72,23 @@ install nfsv4 /bin/disabled-by-security-misc install ksmbd /bin/disabled-by-security-misc install gfs2 /bin/disabled-by-security-misc -# Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities -# https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -# https://www.openwall.com/lists/oss-security/2019/11/02/1 -# https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities +## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +## https://www.openwall.com/lists/oss-security/2019/11/02/1 +## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 install vivid /bin/disabled-by-security-misc -# Disable Intel Management Engine (ME) interface with the OS -# https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html +## Disable Intel Management Engine (ME) interface with the OS +## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html install mei /bin/disabled-by-security-misc install mei-me /bin/disabled-by-security-misc -# Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver -# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco blacklist ath_pci -# Blacklist automatic loading of miscellaneous modules -# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## Blacklist automatic loading of miscellaneous modules +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco blacklist evbug 
blacklist usbmouse blacklist usbkbd @@ -108,23 +105,23 @@ blacklist snd_pcsp blacklist pcspkr blacklist amd76x_edac -# Blacklist automatic loading of framebuffer drivers -# https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +## Blacklist automatic loading of framebuffer drivers +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco blacklist aty128fb blacklist atyfb -# blacklist radeonfb +#blacklist radeonfb blacklist cirrusfb blacklist cyber2000fb blacklist cyblafb blacklist gx1fb blacklist hgafb blacklist i810fb -# blacklist intelfb +#blacklist intelfb blacklist kyrofb blacklist lxfb -blacklist matroxfb_base +blacklist matroxfb_bases blacklist neofb -# blacklist nvidiafb +#blacklist nvidiafb blacklist pm2fb blacklist rivafb blacklist s1d13xxxfb @@ -133,15 +130,15 @@ blacklist sisfb blacklist sstfb blacklist tdfxfb blacklist tridentfb -# blacklist vesafb +#blacklist vesafb blacklist vfb blacklist viafb blacklist vt8623fb blacklist udlfb -# Disable CD-ROM devices -# https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -# https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 +## Disable CD-ROM devices +## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 #install cdrom /bin/disabled-by-security-misc #install sr_mod /bin/disabled-by-security-misc blacklist cdrom From 48089e5ba43b0b72449f888b98b63119ed57e2fd Mon Sep 17 00:00:00 2001 
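Review bot: `+blacklist matroxfb_bases` introduces a trailing `s` that nothing else in this comment-prefix commit explains; the removed line and the Ubuntu blacklist-framebuffer.conf it was copied from both read `matroxfb_base`, so unless a module by the new name exists this entry silently stops matching anything. Restore `blacklist matroxfb_base`. The other changes in the two hunks on this line only swap `# ` for `##` or `#` and look consistent.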
From: Raja Grewal Date: Tue, 12 Jul 2022 17:02:12 +1000 Subject: [PATCH 23/27] More verbose kernel module blocking error logs --- .../block-bluetooth | 10 ++ .../block-cdrom | 10 ++ .../block-filesys | 10 ++ .../block-firewire | 10 ++ .../block-intelme | 10 ++ .../block-msr | 10 ++ .../block-netfilesys | 10 ++ .../block-network | 10 ++ .../block-thunderbolt | 10 ++ .../block-vivid | 10 ++ etc/modprobe.d/30_security-misc.conf | 102 +++++++++--------- 11 files changed, 151 insertions(+), 51 deletions(-) create mode 100755 bin/disabled-module-by-security-misc/block-bluetooth create mode 100755 bin/disabled-module-by-security-misc/block-cdrom create mode 100755 bin/disabled-module-by-security-misc/block-filesys create mode 100755 bin/disabled-module-by-security-misc/block-firewire create mode 100755 bin/disabled-module-by-security-misc/block-intelme create mode 100755 bin/disabled-module-by-security-misc/block-msr create mode 100755 bin/disabled-module-by-security-misc/block-netfilesys create mode 100755 bin/disabled-module-by-security-misc/block-network create mode 100755 bin/disabled-module-by-security-misc/block-thunderbolt create mode 100755 bin/disabled-module-by-security-misc/block-vivid diff --git a/bin/disabled-module-by-security-misc/block-bluetooth b/bin/disabled-module-by-security-misc/block-bluetooth new file mode 100755 index 0000000..e708783 --- /dev/null +++ b/bin/disabled-module-by-security-misc/block-bluetooth @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 
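Review bot: `"… | args: $@"` embeds `$@` inside a larger double-quoted string, which expands word by word (ShellCheck SC2145); `echo` happens to re-join the words with spaces, but `$*` states the intent of one message and is the conventional form for a log line, e.g. `… | args: $*" >&2`. The same line is repeated in block-cdrom, block-filesys, block-firewire, block-intelme, block-msr, block-netfilesys, block-network, block-thunderbolt and block-vivid, which are byte-identical apart from one noun in the message; a single script that takes the category as an argument (the `install` command in modprobe.d may carry arguments) would avoid keeping ten copies in sync. A header comment naming who invokes the script (modprobe, via the `install` lines in `/etc/modprobe.d/30_security-misc.conf`) and why it exits non-zero would also help, since the current `## Alerts the user …` line describes only the echo.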
diff --git a/bin/disabled-module-by-security-misc/block-cdrom b/bin/disabled-module-by-security-misc/block-cdrom
new file mode 100755
index 0000000..5057e32
--- /dev/null
+++ b/bin/disabled-module-by-security-misc/block-cdrom
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1
diff --git a/bin/disabled-module-by-security-misc/block-filesys b/bin/disabled-module-by-security-misc/block-filesys
new file mode 100755
index 0000000..9050a8c
--- /dev/null
+++ b/bin/disabled-module-by-security-misc/block-filesys
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1
diff --git a/bin/disabled-module-by-security-misc/block-firewire b/bin/disabled-module-by-security-misc/block-firewire
new file mode 100755
index 0000000..5aa44e3
--- /dev/null
+++ b/bin/disabled-module-by-security-misc/block-firewire
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1
diff --git a/bin/disabled-module-by-security-misc/block-intelme b/bin/disabled-module-by-security-misc/block-intelme
new file mode 100755
index 0000000..9c8c96c
--- /dev/null
+++ b/bin/disabled-module-by-security-misc/block-intelme
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1
diff --git a/bin/disabled-module-by-security-misc/block-msr b/bin/disabled-module-by-security-misc/block-msr
new file mode 100755
index 0000000..3cf3937
--- /dev/null
+++ b/bin/disabled-module-by-security-misc/block-msr
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This CPU MSR kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1
diff --git a/bin/disabled-module-by-security-misc/block-netfilesys b/bin/disabled-module-by-security-misc/block-netfilesys
new file mode 100755
index 0000000..0dc5672
--- /dev/null
+++ b/bin/disabled-module-by-security-misc/block-netfilesys
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1
diff --git a/bin/disabled-module-by-security-misc/block-network b/bin/disabled-module-by-security-misc/block-network
new file mode 100755
index 0000000..7cb3041
--- /dev/null
+++ b/bin/disabled-module-by-security-misc/block-network
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1
diff --git a/bin/disabled-module-by-security-misc/block-thunderbolt b/bin/disabled-module-by-security-misc/block-thunderbolt
new file mode 100755
index 0000000..bfb52e1
--- /dev/null
+++ b/bin/disabled-module-by-security-misc/block-thunderbolt
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1
diff --git a/bin/disabled-module-by-security-misc/block-vivid b/bin/disabled-module-by-security-misc/block-vivid
new file mode 100755
index 0000000..45c14bd
--- /dev/null
+++ b/bin/disabled-module-by-security-misc/block-vivid
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
+
+exit 1
diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf
index b6c8424..fa219bf 100644
--- a/etc/modprobe.d/30_security-misc.conf
+++ b/etc/modprobe.d/30_security-misc.conf
@@ -11,77 +11,77 @@ options nf_conntrack nf_conntrack_helper=0 ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/disabled-by-security-misc -install btusb /bin/disabled-by-security-misc +install bluetooth /bin/disabled-module-by-security-misc/block-bluetooth +install btusb /bin/disabled-module-by-security-misc/block-bluetooth ## Disable thunderbolt and firewire modules to prevent some DMA attacks -install thunderbolt /bin/disabled-by-security-misc -install firewire-core /bin/disabled-by-security-misc -install firewire_core /bin/disabled-by-security-misc -install firewire-ohci /bin/disabled-by-security-misc -install firewire_ohci /bin/disabled-by-security-misc -install firewire_sbp2 /bin/disabled-by-security-misc -install firewire-sbp2 /bin/disabled-by-security-misc -install ohci1394 /bin/disabled-by-security-misc -install sbp2 /bin/disabled-by-security-misc -install dv1394 /bin/disabled-by-security-misc -install raw1394 /bin/disabled-by-security-misc -install video1394 /bin/disabled-by-security-misc +install thunderbolt /bin/disabled-module-by-security-misc/block-thunderbolt +install firewire-core /bin/disabled-module-by-security-misc/block-firewire +install firewire_core /bin/disabled-module-by-security-misc/block-firewire +install firewire-ohci /bin/disabled-module-by-security-misc/block-firewire +install firewire_ohci /bin/disabled-module-by-security-misc/block-firewire +install firewire_sbp2 /bin/disabled-module-by-security-misc/block-firewire +install firewire-sbp2 /bin/disabled-module-by-security-misc/block-firewire +install ohci1394 /bin/disabled-module-by-security-misc/block-firewire +install sbp2 /bin/disabled-module-by-security-misc/block-firewire +install dv1394 /bin/disabled-module-by-security-misc/block-firewire +install raw1394 /bin/disabled-module-by-security-misc/block-firewire +install video1394 
/bin/disabled-module-by-security-misc/block-firewire ## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -install msr /bin/disabled-by-security-misc +install msr /bin/disabled-module-by-security-misc/block-msr ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. ## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. ## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -install dccp /bin/disabled-by-security-misc -install sctp /bin/disabled-by-security-misc -install rds /bin/disabled-by-security-misc -install tipc /bin/disabled-by-security-misc -install n-hdlc /bin/disabled-by-security-misc -install ax25 /bin/disabled-by-security-misc -install netrom /bin/disabled-by-security-misc -install x25 /bin/disabled-by-security-misc -install rose /bin/disabled-by-security-misc -install decnet /bin/disabled-by-security-misc -install econet /bin/disabled-by-security-misc -install af_802154 /bin/disabled-by-security-misc -install ipx /bin/disabled-by-security-misc -install appletalk /bin/disabled-by-security-misc -install psnap /bin/disabled-by-security-misc -install p8023 /bin/disabled-by-security-misc -install p8022 /bin/disabled-by-security-misc -install can /bin/disabled-by-security-misc -install atm /bin/disabled-by-security-misc +install dccp /bin/disabled-module-by-security-misc/block-network +install sctp /bin/disabled-module-by-security-misc/block-network +install rds 
/bin/disabled-module-by-security-misc/block-network +install tipc /bin/disabled-module-by-security-misc/block-network +install n-hdlc /bin/disabled-module-by-security-misc/block-network +install ax25 /bin/disabled-module-by-security-misc/block-network +install netrom /bin/disabled-module-by-security-misc/block-network +install x25 /bin/disabled-module-by-security-misc/block-network +install rose /bin/disabled-module-by-security-misc/block-network +install decnet /bin/disabled-module-by-security-misc/block-network +install econet /bin/disabled-module-by-security-misc/block-network +install af_802154 /bin/disabled-module-by-security-misc/block-network +install ipx /bin/disabled-module-by-security-misc/block-network +install appletalk /bin/disabled-module-by-security-misc/block-network +install psnap /bin/disabled-module-by-security-misc/block-network +install p8023 /bin/disabled-module-by-security-misc/block-network +install p8022 /bin/disabled-module-by-security-misc/block-network +install can /bin/disabled-module-by-security-misc/block-network +install atm /bin/disabled-module-by-security-misc/block-network ## Disable uncommon file systems to reduce attack surface -install cramfs /bin/disabled-by-security-misc -install freevxfs /bin/disabled-by-security-misc -install jffs2 /bin/disabled-by-security-misc -install hfs /bin/disabled-by-security-misc -install hfsplus /bin/disabled-by-security-misc -install udf /bin/disabled-by-security-misc +install cramfs /bin/disabled-module-by-security-misc/block-filesys +install freevxfs /bin/disabled-module-by-security-misc/block-filesys +install jffs2 /bin/disabled-module-by-security-misc/block-filesys +install hfs /bin/disabled-module-by-security-misc/block-filesys +install hfsplus /bin/disabled-module-by-security-misc/block-filesys +install udf /bin/disabled-module-by-security-misc/block-filesys ## Disable uncommon network file systems to reduce attack surface -install cifs /bin/disabled-by-security-misc -install nfs 
/bin/disabled-by-security-misc -install nfsv3 /bin/disabled-by-security-misc -install nfsv4 /bin/disabled-by-security-misc -install ksmbd /bin/disabled-by-security-misc -install gfs2 /bin/disabled-by-security-misc +install cifs /bin/disabled-module-by-security-misc/block-netfilesys +install nfs /bin/disabled-module-by-security-misc/block-netfilesys +install nfsv3 /bin/disabled-module-by-security-misc/block-netfilesys +install nfsv4 /bin/disabled-module-by-security-misc/block-netfilesys +install ksmbd /bin/disabled-module-by-security-misc/block-netfilesys +install gfs2 /bin/disabled-module-by-security-misc/block-netfilesys ## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/disabled-by-security-misc +install vivid /bin/disabled-module-by-security-misc/block-vivid ## Disable Intel Management Engine (ME) interface with the OS ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -install mei /bin/disabled-by-security-misc -install mei-me /bin/disabled-by-security-misc +install mei /bin/disabled-module-by-security-misc/block-intelme +install mei-me /bin/disabled-module-by-security-misc/block-intelme ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco 
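Review bot: The new `install` lines for `firewire-core`/`firewire_core`, `firewire-ohci`/`firewire_ohci` and `firewire_sbp2`/`firewire-sbp2` are pairs that differ only in dash versus underscore; modprobe treats the two spellings as the same module name (the hunk itself relies on this with `n-hdlc`), so each pair is very likely redundant — harmless, but worth either collapsing to one line or a comment such as `## both spellings listed for readability; modprobe treats - and _ as equivalent`. The same pairs are carried over unchanged in the PATCH 26 hunk of this file further down the page. The hunk also gives no hint that an `install` override is honoured only by modprobe(8) — it does not stop a module that is built into the kernel or one loaded with insmod — and that this file must be present in the initramfs for early-boot loads to be blocked as well; a short comment near the top of the file stating both limits would help readers judge what this hardening does and does not cover. I cannot see from this series whether an initramfs hook for the file exists.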
@@ -139,7 +139,7 @@ blacklist udlfb ## Disable CD-ROM devices ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -#install cdrom /bin/disabled-by-security-misc -#install sr_mod /bin/disabled-by-security-misc +#install cdrom /bin/disabled-module-by-security-misc/block-cdrom +#install sr_mod /bin/disabled-module-by-security-misc/block-cdrom blacklist cdrom blacklist sr_mod From fe0cc1089086273794bd6b54df3528ff78c10f6a Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 12 Jul 2022 17:18:47 +1000 Subject: [PATCH 24/27] Updated README.md --- README.md | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 039c9c4..73428f2 100644 --- a/README.md +++ b/README.md @@ -88,15 +88,24 @@ disabled. * IOMMU is enabled to prevent DMA attacks. -### Blacklisted kernel modules +### Disables and blacklists kernel modules -Certain kernel modules are blacklisted to reduce attack surface via the +Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. * Deactivates Netfilter's connection tracking helper - this module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. Hence, this feature is disabled. +* Bluetooth is disabled to reduce attack surface. Bluetooth has +a lengthy history of security concerns. + +* Thunderbolt and numerous FireWire kernel modules are also disabled as they are +often vulnerable to DMA attacks. + +* The MSR kernel module is disabled to prevent CPU MSRs from being +abused to write to arbitrary memory. + * Uncommon network protocols are blacklisted. This includes: DCCP - Datagram Congestion Control Protocol 
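Review bot: The section heading `## Disable CD-ROM devices` overstates what the active lines do: with the two `install` lines commented out, only `blacklist cdrom` and `blacklist sr_mod` remain, and a blacklist entry stops alias-driven autoloading only — an explicit modprobe, or a dependency pull from another module, still loads them. The README hunk in PATCH 24 on this page says as much ("Not completely disabled yet"), but the conf file itself does not; a comment such as `## blacklist only (install override commented out): blocks automatic loading, not explicit or dependency loads` above the two blacklist lines would keep the two in step. The same lines reappear, re-pathed, in the PATCH 26 hunk `@@ -139,7 +139,7 @@` of this file.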
@@ -137,23 +146,16 @@ such as IRC parsing in the kernel. Hence, this feature is disabled. ATM -* Bluetooth is also blacklisted to reduce attack surface. Bluetooth has -a history of security concerns. - -* The Thunderbolt and FireWire kernel modules are blacklisted as they are -often vulnerable to DMA attacks. - -* The vivid kernel module is only required for testing and has been the cause -of multiple vulnerabilities so it is blacklisted. - -* The MSR kernel module is blacklisted to prevent CPU MSRs from being -abused to write to arbitrary memory. - * Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches. -* Provides some blocking of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. +* The vivid kernel module is only required for testing and has been the cause +of multiple vulnerabilities so it is disabled. -* Not enabled by default yet, comment only: Disables the use of CD-ROM devices by default. +* Provides some disabling of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. + +* Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. + +* Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. ### Other From 24d6a93eacf5b41cfb9133471049776a16a07b03 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 13 Jul 2022 08:28:34 -0400 Subject: [PATCH 25/27] bumped changelog version --- changelog.upstream | 52 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 58 insertions(+) 
diff --git a/changelog.upstream b/changelog.upstream index 16be21f..cd0a0fc 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,55 @@ +commit 8f31e5d1d172eb117bde63702f63081da182d5c5 +Merge: 6aa9a94 c410890 +Author: Patrick Schleizer +Date: Wed Jul 13 07:26:58 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit c410890a8ade6d4be13dc99a7003f03ebded8153 +Merge: 6aa9a94 fe0cc10 +Author: Patrick Schleizer +Date: Wed Jul 13 07:24:12 2022 -0400 + + Merge pull request #110 from raja-grewal/master + + Incorporated Ubuntu’s kernel module blacklists and more verbose errors + +commit fe0cc1089086273794bd6b54df3528ff78c10f6a +Author: Raja Grewal +Date: Tue Jul 12 17:18:47 2022 +1000 + + Updated README.md + +commit 48089e5ba43b0b72449f888b98b63119ed57e2fd +Author: Raja Grewal +Date: Tue Jul 12 17:02:12 2022 +1000 + + More verbose kernel module blocking error logs + +commit 40ec791774f2a6ae7d42ccf2bfbe4a98a9963f08 +Author: Raja Grewal +Date: Tue Jul 12 16:58:16 2022 +1000 + + Updated comments + +commit ef1ef9917d896f1cd837f399def6a75704e9bfd2 +Author: Raja Grewal +Date: Sun Jul 10 04:53:25 2022 +1000 + + Blacklist automatic loading of CD-ROM modules + +commit 61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc +Author: Raja Grewal +Date: Sun Jul 10 04:52:00 2022 +1000 + + Incorporated Ubuntu’s kernel module blacklists + +commit 6aa9a9472f10d4d6270dd59fbcd94d9001aca9e6 +Author: Patrick Schleizer +Date: Sat Jul 9 11:42:24 2022 -0400 + + bumped changelog version + commit 3b844eaab25fecf90292c88291be77abf0be694c Author: Patrick Schleizer Date: Sat Jul 9 11:42:11 2022 -0400 diff --git a/debian/changelog b/debian/changelog index e1fa1be..d6601a5 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:25.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 13 Jul 2022 12:28:34 +0000 + security-misc (3:25.2-1) unstable; urgency=medium * New upstream version (local package). From a72bbb1883613ee56be29949c153e0edb2d72a29 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Wed, 13 Jul 2022 23:42:13 +1000 Subject: [PATCH 26/27] Corrected kerenl module disabling --- ...th => disabled-bluetooth-by-security-misc} | 0 bin/disabled-by-security-misc | 10 -- ...-cdrom => disabled-cdrom-by-security-misc} | 0 ...esys => disabled-filesys-by-security-misc} | 0 ...ire => disabled-firewire-by-security-misc} | 0 ...elme => disabled-intelme-by-security-misc} | 0 ...lock-msr => disabled-msr-by-security-misc} | 0 ...s => disabled-netfilesys-by-security-misc} | 0 ...work => disabled-network-by-security-misc} | 0 ... => disabled-thunderbolt-by-security-misc} | 0 ...-vivid => disabled-vivid-by-security-misc} | 0 etc/modprobe.d/30_security-misc.conf | 102 +++++++++--------- 12 files changed, 51 insertions(+), 61 deletions(-) rename bin/{disabled-module-by-security-misc/block-bluetooth => disabled-bluetooth-by-security-misc} (100%) delete mode 100755 bin/disabled-by-security-misc rename bin/{disabled-module-by-security-misc/block-cdrom => disabled-cdrom-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-filesys => disabled-filesys-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-firewire => disabled-firewire-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-intelme => disabled-intelme-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-msr => disabled-msr-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-netfilesys => disabled-netfilesys-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-network => disabled-network-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-thunderbolt => disabled-thunderbolt-by-security-misc} (100%) rename bin/{disabled-module-by-security-misc/block-vivid => disabled-vivid-by-security-misc} (100%) 
diff --git a/bin/disabled-module-by-security-misc/block-bluetooth b/bin/disabled-bluetooth-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-bluetooth rename to bin/disabled-bluetooth-by-security-misc diff --git a/bin/disabled-by-security-misc b/bin/disabled-by-security-misc deleted file mode 100755 index 9d11c80..0000000 --- a/bin/disabled-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/bin/disabled-module-by-security-misc/block-cdrom b/bin/disabled-cdrom-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-cdrom rename to bin/disabled-cdrom-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-filesys b/bin/disabled-filesys-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-filesys rename to bin/disabled-filesys-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-firewire b/bin/disabled-firewire-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-firewire rename to bin/disabled-firewire-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-intelme b/bin/disabled-intelme-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-intelme rename to bin/disabled-intelme-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-msr b/bin/disabled-msr-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-msr rename to bin/disabled-msr-by-security-misc 
diff --git a/bin/disabled-module-by-security-misc/block-netfilesys b/bin/disabled-netfilesys-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-netfilesys rename to bin/disabled-netfilesys-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-network b/bin/disabled-network-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-network rename to bin/disabled-network-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-thunderbolt b/bin/disabled-thunderbolt-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-thunderbolt rename to bin/disabled-thunderbolt-by-security-misc diff --git a/bin/disabled-module-by-security-misc/block-vivid b/bin/disabled-vivid-by-security-misc similarity index 100% rename from bin/disabled-module-by-security-misc/block-vivid rename to bin/disabled-vivid-by-security-misc diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index fa219bf..48d5b25 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -11,77 +11,77 @@ options nf_conntrack nf_conntrack_helper=0 ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/disabled-module-by-security-misc/block-bluetooth -install btusb /bin/disabled-module-by-security-misc/block-bluetooth +install bluetooth /bin/disabled-bluetooth-by-security-misc +install btusb /bin/disabled-bluetooth-by-security-misc ## Disable thunderbolt and firewire modules to prevent some DMA attacks -install thunderbolt /bin/disabled-module-by-security-misc/block-thunderbolt -install firewire-core /bin/disabled-module-by-security-misc/block-firewire -install firewire_core /bin/disabled-module-by-security-misc/block-firewire -install firewire-ohci /bin/disabled-module-by-security-misc/block-firewire -install firewire_ohci /bin/disabled-module-by-security-misc/block-firewire -install firewire_sbp2 /bin/disabled-module-by-security-misc/block-firewire -install firewire-sbp2 /bin/disabled-module-by-security-misc/block-firewire -install ohci1394 /bin/disabled-module-by-security-misc/block-firewire -install sbp2 /bin/disabled-module-by-security-misc/block-firewire -install dv1394 /bin/disabled-module-by-security-misc/block-firewire -install raw1394 /bin/disabled-module-by-security-misc/block-firewire -install video1394 /bin/disabled-module-by-security-misc/block-firewire +install thunderbolt /bin/disabled-thunderbolt-by-security-misc +install firewire-core /bin/disabled-firewire-by-security-misc +install firewire_core /bin/disabled-firewire-by-security-misc +install firewire-ohci /bin/disabled-firewire-by-security-misc +install firewire_ohci /bin/disabled-firewire-by-security-misc +install firewire_sbp2 /bin/disabled-firewire-by-security-misc +install firewire-sbp2 /bin/disabled-firewire-by-security-misc +install ohci1394 /bin/disabled-firewire-by-security-misc +install sbp2 /bin/disabled-firewire-by-security-misc 
+install dv1394 /bin/disabled-firewire-by-security-misc +install raw1394 /bin/disabled-firewire-by-security-misc +install video1394 /bin/disabled-firewire-by-security-misc ## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -install msr /bin/disabled-module-by-security-misc/block-msr +install msr /bin/disabled-msr-by-security-misc ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. ## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. ## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. 
-install dccp /bin/disabled-module-by-security-misc/block-network -install sctp /bin/disabled-module-by-security-misc/block-network -install rds /bin/disabled-module-by-security-misc/block-network -install tipc /bin/disabled-module-by-security-misc/block-network -install n-hdlc /bin/disabled-module-by-security-misc/block-network -install ax25 /bin/disabled-module-by-security-misc/block-network -install netrom /bin/disabled-module-by-security-misc/block-network -install x25 /bin/disabled-module-by-security-misc/block-network -install rose /bin/disabled-module-by-security-misc/block-network -install decnet /bin/disabled-module-by-security-misc/block-network -install econet /bin/disabled-module-by-security-misc/block-network -install af_802154 /bin/disabled-module-by-security-misc/block-network -install ipx /bin/disabled-module-by-security-misc/block-network -install appletalk /bin/disabled-module-by-security-misc/block-network -install psnap /bin/disabled-module-by-security-misc/block-network -install p8023 /bin/disabled-module-by-security-misc/block-network -install p8022 /bin/disabled-module-by-security-misc/block-network -install can /bin/disabled-module-by-security-misc/block-network -install atm /bin/disabled-module-by-security-misc/block-network +install dccp /bin/disabled-network-by-security-misc +install sctp /bin/disabled-network-by-security-misc +install rds /bin/disabled-network-by-security-misc +install tipc /bin/disabled-network-by-security-misc +install n-hdlc /bin/disabled-network-by-security-misc +install ax25 /bin/disabled-network-by-security-misc +install netrom /bin/disabled-network-by-security-misc +install x25 /bin/disabled-network-by-security-misc +install rose /bin/disabled-network-by-security-misc +install decnet /bin/disabled-network-by-security-misc +install econet /bin/disabled-network-by-security-misc +install af_802154 /bin/disabled-network-by-security-misc +install ipx /bin/disabled-network-by-security-misc +install appletalk 
/bin/disabled-network-by-security-misc +install psnap /bin/disabled-network-by-security-misc +install p8023 /bin/disabled-network-by-security-misc +install p8022 /bin/disabled-network-by-security-misc +install can /bin/disabled-network-by-security-misc +install atm /bin/disabled-network-by-security-misc ## Disable uncommon file systems to reduce attack surface -install cramfs /bin/disabled-module-by-security-misc/block-filesys -install freevxfs /bin/disabled-module-by-security-misc/block-filesys -install jffs2 /bin/disabled-module-by-security-misc/block-filesys -install hfs /bin/disabled-module-by-security-misc/block-filesys -install hfsplus /bin/disabled-module-by-security-misc/block-filesys -install udf /bin/disabled-module-by-security-misc/block-filesys +install cramfs /bin/disabled-filesys-by-security-misc +install freevxfs /bin/disabled-filesys-by-security-misc +install jffs2 /bin/disabled-filesys-by-security-misc +install hfs /bin/disabled-filesys-by-security-misc +install hfsplus /bin/disabled-filesys-by-security-misc +install udf /bin/disabled-filesys-by-security-misc ## Disable uncommon network file systems to reduce attack surface -install cifs /bin/disabled-module-by-security-misc/block-netfilesys -install nfs /bin/disabled-module-by-security-misc/block-netfilesys -install nfsv3 /bin/disabled-module-by-security-misc/block-netfilesys -install nfsv4 /bin/disabled-module-by-security-misc/block-netfilesys -install ksmbd /bin/disabled-module-by-security-misc/block-netfilesys -install gfs2 /bin/disabled-module-by-security-misc/block-netfilesys +install cifs /bin/disabled-netfilesys-by-security-misc +install nfs /bin/disabled-netfilesys-by-security-misc +install nfsv3 /bin/disabled-netfilesys-by-security-misc +install nfsv4 /bin/disabled-netfilesys-by-security-misc +install ksmbd /bin/disabled-netfilesys-by-security-misc +install gfs2 /bin/disabled-netfilesys-by-security-misc ## Disables the vivid kernel module as it's only required for testing and has been the 
cause of multiple vulnerabilities ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/disabled-module-by-security-misc/block-vivid +install vivid /bin/disabled-vivid-by-security-misc ## Disable Intel Management Engine (ME) interface with the OS ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -install mei /bin/disabled-module-by-security-misc/block-intelme -install mei-me /bin/disabled-module-by-security-misc/block-intelme +install mei /bin/disabled-intelme-by-security-misc +install mei-me /bin/disabled-intelme-by-security-misc ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco @@ -139,7 +139,7 @@ blacklist udlfb ## Disable CD-ROM devices ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -#install cdrom /bin/disabled-module-by-security-misc/block-cdrom -#install sr_mod /bin/disabled-module-by-security-misc/block-cdrom +#install cdrom /bin/disabled-cdrom-by-security-misc +#install sr_mod /bin/disabled-cdrom-by-security-misc blacklist cdrom blacklist sr_mod From 465775c9dc1b97c98a5470acaffabb103ea7239f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 16 Jul 2022 08:00:16 -0400 Subject: [PATCH 27/27] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cd0a0fc..ba8c92d 100644 --- a/changelog.upstream +++ b/changelog.upstream 
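Review bot: Nothing in the hunk records why moving the blocker scripts from `/bin/disabled-module-by-security-misc/` to flat `/bin/disabled-*-by-security-misc` names is the correction the commit title promises; every `install` path changes but the surrounding comments are untouched. A one-line comment above the first `install` line giving the constraint that ruled out the subdirectory (packaging, path resolution, or whatever it was — I cannot tell from the diff) would stop a later cleanup from moving them back. Deleting the old catch-all `bin/disabled-by-security-misc` in the same commit looks safe as far as the visible hunks show, since every `install` line, including the commented-out cdrom ones, now names a specific script.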
@@ -1,3 +1,31 @@ +commit 1fafb5f53bbec57812f535e79bfb475628cc58e3 +Merge: 24d6a93 27aa523 +Author: Patrick Schleizer +Date: Fri Jul 15 08:09:16 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 27aa5231e2d1dafd89ba19c8d6becf461e781605 +Merge: 24d6a93 a72bbb1 +Author: Patrick Schleizer +Date: Fri Jul 15 08:06:08 2022 -0400 + + Merge pull request #112 from raja-grewal/blacklist + + Corrected kernel module disabling + +commit a72bbb1883613ee56be29949c153e0edb2d72a29 +Author: Raja Grewal +Date: Wed Jul 13 23:42:13 2022 +1000 + + Corrected kerenl module disabling + +commit 24d6a93eacf5b41cfb9133471049776a16a07b03 +Author: Patrick Schleizer +Date: Wed Jul 13 08:28:34 2022 -0400 + + bumped changelog version + commit 8f31e5d1d172eb117bde63702f63081da182d5c5 Merge: 6aa9a94 c410890 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index d6601a5..ee79eb0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:25.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 16 Jul 2022 12:00:16 +0000 + security-misc (3:25.3-1) unstable; urgency=medium * New upstream version (local package).