From eb7eaffba1f437763773b5c7f2b44ef51684ddcd Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 4 Jul 2019 14:24:44 +0000 Subject: [PATCH 1/3] Blacklist n-hdlc --- etc/modprobe.d/uncommon-network-protocols.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/modprobe.d/uncommon-network-protocols.conf b/etc/modprobe.d/uncommon-network-protocols.conf index 474598a..41da209 100644 --- a/etc/modprobe.d/uncommon-network-protocols.conf +++ b/etc/modprobe.d/uncommon-network-protocols.conf @@ -3,3 +3,4 @@ install dccp /bin/true install sctp /bin/true install rds /bin/true install tipc /bin/true +install n-hdlc /bin/true From 46409be8b664db730113b4495ef69bee0f41c53a Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 4 Jul 2019 14:25:28 +0000 Subject: [PATCH 2/3] Use install instead of blacklist --- etc/modprobe.d/blacklist-dma.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/modprobe.d/blacklist-dma.conf b/etc/modprobe.d/blacklist-dma.conf index 3e2c7de..3a1485b 100644 --- a/etc/modprobe.d/blacklist-dma.conf +++ b/etc/modprobe.d/blacklist-dma.conf @@ -1,3 +1,3 @@ # Blacklist thunderbolt and firewire to prevent some DMA attacks. -blacklist firewire-core -blacklist thunderbolt +install firewire-core /bin/true +install thunderbolt /bin/true From 8888147e1e1102fa852dce14c3ca1cb91cd1ff3b Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 4 Jul 2019 14:26:31 +0000 Subject: [PATCH 3/3] Update control --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 068030d..ee8b5af 100644 --- a/debian/control +++ b/debian/control 
@@ -95,7 +95,7 @@ Description: enhances misc security settings . All mitigations for the MDS vulnerability are enabled. . - DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have + DCCP, SCTP, TIPC, RDS and HDLC are blacklisted as they are rarely used and may have unknown vulnerabilities. . The kernel logs are restricted to root only.
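Review bot: in patch 1, the new `install n-hdlc /bin/true` line in `uncommon-network-protocols.conf` disables a TTY line discipline (the kernel module is `n_hdlc`; modprobe treats `-` and `_` as equivalent, so the spelling works, but the canonical `n_hdlc` would avoid a double-take), not a network protocol like the `dccp`, `sctp`, `rds` and `tipc` entries above it, so it does not fit the file's name; either move it to its own file or add a comment saying why it lives here. The commit subject says "Blacklist" while the directive is `install ... /bin/true`, which is the stronger form (it also defeats explicit `modprobe` and dependency-driven loads) but makes every load attempt exit 0 silently; `/bin/false` would make a refused load visible in logs. Neither form has any effect if the module is built into the running kernel.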
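Review bot: in patch 2, the comment `# Blacklist thunderbolt and firewire to prevent some DMA attacks.` is left unchanged while both directives beneath it change from `blacklist` to `install ... /bin/true`, so the comment (and the file name `blacklist-dma.conf`) now describes a mechanism the file no longer uses; reword it to say the modules are prevented from loading. The comment should also state the side effects and limits: `install firewire-core /bin/true` takes down everything that depends on it (`firewire-ohci`, `firewire-sbp2`), `install thunderbolt /bin/true` disables all Thunderbolt devices (docks, displays), not only the DMA path, on firmware running in the legacy/"none" security level the PCIe tunnel can be brought up without the Linux driver so the DMA path may stay open anyway, and neither line does anything where the driver is built into the kernel. The IOMMU, not these two lines, is the actual DMA mitigation.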
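Review bot: in patch 3, the modified line ` DCCP, SCTP, TIPC, RDS and HDLC are blacklisted as they are rarely used and may have` is 84 characters including the leading space, over the 80-column limit for extended description lines (Lintian: extended-description-line-too-long); re-wrap the sentence. While re-wrapping it, "HDLC" is imprecise: the module disabled in patch 1 is `n_hdlc`, the HDLC TTY line discipline, not the generic `hdlc` WAN protocol modules, and after patches 1 and 2 the mechanism is `install ... /bin/true` rather than `blacklist`, so wording such as ` DCCP, SCTP, TIPC, RDS and the n_hdlc line discipline are disabled as they are` / ` rarely used and may have unknown vulnerabilities.` would match what the package actually ships.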