From d69fe88091c7212a9af86306c797aed40398584b Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 17 Jul 2024 01:08:01 +1000
Subject: [PATCH 1/3] Provide option to disable `uvcvideo` driver
---
 etc/modprobe.d/30_security-misc_disable.conf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 97d3840..9e91697 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -193,6 +193,11 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
 ##
 install floppy /usr/bin/disabled-miscellaneous-by-security-misc
 ##
+## USB Video Device Class:
+## Disables USB-based video streaming driver for devices like webcams and digital camcorders.
+##
+#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
+##
 ## Vivid:
 ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
 ##
From f317aaebab126bafe3cfaef8159bf0820c392c87 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 17 Jul 2024 01:09:02 +1000
Subject: [PATCH 2/3] Disable two network modules
These were previously blacklisted for two years in https://github.com/Kicksecure/security-misc/commit/61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc.
---
 etc/modprobe.d/30_security-misc_disable.conf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 9e91697..b6be29e 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
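Review bot: The new comment says 'Disables USB-based video streaming driver' in the indicative while the `#install uvcvideo` line under it is commented out, so a reader skimming the file may assume webcams are blocked by default when nothing in this hunk is active. State the opt-in nature in the comment itself, e.g. `## Not disabled by default; uncomment the install line below to opt in.`, and consider giving the reason a user would want the driver off, as the neighbouring Vivid section does for its module. It is also worth a one-line caveat that an `install` directive only intercepts module loading through modprobe: it has no effect on a driver that is already loaded or built into the kernel, so enabling this line does not by itself guarantee the camera is unreachable.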
@@ -113,10 +113,12 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc ## Network Protocols: ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. +## Previously had blacklisted eepro100 and eth1394. ## ## https://tails.boum.org/blueprint/blacklist_modules/ ## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco +## https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2230732015 ## install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc
@@ -125,8 +127,8 @@ install ax25 /usr/bin/disabled-network-by-security-misc
 install decnet /usr/bin/disabled-network-by-security-misc
 install dccp /usr/bin/disabled-network-by-security-misc
 install econet /usr/bin/disabled-network-by-security-misc
-#install eepro100 /usr/bin/disabled-network-by-security-misc
-#install eth1394 /usr/bin/disabled-network-by-security-misc
+install eepro100 /usr/bin/disabled-network-by-security-misc
+install eth1394 /usr/bin/disabled-network-by-security-misc
 install ipx /usr/bin/disabled-network-by-security-misc
 install n-hdlc /usr/bin/disabled-network-by-security-misc
 install netrom /usr/bin/disabled-network-by-security-misc
From a3408990ab439e6edbf8691cf7d65fb16c0d24df Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 17 Jul 2024 15:03:39 +1000
Subject: [PATCH 3/3] Uncomment disabling of already disabled ATM modules
---
 etc/modprobe.d/30_security-misc_disable.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index b6be29e..e278caa 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
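Review bot: The added line `## Previously had blacklisted eepro100 and eth1394.` describes the past state, yet the second hunk of this patch uncomments the `install eepro100` and `install eth1394` lines, so after the patch both are disabled and the comment reads as if they no longer were; reword it to the present, e.g. `## eepro100 and eth1394 were blacklisted for two years and are now disabled (see the PR #234 discussion linked below).` The two names also sit under the 'Network Protocols' heading, but as far as I recall they are legacy NIC drivers (Intel EtherExpress Pro/100 and Ethernet over IEEE 1394) rather than protocols, and both were dropped from mainline kernels years ago, which would make these `install` lines inert on a current kernel; if that matches your understanding, say so in the comment so nobody reads them as blocking a live interface. This applies to both hunks of this patch.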
@@ -141,9 +141,9 @@ install x25 /usr/bin/disabled-network-by-security-misc
 ## Asynchronous Transfer Mode (ATM):
 ##
 install atm /usr/bin/disabled-network-by-security-misc
-#install ueagle-atm /usr/bin/disabled-network-by-security-misc
-#install usbatm /usr/bin/disabled-network-by-security-misc
-#install xusbatm /usr/bin/disabled-network-by-security-misc
+install ueagle-atm /usr/bin/disabled-network-by-security-misc
+install usbatm /usr/bin/disabled-network-by-security-misc
+install xusbatm /usr/bin/disabled-network-by-security-misc
 ##
 ## Controller Area Network (CAN) Protocol:
 ##
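Review bot: The three `install` lines now made active under 'Asynchronous Transfer Mode (ATM):' come with no explanation of why they are listed separately from `atm`; the patch subject calls them 'already disabled', which I take to mean they depend on the `atm` module, but the file does not say so. Suggest a comment beneath the heading such as `## ueagle-atm, usbatm and xusbatm are USB ADSL modem drivers layered on atm; listed explicitly so they stay disabled even if atm is ever re-enabled.` (adjust if the dependency assumption is wrong). The Vivid and Network Protocols sections each carry a one-line rationale, so adding one here keeps the file consistent.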