diff --git a/README.md b/README.md index 5e029c8..3a9c552 100644 --- a/README.md +++ b/README.md @@ -190,9 +190,6 @@ modules from automatically starting. - CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. -- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. - - Miscellaneous: Blacklist an assortment of other modules to prevent them from automatically loading. @@ -210,6 +207,9 @@ disabling should first be blacklisted for a suitable amount of time. - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. +- Framebuffer Drivers: Disabled as they are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. + - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS). diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index c35af0b..4f1b1be 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf @@ -21,39 +21,6 @@ blacklist sr_mod #install cdrom /usr/bin/disabled-cdrom-by-security-misc #install sr_mod /usr/bin/disabled-cdrom-by-security-misc -## Framebuffer Drivers: -## -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -## -blacklist aty128fb -blacklist atyfb -blacklist cirrusfb -blacklist cyber2000fb -blacklist cyblafb -blacklist gx1fb -blacklist hgafb -blacklist i810fb -blacklist intelfb -blacklist kyrofb -blacklist lxfb -blacklist matroxfb_bases -blacklist neofb -blacklist nvidiafb -blacklist pm2fb -blacklist radeonfb -blacklist rivafb -blacklist s1d13xxxfb -blacklist savagefb -blacklist sisfb -blacklist sstfb -blacklist tdfxfb -blacklist tridentfb -blacklist vesafb -blacklist vfb -blacklist viafb -blacklist vt8623fb -blacklist udlfb - ## Miscellaneous: ## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index d2408af..7ce6190 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -70,6 +70,41 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc +## Framebuffer Drivers: +## Known to be buggy, cause kernel panics, and are generally only used by legacy devices. +## These were all previously blacklisted. +## +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +## +install aty128fb /usr/bin/disabled-framebuffer-by-security-misc +install atyfb /usr/bin/disabled-framebuffer-by-security-misc +install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc +install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc +install cyblafb /usr/bin/disabled-framebuffer-by-security-misc +install gx1fb /usr/bin/disabled-framebuffer-by-security-misc +install hgafb /usr/bin/disabled-framebuffer-by-security-misc +install i810fb /usr/bin/disabled-framebuffer-by-security-misc +install intelfb /usr/bin/disabled-framebuffer-by-security-misc +install kyrofb /usr/bin/disabled-framebuffer-by-security-misc +install lxfb /usr/bin/disabled-framebuffer-by-security-misc +install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc +install neofb /usr/bin/disabled-framebuffer-by-security-misc +install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc +install pm2fb /usr/bin/disabled-framebuffer-by-security-misc +install radeonfb /usr/bin/disabled-framebuffer-by-security-misc +install rivafb /usr/bin/disabled-framebuffer-by-security-misc +install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc +install savagefb /usr/bin/disabled-framebuffer-by-security-misc +install sisfb /usr/bin/disabled-framebuffer-by-security-misc +install sstfb /usr/bin/disabled-framebuffer-by-security-misc +install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc +install tridentfb /usr/bin/disabled-framebuffer-by-security-misc +install vesafb /usr/bin/disabled-framebuffer-by-security-misc +install vfb /usr/bin/disabled-framebuffer-by-security-misc +install viafb /usr/bin/disabled-framebuffer-by-security-misc +install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc +install udlfb /usr/bin/disabled-framebuffer-by-security-misc + ## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). ## diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc new file mode 100755 index 0000000..301f869 --- /dev/null +++ b/usr/bin/disabled-framebuffer-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This framebuffer driver kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 + +exit 1