criteria for kernel module blacklisting / disabling / Suggestions for kernel modules blacklisted in /etc/modprobe.d/30_security-misc.conf

[MikeHorn-git]

Digital Video Broadcasting

install dvb_core /bin/true # Core module for DVB devices
install dvb_usb_rtl2832u /bin/true # DVB-T USB devices with RTL2832U chipset
install dvb_usb_rtl28xxu /bin/true # DVB-T USB devices with RTL28xx chipset
install dvb_usb_v2 /bin/true # Newer DVB USB framework
install rtl2830 /bin/true # Realtek RTL2830 DVB-T receiver
install rtl2832 /bin/true # Realtek RTL2832 DVB-T receiver
install rtl2832_sdr /bin/true # RTL2832-based SDR devices
install rtl2838 /bin/true # Realtek RTL2838 DVB-T receiver

Point-to-Point Protocols

install ppp_async /bin/true # Point-to-Point Protocol for asynchronous connections
install ppp_deflate /bin/true # Compression module for PPP
install ppp_generic /bin/true # Generic PPP support
install pppoe /bin/true # PPP over Ethernet
install pppox /bin/true # PPP over various transports
install slhc /bin/true # SLIP/PPP compression and decompression

Intel Platform Monitoring Technology Telemetry (Intel-PMT)

install pmt_class /bin/true # Platform Monitoring Telemetry (Intel)
install pmt_telemetry /bin/true # Platform Monitoring Telemetry (Intel)

Network Drivers

install brcm80211 /bin/true # Very old Broadcom wireless driver
install cfg80211 /bin/true # Wireless API for a very old Broadcom device
install eepro100 /bin/true # Very old network driver
install eth1394 /bin/true # Very old network driver
install rtl8187 /bin/true # Realtek RTL8187 wireless LAN driver

Miscellaneous Drivers

install fddi /bin/true # Fiber Distributed Data Interface
install floppy /bin/true
install hamradio /bin/true # Amateur radio protocol
install ib_ipoib /bin/true # InfiniBand over IP
install joydev /bin/true # Joystick support
install lp /bin/true # Printer support for parallel port
install parport /bin/true # Parallel port support
install tr /bin/true # Token Ring protocol
install uvcvideo /bin/true # USB Video Class driver

FileSystem

install jfs /bin/true # IBM's Journaled File System
install reiserfs /bin/true # ReiserFS filesystem
install squashfs /bin/true # SquashFS filesystem

Blacklisted : Make this optional and can be loaded later

blacklist amdgpu
blacklist b43 # Quite old Broadcom wireless driver
blacklist exfat
blacklist iwlwifi # Intel wireless driver
blacklist mac80211 # Printer support for parallel port
blacklist ntfs
blacklist nvidia
blacklist radeon
blacklist usb_storage
blacklist uinput # User-level input driver

[raja-grewal]

Hello, thanks for your suggestions. Many of these seem certainly very actionable.

However. given the number of modules to be disabled, it may take some time to review.

Have you tested all these settings on Kicksecure yourself to ensure none of them cause any breakages for you?

Note: Some discussion may or may not occur on the Whonix forums.

[adrelanos]

Some seem extreme with no clear rationale provided. Such as:

blacklist amdgpu # Make this optionnal

blacklist iwlwifi # Intel wireless driver

[MikeHorn-git]

Thanks for your replies. I edited the post as suggested by @souchikjoardar201.
You right @adrelanos some are extreme like certain ppp, exfat/ntfs if want to be compatible with windows environment etc.
@raja-grewal I gonna try this on kicksecure KVM/Vbox.
I gonna make new post with results in a few days, you will see more clearly.

[MikeHorn-git]

@MikeHorn-git I think the blacklist ones are extreme but as far as PPP and DVB/DVB-T and InfiniBand I'm not sure what issues these would cause if you disabled them.

What is the rational or reasoning behind those (PPP and DVB/DVB-T and InfiniBand) being disabled? Is there certain attacks that leverage those or is it just that they are oudated/old and and unused and could be used for attack surface?

Good question, the second option. Outdated/old and could be used for attack surface.
PPP seems to be the worst suggestion among others, you right about possible issues that would cause.

So I try these with a kicksecure virtualbox. No issues at the moment. What are the tests I could use for more results ?

[MikeHorn-git]

@EclipseBazooka

• I don't have issues. Do you have any suggestions for more advanced tests ?
• These modules are related to live TV.

[adrelanos]

#235 makes me question what the scope for kernel module blacklisting / disabling.

Some criteria is needed such as:

• Rarely used functionality.
• Known security issues.

Please suggest criteria.

[adrelanos]

Maybe good to reconsider the history of /etc/modprobe.d in security-misc. It was based on research / discussions / other distributions.

30_security-misc_conntrack.conf:## https://conntrack-tools.netfilter.org/manual.html
30_security-misc_conntrack.conf:## https://forums.whonix.org/t/disable-conntrack-helper/18917
30_security-misc_disable.conf:## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
30_security-misc_disable.conf:## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
30_security-misc_disable.conf:## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
30_security-misc_disable.conf:## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
30_security-misc_disable.conf:## https://github.com/Kicksecure/security-misc/issues/215
30_security-misc_disable.conf:## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
30_security-misc_disable.conf:## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
30_security-misc_disable.conf:## https://tails.boum.org/blueprint/blacklist_modules/
30_security-misc_disable.conf:## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
30_security-misc_disable.conf:## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
30_security-misc_disable.conf:## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
30_security-misc_disable.conf:## https://www.openwall.com/lists/oss-security/2019/11/02/1
30_security-misc_disable.conf:## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
30_security-misc_disable.conf:## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
30_security-misc_blacklist.conf:## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
30_security-misc_blacklist.conf:## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
30_security-misc_blacklist.conf:## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
30_security-misc_blacklist.conf:## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
30_security-misc_blacklist.conf:## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
30_security-misc_blacklist.conf:## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
30_security-misc_blacklist.conf:## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco

But it seems now we're getting ahead / taking the lead / blacklisting / disabling everything and the kitchen sink without much rationale / error handling.

Will comment in #236 too.

[raja-grewal]

I would agree that some of the discussion has been based on research and other distributions. However, the majority of kernel modules actually disabled have been on the basis attack surface reduction by blocking "obscure/rare/uncommon/legacy" networking protocols and file systems".

See e0aa676, a813e7d, 18d67db, 61ef9bd, ef1ef99, 06f13bb, and many more.

I strongly agree that we should develop some sort of criteria.

[adrelanos]

It needs a rationale. If an incoming incoming network package can result in auto loading a kernel module (such as IRC), which may then be vulnerable, we have a good rationale to block loading it.

Need to consider the code flow. Can a non-root user make a kernel module load and would that widen the attack surface by loading a module which is most likely just legacy? Then we have another good rationale to block loading it.

Blocking obscure file systems is also good because if a device gets connected with a nowadays obscure / unexpected filesystem.

A good reason to block a kernel module is also if security researcher(s) make a good argument why that should be done.

However, common functionality should not be blocked.

[adrelanos]

As said in #239:

Abundance of caution can't really be a suitable criteria because there a hundreds or thousands of kernel modules. That's too big in scope for a a security "miscellaneous" project. That would best maintained by a separate project.

[adrelanos]

Through issue:

• kernel module blacklist breaks VirtualBox audio devices ICH AC97 and maybe Intel HD #271

I learned, the only thing we blacklisted was snd_intel8x0.

This had resulted in multiple kernel modules not loading.

ac97_bus
joydev
snd_ac97_codec
snd_intel8x0
snd_pcm

So in theory, one could report a bug:

You are blacklisting snd_intel8x0 but fail to blacklist ac97_bus, snd_ac97_codec, snd_pcm.

This would be technically correct.

But who has really the time to read through thousands of kernel modules and build a complete list? I don't think we have this capability.