diff --git a/README.md b/README.md index 5826a0a..da9254a 100644 --- a/README.md +++ b/README.md @@ -214,9 +214,6 @@ modules from automatically starting. - CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. -- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. - - Miscellaneous: Blacklist an assortment of other modules to prevent them from automatically loading. @@ -234,14 +231,17 @@ disabling should first be blacklisted for a suitable amount of time. - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. +- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. + - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS). - Optional - Intel Management Engine (ME): Provides some disabling of the interface - between the Intel ME and the OS. May lead to breakages in places such as security, - power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 + between the Intel ME and the OS. May lead to breakages in places such as firmware + updates, security, power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 -- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality +- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality of the Intel PMT components. - Network File Systems: Disable uncommon and legacy network file systems. @@ -250,7 +250,8 @@ disabling should first be blacklisted for a suitable amount of time. are disabled. - Miscellaneous: Disable an assortment of other modules such as those required - for amateur radio, floppy disks, and vivid. + for amateur radio, floppy disks, and vivid. Also disable legacy drivers that + have been entirely replaced by newer drivers. - Thunderbolt: Disabled as they are often vulnerable to DMA attacks. diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index c35af0b..34e1124 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf @@ -21,52 +21,35 @@ blacklist sr_mod #install cdrom /usr/bin/disabled-cdrom-by-security-misc #install sr_mod /usr/bin/disabled-cdrom-by-security-misc -## Framebuffer Drivers: -## -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -## -blacklist aty128fb -blacklist atyfb -blacklist cirrusfb -blacklist cyber2000fb -blacklist cyblafb -blacklist gx1fb -blacklist hgafb -blacklist i810fb -blacklist intelfb -blacklist kyrofb -blacklist lxfb -blacklist matroxfb_bases -blacklist neofb -blacklist nvidiafb -blacklist pm2fb -blacklist radeonfb -blacklist rivafb -blacklist s1d13xxxfb -blacklist savagefb -blacklist sisfb -blacklist sstfb -blacklist tdfxfb -blacklist tridentfb -blacklist vesafb -blacklist vfb -blacklist viafb -blacklist vt8623fb -blacklist udlfb - ## Miscellaneous: ## +## GrapheneOS: +## Partial selection of their infrastructure blacklist. +## Duplicate and already disabled modules have been omitted. +## +## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf +## +#blacklist cfg80211 +#blacklist intel_agp +#blacklist ip_tables +blacklist joydev +#blacklist mousedev +#blacklist psmouse +blacklist snd_intel8x0 +#blacklist tls +#blacklist virtio_balloon +#blacklist virtio_console +## +## Ubuntu: +## Already disabled modules have been omitted. +## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco ## -blacklist ath_pci blacklist amd76x_edac -blacklist asus_acpi -blacklist bcm43xx +blacklist ath_pci blacklist evbug -blacklist de4x5 blacklist pcspkr -blacklist prism54 blacklist snd_aw2 blacklist snd_intel8x0m blacklist snd_pcsp diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index d2408af..3a72b0e 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -70,6 +70,43 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc +## Framebuffer (fbdev): +## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. +## These were all previously blacklisted. +## +## https://docs.kernel.org/fb/index.html +## https://en.wikipedia.org/wiki/Linux_framebuffer +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +## +install aty128fb /usr/bin/disabled-framebuffer-by-security-misc +install atyfb /usr/bin/disabled-framebuffer-by-security-misc +install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc +install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc +install cyblafb /usr/bin/disabled-framebuffer-by-security-misc +install gx1fb /usr/bin/disabled-framebuffer-by-security-misc +install hgafb /usr/bin/disabled-framebuffer-by-security-misc +install i810fb /usr/bin/disabled-framebuffer-by-security-misc +install intelfb /usr/bin/disabled-framebuffer-by-security-misc +install kyrofb /usr/bin/disabled-framebuffer-by-security-misc +install lxfb /usr/bin/disabled-framebuffer-by-security-misc +install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc +install neofb /usr/bin/disabled-framebuffer-by-security-misc +install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc +install pm2fb /usr/bin/disabled-framebuffer-by-security-misc +install radeonfb /usr/bin/disabled-framebuffer-by-security-misc +install rivafb /usr/bin/disabled-framebuffer-by-security-misc +install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc +install savagefb /usr/bin/disabled-framebuffer-by-security-misc +install sisfb /usr/bin/disabled-framebuffer-by-security-misc +install sstfb /usr/bin/disabled-framebuffer-by-security-misc +install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc +install tridentfb /usr/bin/disabled-framebuffer-by-security-misc +install vesafb /usr/bin/disabled-framebuffer-by-security-misc +install vfb /usr/bin/disabled-framebuffer-by-security-misc +install viafb /usr/bin/disabled-framebuffer-by-security-misc +install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc +install udlfb /usr/bin/disabled-framebuffer-by-security-misc + ## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). ## @@ -84,7 +121,8 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. ## ME functionality has increasing become more intertwined with basic Intel system operation. -## Disabling may lead to breakages in places such as security, power management, display, and DRM. +## Disabling may lead to breakages in numerous places without clear debugging/error messages. +## May cause issues with firmware updates, security, power management, display, and DRM. ## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities @@ -105,7 +143,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc #install mei_wdt /usr/bin/disabled-intelme-by-security-misc #install microread_mei /usr/bin/disabled-intelme-by-security-misc -## Intel Platform Monitoring Technology Telemetry (PMT): +## Intel Platform Monitoring Technology (PMT) Telemetry: ## Disable some functionality of the Intel PMT components. ## ## https://github.com/intel/Intel-PMT @@ -221,6 +259,17 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc ## install floppy /usr/bin/disabled-miscellaneous-by-security-misc ## +## Replaced: +## These legacy drivers have all been entirely replaced and superseded by newer drivers. +## These were all previously blacklisted. +## +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## +install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc +install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc +install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc +install prism54 /usr/bin/disabled-miscellaneous-by-security-misc +## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 3669fc1..d576b26 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 4a7b141..af27e08 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index 6c7dd5a..faffe58 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ALERT: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index 2abc6bc..4886755 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc new file mode 100755 index 0000000..681bc40 --- /dev/null +++ b/usr/bin/disabled-framebuffer-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index d43626e..51997c1 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index 0913fcf..dc2bb72 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc index 44f04bc..76daa06 100755 --- a/usr/bin/disabled-intelpmt-by-security-misc +++ b/usr/bin/disabled-intelpmt-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc index 2c23909..6eff13c 100755 --- a/usr/bin/disabled-miscellaneous-by-security-misc +++ b/usr/bin/disabled-miscellaneous-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ALERT: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc index bbb57a8..8775acb 100755 --- a/usr/bin/disabled-netfilesys-by-security-misc +++ b/usr/bin/disabled-netfilesys-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ALERT: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc index 8035522..a6a87db 100755 --- a/usr/bin/disabled-network-by-security-misc +++ b/usr/bin/disabled-network-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index dbe89ec..5bac656 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ALERT: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1