From 31e3aa0c3add48ad26e43e4b83358571843f28de Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 21 Nov 2025 12:32:30 +0000 Subject: [PATCH 01/13] Update docs on Bluetooth disabling --- .../30_security-misc_disable.conf#security-misc-shared | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared index 9c5c380..856d54c 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared @@ -17,11 +17,10 @@ ## 1. Hardware: ## Bluetooth: -## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities. +## Can disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities. +## Replaced with a privacy and security preserving default Bluetooth configuration for better usability. ## ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -## -## Now replaced with a privacy- and security-preserving default Bluetooth configuration for better usability. ## https://github.com/Kicksecure/security-misc/pull/145 ## #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc From 5adc007536578c1e70a8cc6784fbced2033b7a5c Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 21 Nov 2025 12:33:15 +0000 Subject: [PATCH 02/13] Update docs on Intel PMT disabling --- .../30_security-misc_disable.conf#security-misc-shared | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared index 856d54c..5417431 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared 
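Review bot: The added second comment line loses the suspended hyphens the removed sentence had, so "privacy and security preserving default" now reads as three separate adjectives; keep `## Replaced with a privacy- and security-preserving default Bluetooth configuration for better usability.`. The pull/145 link below is the reference for that sentence, so it may also be worth placing the line directly above the link rather than above the Wikipedia one.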
@@ -95,6 +95,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 ## Intel Platform Monitoring Technology (PMT) Telemetry:
 ## Disable certain functionalities of the Intel PMT components.
 ##
+## https://www.intel.com/content/www/us/en/content-details/710389/intel-platform-monitoring-technology-intel-pmt-technical-specification.html
 ## https://github.com/intel/Intel-PMT
 ##
 install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
From 4597fd16a9b94ebd6b4fae152a64288b665d9c36 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 21 Nov 2025 12:35:03 +0000 Subject: [PATCH 03/13] Sort RDNIS disabling and add docs
---
 README.md | 2 ++ ...ity-misc_disable.conf#security-misc-shared | 23 +++++++++---------- 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 8c232ae..856f292 100644
--- a/README.md
+++ b/README.md
@@ -383,6 +383,8 @@ Miscellaneous modules: - Replaced Modules: Disabled legacy drivers that have been entirely replaced and superseded by newer drivers. +- RDNIS - Disabled as believed to have unfixable buffer overflow issues. + - Optional - USB Video Device Class: Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
index 5417431..54ae6f8 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
+++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
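Review bot: The README bullet added in the second hunk misspells the module family as `RDNIS`, while the conf section it documents (next hunk) and the module names `rndis_host`/`usb_f_rndis` spell it RNDIS; the patch subject carries the same typo. The bullet also departs from the `Name: description` form used by its neighbours, so suggest `- RNDIS: Disabled as believed to have unfixable buffer overflow issues.`. The README section continues outside the hunk.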
@@ -291,6 +291,17 @@ install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc install prism54 /usr/bin/disabled-miscellaneous-by-security-misc +## RNDIS: +## Disabled as believed to have unfixable buffer overflow issues impossible to make secure. +## Used by some network devices common with Android USB tethering. +## +## https://en.wikipedia.org/wiki/RNDIS +## https://lkml.org/lkml/2022/11/23/728 +## https://lore.kernel.org/lkml/2023071333-wildly-playroom-878b@gregkh/ +## +install rndis_host /usr/bin/disabled-miscellaneous-by-security-misc +install usb_f_rndis /usr/bin/disabled-miscellaneous-by-security-misc + ## USB Video Device Class: ## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. ## @@ -308,15 +319,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc ## https://github.com/Kicksecure/security-misc/issues/298 ## #install vivid /usr/bin/disabled-miscellaneous-by-security-misc - -## RNDIS: -## Disable the RNDIS drivers used by some network devices (common with Android -## USB tethering). RNDIS as a protocol is believed to have supposedly -## unfixable buffer overflow issues and may be impossible to implement in a -## secure fashion. -## -## https://lkml.org/lkml/2022/11/23/728 -## https://lore.kernel.org/lkml/2023071333-wildly-playroom-878b@gregkh/ -## -install rndis_host /usr/bin/disabled-miscellaneous-by-security-misc -install usb_f_rndis /usr/bin/disabled-miscellaneous-by-security-misc From 59869979bbc2fb16da6b3435276e4930b4088f59 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 21 Nov 2025 12:35:51 +0000 Subject: [PATCH 04/13] Update docs on Vivid disabling --- README.md | 2 +- .../30_security-misc_disable.conf#security-misc-shared | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 856f292..909eaf9 100644 --- a/README.md +++ b/README.md 
@@ -388,7 +388,7 @@ Miscellaneous modules: - Optional - USB Video Device Class: Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. -- Vivid: Disabled to reduce attack surface given previous vulnerabilities. +- Optional - Vivid: Disabled to reduce attack surface given previous vulnerabilities. ### Other diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared index 54ae6f8..c2eba36 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared @@ -308,13 +308,12 @@ install usb_f_rndis /usr/bin/disabled-miscellaneous-by-security-misc #install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc ## Vivid: -## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. +## Can disable the vivid kernel module since it has been the cause of multiple vulnerabilities. +## Required only for running tests associated with the Qubes Video Companion. ## ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -## -## No longer disabled by default: ## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 ## https://github.com/Kicksecure/security-misc/issues/298 ## From e6aa648d54f076c5c75d45bcd7658d502b701982 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 21 Nov 2025 12:36:32 +0000 Subject: [PATCH 05/13] Update docs on CPU MSR disabling --- .../30_security-misc_disable.conf#security-misc-shared | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared index c2eba36..2f30779 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared @@ -232,8 +232,10 @@ install sctp_diag /usr/bin/disabled-network-by-security-misc install hamradio /usr/bin/disabled-miscellaneous-by-security-misc ## CPU Model-Specific Registers (MSRs): -## Disable CPU MSRs as they can be abused to write to arbitrary memory. +## Can disable CPU MSRs as they can be abused to write to arbitrary memory. ## +## https://en.wikipedia.org/wiki/Model-specific_register +## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode ## https://github.com/Kicksecure/security-misc/issues/215 ## From 66ba273d448ff92c249abe9dd0f83a64cc1ee823 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 21 Nov 2025 12:36:57 +0000 Subject: [PATCH 06/13] Add CPU MSR modules --- .../30_security-misc_disable.conf#security-misc-shared | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared index 2f30779..0dfacc8 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared 
@@ -239,6 +239,8 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode ## https://github.com/Kicksecure/security-misc/issues/215 ## +#install intel_rapl_msr /usr/bin/disabled-miscellaneous-by-security-misc +#install isst_if_mbox_msr /usr/bin/disabled-miscellaneous-by-security-misc #install msr /usr/bin/disabled-miscellaneous-by-security-misc ## Floppy Disks: From 3646a2fefeaa774aea068d7c6e761c5b76479f55 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 21 Nov 2025 12:37:57 +0000 Subject: [PATCH 07/13] Move superseded brcm80211 to disabled Split and replaced by brcmsmac and brcmfmac in kernel 2.6.39 --- .../30_security-misc_disable.conf#security-misc-shared | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared index 0dfacc8..887d143 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared @@ -163,7 +163,6 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc install ax25 /usr/bin/disabled-network-by-security-misc -#install brcm80211 /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc 
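Review bot: The two added `#install` lines for `intel_rapl_msr` and `isst_if_mbox_msr` sit under a heading whose rationale describes only the raw `msr` device, so a reader cannot tell from the file what uncommenting them would disable. A one-line comment such as `## intel_rapl_msr and isst_if_mbox_msr expose MSR-backed RAPL power-capping and Intel Speed Select interfaces.` would make the grouping self-explanatory; the commit message gives no rationale either.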
@@ -286,12 +285,13 @@ install udlfb /usr/bin/disabled-framebuffer-by-security-misc ## Replaced Modules: ## These legacy drivers have all been entirely replaced and superseded by newer drivers. -## These were all previously blacklisted. +## Many of these were previously blacklisted. ## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco ## install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc +install brcm80211 /usr/bin/disabled-miscellaneous-by-security-misc install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc install prism54 /usr/bin/disabled-miscellaneous-by-security-misc From 446d3771bf8c42aba61d248bccfe9fad4eacc88d Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 21 Nov 2025 12:38:44 +0000 Subject: [PATCH 08/13] Update docs on CD-ROM/DVD blacklisting --- .../30_security-misc_blacklist.conf#security-misc-shared | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared index 936e26a..bed77f2 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared @@ -11,13 +11,13 @@ ## CD-ROM/DVD: ## Blacklist CD-ROM and DVD modules. ## Not disabled by default due to potential future ISO plans. +## Can uncomment the bottom pair to disable both modules. ## ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 ## blacklist cdrom blacklist sr_mod -## #install cdrom /usr/bin/disabled-cdrom-by-security-misc #install sr_mod /usr/bin/disabled-cdrom-by-security-misc From 28476d3d53a0e4796b4396a925c44ccf32f4fe90 Mon Sep 17 00:00:00 2001 
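Review bot: `brcm80211` changes from a commented-out entry in the network section (first hunk) to an active `install` line under "Replaced Modules", but the conf itself never records why it belongs there; the rationale (split into brcmsmac and brcmfmac in kernel 2.6.39) exists only in the commit message. Suggest adding `## brcm80211 was split into brcmsmac and brcmfmac in kernel 2.6.39.` beside the new line so the file stays self-explanatory. Activating the directive is also a behaviour change relative to the previous commented entry, which the commit message does not call out.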
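Review bot: The added `## Can uncomment the bottom pair to disable both modules.` does not explain how that differs from the `blacklist cdrom`/`blacklist sr_mod` lines already active in the same block: `blacklist` only suppresses alias-based automatic loading, whereas the `install` directives pointing at the disabled-cdrom script also block explicit loading. Suggest `## blacklist only prevents automatic loading; uncomment the bottom pair to also block explicit loading of both modules.` so the two mechanisms are not read as equivalent.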
From: raja-grewal Date: Fri, 21 Nov 2025 12:40:12 +0000 Subject: [PATCH 09/13] Update docs on GrapheneOS blacklisted modules
---
 ..._security-misc_blacklist.conf#security-misc-shared | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared
index bed77f2..c70b53e 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared
@@ -26,8 +26,11 @@ blacklist sr_mod
 ## GrapheneOS:
 ## Partial selection of their infrastructure blacklist.
 ## Duplicate and already disabled modules have been omitted.
+## Currently snd_intel8x0 is required by some users for VirtualBox audio device ICH AC97.
 ##
-## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf
+## https://github.com/GrapheneOS/infrastructure/tree/main/etc/modprobe.d
+## https://www.kicksecure.com/wiki/Dev/audio
+## https://github.com/Kicksecure/security-misc/issues/271
 ##
 #blacklist cfg80211
 #blacklist intel_agp
@@ -35,12 +38,6 @@ blacklist sr_mod
 blacklist joydev
 #blacklist mousedev
 #blacklist psmouse
-## TODO: Re-check in Debian trixie
-## In GrapheneOS list, yes, "should" be out-commented here.
-## But not actually out-commented.
-## Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users.
-## https://www.kicksecure.com/wiki/Dev/audio
-## https://github.com/Kicksecure/security-misc/issues/271
 #blacklist snd_intel8x0
 #blacklist tls
 #blacklist virtio_balloon
From 1865cafe446c6a525bc63caa7ce1097ce573b877 Mon Sep 17 00:00:00 2001
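Review bot: Replacing the removed TODO block (second hunk) with `## Currently snd_intel8x0 is required by some users for VirtualBox audio device ICH AC97.` drops the action item, so nothing in the file now reminds a maintainer to revisit the commented `#blacklist snd_intel8x0` line. Suggest keeping a one-line reminder in the header, e.g. `## TODO: Re-check in Debian trixie whether snd_intel8x0 can be blacklisted.`. The new wording also no longer states that the upstream GrapheneOS list does blacklist it, which is the reason the divergence is worth documenting at all.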
From: raja-grewal Date: Fri, 21 Nov 2025 12:42:10 +0000 Subject: [PATCH 10/13] Move joydev from blacklist to disable --- README.md | 2 ++ .../30_security-misc_blacklist.conf#security-misc-shared | 1 - .../30_security-misc_disable.conf#security-misc-shared | 6 ++++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 909eaf9..5ee8c50 100644 --- a/README.md +++ b/README.md @@ -380,6 +380,8 @@ Miscellaneous modules: - Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause kernel panics, and are generally only used by legacy devices. +- Joysticks: Disabled to reduce attack surface. + - Replaced Modules: Disabled legacy drivers that have been entirely replaced and superseded by newer drivers. diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared index c70b53e..f3bd87b 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared @@ -35,7 +35,6 @@ blacklist sr_mod #blacklist cfg80211 #blacklist intel_agp #blacklist ip_tables -blacklist joydev #blacklist mousedev #blacklist psmouse #blacklist snd_intel8x0 diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared index 887d143..7ae37ab 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared 
@@ -283,6 +283,12 @@ install viafb /usr/bin/disabled-framebuffer-by-security-misc install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc install udlfb /usr/bin/disabled-framebuffer-by-security-misc +## Joysticks: +## +## https://docs.kernel.org/input/joydev/joystick.html +## +install joydev /usr/bin/disabled-miscellaneous-by-security-misc + ## Replaced Modules: ## These legacy drivers have all been entirely replaced and superseded by newer drivers. ## Many of these were previously blacklisted. From 1a7b0a9122cc6b6e755a540dd62fd018a1a7536d Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 21 Nov 2025 12:43:05 +0000 Subject: [PATCH 11/13] Disable more file systems --- ...ity-misc_disable.conf#security-misc-shared | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared index 7ae37ab..2fc6ce5 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared 
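Review bot: The new `## Joysticks:` block is the only section in this hunk with no rationale line under its heading; the README entry added in the same commit says "Disabled to reduce attack surface", so mirror it here with `## Disable the joystick interface to reduce attack surface.` above the link. Worth a sentence somewhere as well: moving from `blacklist joydev` to an `install` directive changes the effect from suppressing automatic loading to blocking explicit loading too, which is stronger than what the previous blacklist entry did.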
@@ -117,18 +117,39 @@ install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc ## Disable uncommon file systems to reduce attack surface. ## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. ## +## https://docs.kernel.org/filesystems/index.html +## https://github.com/secureblue/secureblue/tree/live/files/system/usr/lib/modprobe.d +## +install adfs /usr/bin/disabled-filesys-by-security-misc +install affs /usr/bin/disabled-filesys-by-security-misc +install afs /usr/bin/disabled-filesys-by-security-misc +install befs /usr/bin/disabled-filesys-by-security-misc +install ceph /usr/bin/disabled-filesys-by-security-misc +install coda /usr/bin/disabled-filesys-by-security-misc install cramfs /usr/bin/disabled-filesys-by-security-misc +install ecryptfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc install hfs /usr/bin/disabled-filesys-by-security-misc install hfsplus /usr/bin/disabled-filesys-by-security-misc install jffs2 /usr/bin/disabled-filesys-by-security-misc install jfs /usr/bin/disabled-filesys-by-security-misc +install kafs /usr/bin/disabled-filesys-by-security-misc +install minix /usr/bin/disabled-filesys-by-security-misc +install nilfs2 /usr/bin/disabled-filesys-by-security-misc +install ocfs2 /usr/bin/disabled-filesys-by-security-misc +install orangefs /usr/bin/disabled-filesys-by-security-misc install reiserfs /usr/bin/disabled-filesys-by-security-misc +install romfs /usr/bin/disabled-filesys-by-security-misc +install sysv /usr/bin/disabled-filesys-by-security-misc +install ubifs /usr/bin/disabled-filesys-by-security-misc install udf /usr/bin/disabled-filesys-by-security-misc +install ufs /usr/bin/disabled-filesys-by-security-misc +install zonefs /usr/bin/disabled-filesys-by-security-misc ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. 
## +install 9p /usr/bin/disabled-netfilesys-by-security-misc install gfs2 /usr/bin/disabled-netfilesys-by-security-misc install ksmbd /usr/bin/disabled-netfilesys-by-security-misc ## From 79be87ec5f2cb22a98ada179b3aa97dfd58299e0 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 21 Nov 2025 13:05:13 +0000 Subject: [PATCH 12/13] Move (optional) CPU MSR module disable list --- README.md | 4 ++-- ...ity-misc_disable.conf#security-misc-shared | 24 +++++++++---------- ...umsr-by-security-misc#security-misc-shared | 10 ++++++++ 3 files changed, 24 insertions(+), 14 deletions(-) create mode 100755 usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared diff --git a/README.md b/README.md index 5ee8c50..1499540 100644 --- a/README.md +++ b/README.md @@ -344,6 +344,8 @@ Hardware modules: - Optional - Bluetooth: Disabled to reduce attack surface. +- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. + - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. - GPS: Disable GPS-related modules such as those required for Global Navigation @@ -373,8 +375,6 @@ Miscellaneous modules: - Amateur Radios: Disabled to reduce attack surface. -- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. - - Floppy Disks: Disabled to reduce attack surface. - Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared index 2fc6ce5..ce3adae 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared +++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared 
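Review bot: `9p` and `ecryptfs` are added under headings that describe the set as "uncommon", yet `9p` is the guest-side filesystem for virtio-9p shared folders on QEMU/KVM hosts and `ecryptfs` backs eCryptfs-encrypted home directories, so either can break an existing mount after an upgrade. Suggest documenting this in the header, e.g. `## 9p (virtio-9p shared folders) and ecryptfs (encrypted home directories) may be required by some setups.`, or shipping those two commented out as optional entries like the Bluetooth and MSR blocks. If the README enumerates the disabled file systems, it is not updated in this commit.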
@@ -41,6 +41,18 @@ #install btusb /usr/bin/disabled-bluetooth-by-security-misc #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc +## CPU Model-Specific Registers (MSRs): +## Can disable CPU MSRs as they can be abused to write to arbitrary memory. +## +## https://en.wikipedia.org/wiki/Model-specific_register +## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode +## https://github.com/Kicksecure/security-misc/issues/215 +## +#install intel_rapl_msr /usr/bin/disabled-cpumsr-by-security-misc +#install isst_if_mbox_msr /usr/bin/disabled-cpumsr-by-security-misc +#install msr /usr/bin/disabled-cpumsr-by-security-misc + ## FireWire (IEEE 1394): ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks. ## @@ -251,18 +263,6 @@ install sctp_diag /usr/bin/disabled-network-by-security-misc ## install hamradio /usr/bin/disabled-miscellaneous-by-security-misc -## CPU Model-Specific Registers (MSRs): -## Can disable CPU MSRs as they can be abused to write to arbitrary memory. -## -## https://en.wikipedia.org/wiki/Model-specific_register -## https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/reading-writing-msrs-in-linux.html -## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -## https://github.com/Kicksecure/security-misc/issues/215 -## -#install intel_rapl_msr /usr/bin/disabled-miscellaneous-by-security-misc -#install isst_if_mbox_msr /usr/bin/disabled-miscellaneous-by-security-misc -#install msr /usr/bin/disabled-miscellaneous-by-security-misc - ## Floppy Disks: ## install floppy /usr/bin/disabled-miscellaneous-by-security-misc 
diff --git a/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared b/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared
new file mode 100755
index 0000000..a6b0223
--- /dev/null
+++ b/usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This CPU MSR kernel module is disabled by package security-misc-shared by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1
From f75e9873375d187fbbe4b5bfd135d0cd26a93fe6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 21 Nov 2025 13:06:42 +0000 Subject: [PATCH 13/13] Relabel some disabled module headings
---
 ...ity-misc_disable.conf#security-misc-shared | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
index ce3adae..fb06543 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
+++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
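Review bot: The ALERT text (and the header comment above it) says the module "is disabled by package security-misc-shared by default", but every `install … disabled-cpumsr-by-security-misc` line in the conf hunk of this commit is commented out, so this script only runs after an administrator has opted in; the message should say so, e.g. `... is disabled by the optional CPU MSR entries in /etc/modprobe.d/30_security-misc_disable.conf ...`. Separately, `$@` inside a larger double-quoted string expands to several words when more than one argument is passed; `$*` is the idiomatic form for joining arguments into a message, i.e. `| args: $*" >&2`.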
@@ -164,14 +164,14 @@ install zonefs /usr/bin/disabled-filesys-by-security-misc
 install 9p /usr/bin/disabled-netfilesys-by-security-misc
 install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
 install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
-##
-## Common Internet File System (CIFS):
+
+## Network File System - Common Internet File System (CIFS):
 ##
 install cifs /usr/bin/disabled-netfilesys-by-security-misc
 install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc
 install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc
-##
-## Network File System (NFS):
+
+## Network File System - Network File System (NFS):
 ##
 install nfs /usr/bin/disabled-netfilesys-by-security-misc
 install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc
@@ -209,15 +209,15 @@ install p8023 /usr/bin/disabled-network-by-security-misc
 install psnap /usr/bin/disabled-network-by-security-misc
 install rose /usr/bin/disabled-network-by-security-misc
 install x25 /usr/bin/disabled-network-by-security-misc
-##
-## Asynchronous Transfer Mode (ATM):
+
+## Network Protocol - Asynchronous Transfer Mode (ATM):
 ##
 install atm /usr/bin/disabled-network-by-security-misc
 install ueagle-atm /usr/bin/disabled-network-by-security-misc
 install usbatm /usr/bin/disabled-network-by-security-misc
 install xusbatm /usr/bin/disabled-network-by-security-misc
-##
-## Controller Area Network (CAN) Protocol:
+
+## Network Protocol - Controller Area Network (CAN):
 ##
 install c_can /usr/bin/disabled-network-by-security-misc
 install c_can_pci /usr/bin/disabled-network-by-security-misc
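Review bot: `## Network File System - Network File System (NFS):` repeats the category name inside the label, unlike the other relabelled headings in this and the following hunks, which read `Category - Specific name (ACRONYM)`; `## Network File System - NFS:` avoids the duplication. Replacing the `##` separator lines with blank lines also removes the only cue that these were sub-sections of the heading above, so the new prefix now carries that meaning alone and should be applied to every sub-heading in the file, not only the ones touched here.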
@@ -240,19 +240,19 @@ install slcan /usr/bin/disabled-network-by-security-misc
 install ucan /usr/bin/disabled-network-by-security-misc
 install vxcan /usr/bin/disabled-network-by-security-misc
 install vcan /usr/bin/disabled-network-by-security-misc
-##
-## Transparent Inter Process Communication (TIPC):
+
+## Network Protocol - Transparent Inter Process Communication (TIPC):
 ##
 install tipc /usr/bin/disabled-network-by-security-misc
 install tipc_diag /usr/bin/disabled-network-by-security-misc
-##
-## Reliable Datagram Sockets (RDS):
+
+## Network Protocol - Reliable Datagram Sockets (RDS):
 ##
 install rds /usr/bin/disabled-network-by-security-misc
 install rds_rdma /usr/bin/disabled-network-by-security-misc
 install rds_tcp /usr/bin/disabled-network-by-security-misc
-##
-## Stream Control Transmission Protocol (SCTP):
+
+## Network Protocol - Stream Control Transmission Protocol (SCTP):
 ##
 install sctp /usr/bin/disabled-network-by-security-misc
 install sctp_diag /usr/bin/disabled-network-by-security-misc