security-misc/etc/modprobe.d/30_security-misc_blacklist.conf

## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## See the following links for a community discussion and overview regarding the selections.
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules

## Blacklisting prevents kernel modules from automatically starting.
## Disabling prohibits kernel modules from starting.

## CD-ROM/DVD:
## Blacklist CD-ROM and DVD modules.
## Do not disable by default for potential future ISO plans.
##
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
##
blacklist cdrom
blacklist sr_mod
##
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc

## Miscellaneous:
##
## GrapheneOS:
## Partial selection of their infrastructure blacklist.
## Duplicate and already disabled modules have been omitted.
##
## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf
##
#blacklist cfg80211
#blacklist intel_agp
#blacklist ip_tables
blacklist joydev
#blacklist mousedev
#blacklist psmouse
blacklist snd_intel8x0
#blacklist tls
#blacklist virtio_balloon
#blacklist virtio_console
##
## Ubuntu:
## Already disabled modules have been omitted.
##
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
##
blacklist amd76x_edac
blacklist ath_pci
blacklist evbug
blacklist pcspkr
blacklist snd_aw2
blacklist snd_intel8x0m
blacklist snd_pcsp
blacklist usbkbd
blacklist usbmouse