From 0fcbc78f2811e3d51f8b7145353bfb5537bf8522 Mon Sep 17 00:00:00 2001
From: Donald Buczek
Date: Thu, 14 May 2026 18:47:09 +0200
Subject: [PATCH] restrict-module-load: Add
---
 install.sh | 4 ++++
 restrict-module-load/modprobe-restricted | 22 +++++++++++++++++++
 .../restrict-module-load.service | 6 +++++
 .../restrict-module-load.timer | 7 ++++++
 .../restricted-module-load.whitelist | 2 ++
 5 files changed, 41 insertions(+)
 create mode 100755 restrict-module-load/modprobe-restricted
 create mode 100644 restrict-module-load/restrict-module-load.service
 create mode 100644 restrict-module-load/restrict-module-load.timer
 create mode 100644 restrict-module-load/restricted-module-load.whitelist
diff --git a/install.sh b/install.sh
index 186b6f1..65b9a71 100755
--- a/install.sh
+++ b/install.sh
@@ -265,6 +265,10 @@ install_exec mxqi/mxqi "$DESTDIR$usr_bindir/m
 install_exec mozilla-launcher/mozilla-launcher "$DESTDIR$usr_libdir/mariux64/mozilla_launcher"
 install_exec mozilla-launcher/fix-thunderbird-amd "$DESTDIR$usr_bindir/fix-thunderbird-amd"
 install_exec syncthing/startstop-syncthing.sh "$DESTDIR$usr_sbindir/startstop-syncthing.sh"
+install_data restrict-module-load/restrict-module-load.timer "$DESTDIR$systemdunitdir/restrict-module-load.timer"
+install_data restrict-module-load/restrict-module-load.service "$DESTDIR$systemdunitdir/restrict-module-load.service"
+install_exec restrict-module-load/modprobe-restricted "$DESTDIR$usr_sbindir/modprobe-restricted"
+install_data restrict-module-load/restricted-module-load.whitelist "$DESTDIR$sysconfdir/restricted-module-load.whitelist"
 
 postinstall
 exit
diff --git a/restrict-module-load/modprobe-restricted b/restrict-module-load/modprobe-restricted
new file mode 100755
index 0000000..2f37265
--- /dev/null
+++ b/restrict-module-load/modprobe-restricted
@@ -0,0 +1,22 @@
+#! /bin/bash
+
+# kernel sometimes calls with "-q -- module"
+for arg in "$@" ; do
+ case "$arg" in
+ -*)
+ ;;
+ *)
+ alias="$arg"
+ ;;
+ esac
+done
+
+alias="${alias:?parameter missing}"
+module="$(modinfo -F name "$alias" 2>/dev/null || echo "$alias")"
+description="$(modinfo -F description "$module")"
+
+if grep -q "^$module\>" /etc/restricted-module-load.whitelist; then
+ exec /usr/sbin/modprobe "$@"
+else
+ /usr/bin/logger -t modprobe-restricted "denied loading of module $module (\"$description\") via alias $alias"
+fi
diff --git a/restrict-module-load/restrict-module-load.service b/restrict-module-load/restrict-module-load.service
new file mode 100644
index 0000000..c3c6f3f
--- /dev/null
+++ b/restrict-module-load/restrict-module-load.service
@@ -0,0 +1,6 @@
+[Service]
+
+Type=oneshot
+RemainAfterExit=true
+ExecStart=bash -c "echo /usr/sbin/modprobe-restricted > /proc/sys/kernel/modprobe"
+ExecStop=bash -c "echo /usr/sbin/modprobe > /proc/sys/kernel/modprobe"
diff --git a/restrict-module-load/restrict-module-load.timer b/restrict-module-load/restrict-module-load.timer
new file mode 100644
index 0000000..7ec5796
--- /dev/null
+++ b/restrict-module-load/restrict-module-load.timer
@@ -0,0 +1,7 @@
+[Install]
+
+WantedBy=multi-user.target
+
+[Timer]
+
+OnActiveSec=3min
diff --git a/restrict-module-load/restricted-module-load.whitelist b/restrict-module-load/restricted-module-load.whitelist
new file mode 100644
index 0000000..5e15316
--- /dev/null
+++ b/restrict-module-load/restricted-module-load.whitelist
@@ -0,0 +1,2 @@
+
+af_packet ("Packet socket support (AF_PACKET)") for tcpdump
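Review bot: `$module` is spliced unquoted into a basic regular expression in the `grep -q "^$module\>"` test, and when `modinfo -F name` cannot resolve the request the script falls back to the raw alias string the kernel passed in, so any regex metacharacter in that alias (`.`, `*`, `[`) widens the match; aliases originate from `request_module()` callers, some of which unprivileged users can trigger, so the policy check should compare the first whitelist token as a fixed string: `if awk -v m="$module" '$1 == m { ok = 1 } END { exit !ok }' /etc/restricted-module-load.whitelist; then`. Whether the kernel lets an unprivileged caller get such characters into an alias I cannot confirm from here, but making the check exact costs nothing. The deny branch also ends with `logger`'s exit status, so the helper reports success to the kernel even when it refused to load anything; add `exit 1` after the `/usr/bin/logger` line so `request_module()` callers that inspect the result see the failure. `modinfo` is the only tool invoked without an absolute path while `modprobe` and `logger` are absolute; `/usr/sbin/modinfo` keeps the helper independent of whatever PATH the kernel's usermode-helper environment supplies.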
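Review bot: Nothing in the unit records what the restriction actually covers: rewriting `/proc/sys/kernel/modprobe` only diverts kernel-initiated autoloads through `request_module()`, so root running `modprobe`/`insmod` directly, and any module already autoloaded before `ExecStart` runs, are untouched, which someone tuning the whitelist needs to know before relying on it. Add a `[Unit]` section with `Description=Route kernel module autoloading through modprobe-restricted` and a comment such as `# Covers request_module() autoloads only; direct modprobe/insmod by root is not restricted.` The `ExecStop` line hard-codes `/usr/sbin/modprobe` as the value to restore rather than saving what was there; if the kernel's built-in default on this distribution differs (historically `/sbin/modprobe`), a comment `# restores the distribution default, not the previous value` would make that trade-off explicit.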
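Review bot: `OnActiveSec=3min` is the only policy knob in this unit and nothing says why the restriction is deferred three minutes after reaching `multi-user.target`; presumably the delay lets boot-time autoloads (filesystems, network drivers) finish before the helper starts denying, but that is also an unguarded window, and a reader cannot tell whether shortening it is safe. Add a `[Unit]` `Description=` and a comment above the `[Timer]` section, e.g. `# Delay so that modules needed during boot are autoloaded before the restriction takes effect (TODO: confirm 3min suffices on slow hosts)`.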
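Review bot: The file's format is only implied by the script that reads it — the first whitespace-delimited token of a line is the module name and the rest is free text — and the leading blank line looks like a header was intended; someone adding an entry cannot tell that only `af_packet` is matched and the parenthesized description is ignored. Put a comment on the first line, e.g. `# one module per line: <module name as reported by modinfo -F name> [free-form reason]`, which a leading `#` keeps from ever matching a module-name lookup.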