
Conversation

@donald
Collaborator

@donald donald commented May 14, 2026

This prevents the loading of additional kernel modules 3 minutes after multi-user. Modules can be whitelisted in /etc/restricted-module-load.whitelist. If denied, a log message is written to syslog.

This restriction only applies to modules requested by the kernel, which can be triggered by unprivileged users. Loading modules manually via insmod or modprobe, which is only available to a privileged user anyway, is not prevented.
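The following is an added example and not the PR's own implementation: a whitelist check for kernel-requested module loads in the spirit of the mechanism described above, producing the same kind of syslog line. Everything about the file format is assumed, since the PR does not state it: one entry per line, the first word is the module name, the rest is a free-form remark (as in "af_packet for tcpdump"), and lines starting with `#` are comments. The resolved module name and its description are passed in as arguments; in a real hook they would come from `modprobe --resolve-alias` and `modinfo -F description`, which this offline example does not run.

```shell
#!/bin/sh
# Added example (not the PR's code): whitelist check for kernel-requested
# module loads. File format is an assumption: "module remark..." per line,
# '#' starts a comment.

WHITELIST_FILE="${WHITELIST_FILE:-/etc/restricted-module-load.whitelist}"

# kmod treats '-' and '_' in module names as equivalent, so compare
# normalised names (net-pf-17 resolves to af_packet, not "af-packet").
normalize_module_name() {
    printf '%s' "$1" | tr '-' '_'
}

# is_whitelisted MODULE FILE: exit 0 if MODULE is listed in FILE, 1 otherwise.
is_whitelisted() {
    want=$(normalize_module_name "$1")
    file=$2
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # split into words; $1 is now the module name
        [ $# -gt 0 ] || continue  # blank or comment-only line
        [ "$(normalize_module_name "$1")" = "$want" ] && return 0
    done < "$file"
    return 1
}

# deny_message MODULE DESCRIPTION ALIAS: the syslog line in the format
# seen in the test run of this PR.
deny_message() {
    printf 'denied loading of module %s ("%s") via alias %s' "$1" "$2" "$3"
}

# check_module_load ALIAS MODULE DESCRIPTION [FILE]: exit 0 to allow the
# load, 1 to deny it; a denial is logged under the tag modprobe-restricted
# (to syslog via logger when RESTRICTED_LOG_SYSLOG=1, else to stderr).
check_module_load() {
    req=$1; module=$2; desc=$3; file=${4:-$WHITELIST_FILE}
    if is_whitelisted "$module" "$file"; then
        return 0
    fi
    msg=$(deny_message "$module" "$desc" "$req")
    if [ "${RESTRICTED_LOG_SYSLOG:-0}" = 1 ] && command -v logger >/dev/null 2>&1; then
        logger -t modprobe-restricted -- "$msg"
    else
        printf 'modprobe-restricted: %s\n' "$msg" >&2
    fi
    return 1
}

# Constructed demo: af_packet requested via alias net-pf-17 is first denied
# (empty whitelist) and then allowed once it is listed.
demo() {
    tmp=$(mktemp)
    : > "$tmp"
    check_module_load net-pf-17 af_packet "Packet socket support (AF_PACKET)" "$tmp" || echo "denied"
    echo 'af_packet for tcpdump' > "$tmp"
    check_module_load net-pf-17 af_packet "Packet socket support (AF_PACKET)" "$tmp" && echo "allowed"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `sh restricted-module-check.sh --demo` to see the deny line followed by the allow. Note that such a check only sees the module the kernel asked for; a module pulled in as a dependency of a whitelisted one is never presented to it, which is the gap raised later in this thread.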

@donald
Collaborator Author

donald commented May 14, 2026

buczek@dose:~$ sudo bash -c "true > /etc/restricted-module-load.whitelist"
buczek@dose:~$ sudo tcpdump -i net00 -n -c 1
tcpdump: socket: Address family not supported by protocol
buczek@dose:~$ tail -10 /var/log/messages|grep modu
2026-05-14T19:02:59.304414+02:00 dose modprobe-restricted: denied loading of module af_packet ("Packet socket support (AF_PACKET)") via alias net-pf-17
buczek@dose:~$ sudo bash -c "echo af_packet for tcpdump  > /etc/restricted-module-load.whitelist"
buczek@dose:~$ sudo tcpdump -i net00 -n -c 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on net00, link-type EN10MB (Ethernet), capture size 262144 bytes
19:08:46.095315 IP 141.14.17.51.22 > 141.14.16.132.41460: Flags [P.], seq 269300532:269300720, ack 3615730610, win 79, options [nop,nop,TS val 1354191187 ecr 3941314599], length 188
1 packet captured
2 packets received by filter
0 packets dropped by kernel

@donald
Collaborator Author

donald commented May 14, 2026

What do we need in the whitelist? Filesystems for USB sticks?

@thomas
Contributor

thomas commented May 15, 2026

I see two approaches for generating the list:

  • collect all modules that are loaded on the running systems, check for single/exotic ones and use this big list.
  • try to find the modules that are usually loaded after the boot, assuming the kernel only loads the sane ones. This will be a smaller list. Here I guess that at the beginning there will be issues with overlooked modules?

USB sticks: the most popular filesystems should be in.
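As an added example (not from the PR or either commenter), the first approach above can be scripted: collect a copy of /proc/modules from each running system, count on how many hosts each module was loaded, and separate the common modules (whitelist candidates) from the single or exotic ones that need a manual look. The snapshot files and host names are constructed for the demo; the /proc/modules line layout ("name size refcount deps state addr") is the kernel's.

```shell
#!/bin/sh
# Added example (not the PR's code): build whitelist candidates from
# /proc/modules snapshots, one file per host.
export LC_ALL=C   # stable, byte-wise sort order

# module_host_counts SNAPSHOT...: prints "module N", N = number of hosts
# on which the module was loaded.
module_host_counts() {
    for f in "$@"; do
        awk '{ print $1 }' "$f" | sort -u   # each module once per host
    done | sort | uniq -c | awk '{ print $2, $1 }' | sort
}

# exotic_modules MAX SNAPSHOT...: modules loaded on at most MAX hosts,
# the "single/exotic" ones to review by hand.
exotic_modules() {
    max=$1; shift
    module_host_counts "$@" | awk -v m="$max" '$2 <= m { print $1 }'
}

# whitelist_candidates MAX SNAPSHOT...: the remaining modules, printed as
# "name remark" lines (assumed whitelist format: first word is the module).
whitelist_candidates() {
    max=$1; shift
    module_host_counts "$@" | awk -v m="$max" '$2 > m { print $1, "loaded on", $2, "hosts" }'
}

# Constructed demo data: three hosts, two of them with a module no other
# host has loaded.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'af_packet 49152 1 - Live 0x0' 'vfat 20480 0 - Live 0x0' 'fat 86016 1 vfat, Live 0x0' > "$d/host1"
    printf '%s\n' 'af_packet 49152 1 - Live 0x0' 'vfat 20480 0 - Live 0x0' 'fat 86016 1 vfat, Live 0x0' 'pcspkr 16384 0 - Live 0x0' > "$d/host2"
    printf '%s\n' 'af_packet 49152 1 - Live 0x0' 'parport_pc 28672 0 - Live 0x0' > "$d/host3"
    echo "== review by hand =="
    exotic_modules 1 "$d"/host1 "$d"/host2 "$d"/host3
    echo "== whitelist candidates =="
    whitelist_candidates 1 "$d"/host1 "$d"/host2 "$d"/host3
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On real systems the snapshots would be gathered with something like `cat /proc/modules` on each host; the threshold passed to `exotic_modules` and `whitelist_candidates` decides how many hosts a module must appear on before it is accepted without review.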

@donald
Collaborator Author

donald commented May 15, 2026

Maybe it's the wrong approach, because our whitelist wouldn't contain all the modules which can be loaded. So if we know a bad module, we can't quickly check that it is not on the whitelist, because it might be loaded as a dependency. If we want to avoid that, we'd probably need to mess with kmod (=modprobe, insmod, lsmod). More complex, but then the whitelist would be stricter (what is not on the list can't be loaded).
