I think I found a way to make disabling kernel module loading (via /proc/sys/kernel/modules_disabled) easier for server admins. Right now there’s kind of a weird problem on some distros where reading /etc/modules races with reading /etc/sysctl.{conf,d}. In these cases, you can’t just put “kernel.modules_disabled=1” in the latter since you might not have finished loading modules from /etc/modules.
Before now, on my own systems, I’d added the sysctl call to my /etc/rc.local, which seems like a hack — that file is related to neither sysctl nor modules and both subsystems have their own configuration files, but it does happen absolutely last.
Instead, I’ve now defined “disable” as a modprobe alias via /etc/modprobe.d/disable.conf:

    # To disable module loading after boot, "modprobe disable" can be used to
    # set the sysctl that controls module loading.
    install disable /sbin/sysctl kernel.modules_disabled=1
And then in /etc/modules I can list all the modules I actually need, and then put “disable” on the last line. (Or, if I want to not remember the sysctl path, I can manually run “modprobe disable” to turn off modules at some later point.)
I think it’d be cool if this became an internal alias in upstream kmod.
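The ordering matters: if anything is listed in /etc/modules after “disable”, it is requested after the sysctl has already flipped to 1 and will never load. The following audit script is an added example (not code from the post) that checks the three pieces of this set-up. The function names (last_module_entry, check_disable_is_last, check_install_directive, check_runtime_locked, audit) are my own, and all paths are parameters so the script can run against the constructed sample files it creates; on a real host you would pass /etc/modules, /etc/modprobe.d/disable.conf and /proc/sys/kernel/modules_disabled.

```shell
#!/bin/sh
# Added example, not from the original post: audit the "disable" pseudo-module
# set-up. Paths are parameters so the checks can run against sample files.

# Print the last non-blank, non-comment entry of an /etc/modules-style file.
last_module_entry() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1
}

# Succeed only when "disable" is the final entry: any module listed after it
# would be requested after kernel.modules_disabled=1 and fail to load.
check_disable_is_last() {
    [ "$(last_module_entry "$1")" = "disable" ]
}

# Succeed when the modprobe.d file maps "disable" to the sysctl through an
# install directive, as the post's /etc/modprobe.d/disable.conf does.
check_install_directive() {
    grep -Eq '^[[:space:]]*install[[:space:]]+disable[[:space:]]+.*sysctl[[:space:]].*kernel\.modules_disabled=1([[:space:]]|$)' "$1"
}

# Succeed when the sysctl file currently reads 1 (module loading is locked).
check_runtime_locked() {
    [ -r "$1" ] && [ "$(head -n 1 "$1")" = "1" ]
}

# audit MODULES_FILE MODPROBE_CONF SYSCTL_FILE: report every check and
# return 0 only when all three pass.
audit() {
    rc=0
    if check_disable_is_last "$1"; then echo "ok:   'disable' is the last entry in $1"
    else echo "FAIL: 'disable' is not the last entry in $1 (last: '$(last_module_entry "$1")')"; rc=1; fi
    if check_install_directive "$2"; then echo "ok:   $2 maps 'disable' to the sysctl"
    else echo "FAIL: $2 lacks an 'install disable ... kernel.modules_disabled=1' line"; rc=1; fi
    if check_runtime_locked "$3"; then echo "ok:   $3 reads 1, module loading is locked"
    else echo "FAIL: $3 does not read 1, module loading is still open"; rc=1; fi
    return $rc
}

# Constructed sample files standing in for the real /etc and /proc entries.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/modules.good" <<'EOF'
# /etc/modules: modules to load at boot, one per line
iptable_filter
lp
joydev
disable
EOF
# Misordered variant: joydev comes after disable and would never load.
cat > "$SAMPLE_DIR/modules.bad" <<'EOF'
iptable_filter
disable
joydev
EOF
cat > "$SAMPLE_DIR/disable.conf" <<'EOF'
# To disable module loading after boot, "modprobe disable" can be used to
# set the sysctl that controls module loading.
install disable /sbin/sysctl kernel.modules_disabled=1
EOF
printf '1\n' > "$SAMPLE_DIR/modules_disabled.locked"
printf '0\n' > "$SAMPLE_DIR/modules_disabled.open"

# Demonstration runs (a failing audit is reported, not fatal to the script).
audit "$SAMPLE_DIR/modules.good" "$SAMPLE_DIR/disable.conf" "$SAMPLE_DIR/modules_disabled.locked" || :
echo "--- misordered /etc/modules, sysctl still 0 ---"
audit "$SAMPLE_DIR/modules.bad" "$SAMPLE_DIR/disable.conf" "$SAMPLE_DIR/modules_disabled.open" || :
```

The runtime check is the one that actually proves the lock took effect after boot; the two file checks only show that the configuration will produce it. Running the script with the real paths as a cron or config-management check catches the common regression where a later edit appends a module below the “disable” line.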
© 2012, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
Hello Mr Kees Cook. It is very nice, but I would like to ask a question. You wrote, that in “/etc/modules I can list all the modules I actually need, and then put “disable'(…)” – it is enough to add results of the ‘lsmod’ command? I mean the name of modules, for example, ‘joydev’ or ‘snd_pcm’ modules? So ‘/etc/modules’ file will look more or less in this way;
,—-
| iptable_filter
| (…)
| lp
| joydev
`—-
Is that correct?
Comment by daniel curtis — November 29, 2012 @ 8:41 am
Yup! That’s what I did.
Comment by kees — November 29, 2012 @ 10:35 am
Hello again! Thank you for your contribution to the safety of the Linux. I really appreciate it. One more thing; should I create ‘/etc/modprobe.d/disable.conf’ file? I’m so confused. ;-)
Regards, Mr Cook.
Comment by daniel — November 29, 2012 @ 11:19 am
Yup, if you want to use the “disable” alias, you need to define it by creating /etc/modprobe.d/disable.conf and fill it with the contents I mentioned in the post.
Comment by kees — November 29, 2012 @ 11:23 am
Okay, thank You. It is very smart, you know? Certainly it will increase the level of system security. Maybe you should announce it for example on lwn.net website? ;-)
Comment by daniel — November 29, 2012 @ 11:37 am
Hello, last question. You wrote: “And then in /etc/modules (…) put “disable” on the last line. (…)”. Do I have to put ‘disable’ exactly in the /etc/modules file? Do I understand it? So, it should look this way; ‘/etc/modules’ file:
,———–
| (…)
| lp
| snd
| usbhid
| hid
| floppy
| (…)
| disable
`———–
Then, in the created ‘/etc/modprobe.d/disable.conf’ file, I should put:
,———–
| install disable /sbin/sysctl kernel.modules_disabled=1
`———–
That’s all? Sorry for asking again about it, but… I just want to be completely sure.
Best regards, Mr Cook.
Comment by daniel — December 1, 2012 @ 10:22 am