Re: [Tails-dev] Removing or blacklist kernel modules

Delete this message

Reply to this message
Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Removing or blacklist kernel modules
Hi,

(Created https://labs.riseup.net/code/issues/7639 to track this all.)

Jacob Appelbaum wrote (21 Jul 2014 19:54:57 GMT) :
> On 7/21/14, intrigeri <intrigeri@???> wrote:
>> However, removing modules altogether is no more work than blacklisting
>> them: we can do it either via chroot_local-hooks (and then, regenerate
>> the initrd's), or with the exclude file passed to mksquashfs (but in
>> this case, if any of the blacklisted module is in the initrd's, then
>> we're not really removing it; so likely a hook is better).
>>


> Is that true? Isn't blacklisting them as simple as adding a few lines
> to /etc/modprobe.d/blacklist.conf?


Right. Which is not much easier than maintaining a text file with
a list of module names, and writing a ~10-lines build-time hook that
runs find -delete on these names, and then runs update-initramfs.
If we prefer to remove modules entirely, I can do that.

In any case, I think the (one-time) cost of implementing this
mechanism will be totally neglictible, compared to the energy needed
to create and maintain the blacklist.

> I think there are some modules we will never want (eg: appletalk) and
> some people may oneday force load (ax25) for their HAM radio
> emergencies.


Good point. Then, we might want to keep some modules blacklisted, even
when we move from blacklisting to removing. So, we need two lists.

> Is the right place to put things in /etc/modprobe.d/blacklist.conf
> as I think?


I think we'll want to use a less generic name, such as
tails-blacklist.conf.

> This would be my first addition to that file:


I've just created https://tails.boum.org/blueprint/blacklist_modules/,
and added your list to it. Please add a rationale for each module
there (why it's useless and/or dangerous), as we won't just add
modules to the blacklist because someone pretending to be Jake on
a mailing-list said so :)

Also, for anyone interested in working on this blacklist, Ubuntu and
Fedora have had some for years:

* https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
* https://wiki.ubuntu.com/Security/Features#blacklist-rare-net

These are well tested, and would be a good basis. Likely we'll want to
go further in Tails, but at least *this* should really be ported to
Debian, and not carried as a Tails delta.

Cheers,
--
intrigeri