Re: [Tails-dev] Removing or blacklist kernel modules

Delete this message

Reply to this message
Author: Jacob Appelbaum
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Removing or blacklist kernel modules
On 7/21/14, intrigeri <intrigeri@???> wrote:
> Hi,
>
> (Created https://labs.riseup.net/code/issues/7639 to track this all.)
>


Thanks!

> Jacob Appelbaum wrote (21 Jul 2014 19:54:57 GMT) :
>> On 7/21/14, intrigeri <intrigeri@???> wrote:
>>> However, removing modules altogether is no more work than blacklisting
>>> them: we can do it either via chroot_local-hooks (and then, regenerate
>>> the initrd's), or with the exclude file passed to mksquashfs (but in
>>> this case, if any of the blacklisted module is in the initrd's, then
>>> we're not really removing it; so likely a hook is better).
>>>
>
>> Is that true? Isn't blacklisting them as simple as adding a few lines
>> to /etc/modprobe.d/blacklist.conf?
>
> Right. Which is not much easier than maintaining a text file with
> a list of module names, and writing a ~10-lines build-time hook that
> runs find -delete on these names, and then runs update-initramfs.
> If we prefer to remove modules entirely, I can do that.


Sounds reasonable.

>
> In any case, I think the (one-time) cost of implementing this
> mechanism will be totally neglictible, compared to the energy needed
> to create and maintain the blacklist.


I think we should consider using the Ubuntu list of modules as a starting point.

>
>> I think there are some modules we will never want (eg: appletalk) and
>> some people may oneday force load (ax25) for their HAM radio
>> emergencies.
>
> Good point. Then, we might want to keep some modules blacklisted, even
> when we move from blacklisting to removing. So, we need two lists.
>


Sure, we may need two lists in the long run.

>> Is the right place to put things in /etc/modprobe.d/blacklist.conf
>> as I think?
>
> I think we'll want to use a less generic name, such as
> tails-blacklist.conf.
>


The reason I suggested blacklist.conf is that it already exists. If
you want to create a different file, it certainly won't make sense to
send it directly to Debian; won't it remain a Tails delta?

>> This would be my first addition to that file:
>
> I've just created https://tails.boum.org/blueprint/blacklist_modules/,
> and added your list to it. Please add a rationale for each module
> there (why it's useless and/or dangerous), as we won't just add
> modules to the blacklist because someone pretending to be Jake on
> a mailing-list said so :)
>


Ok.

> Also, for anyone interested in working on this blacklist, Ubuntu and
> Fedora have had some for years:
>
> *
> https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
> * https://wiki.ubuntu.com/Security/Features#blacklist-rare-net
>


Shall we take those two as the base sets to list?

> These are well tested, and would be a good basis. Likely we'll want to
> go further in Tails, but at least *this* should really be ported to
> Debian, and not carried as a Tails delta.


How would Debian want such a patch? It seems unlikely that
tails-blacklist.conf will be taken upstream by the name alone...

All the best,
Jacob