Re: [Tails-dev] Removing or blacklist kernel modules

Delete this message

Reply to this message
Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Removing or blacklist kernel modules
Hi,

Jacob Appelbaum wrote (22 Jul 2014 08:34:59 GMT) :
> On 7/21/14, intrigeri <intrigeri@???> wrote:
>> Jacob Appelbaum wrote (21 Jul 2014 19:54:57 GMT) :
>>> Is that true? Isn't blacklisting them as simple as adding a few lines
>>> to /etc/modprobe.d/blacklist.conf?
>>
>> Right. Which is not much easier than maintaining a text file with
>> a list of module names, and writing a ~10-lines build-time hook that
>> runs find -delete on these names, and then runs update-initramfs.
>> If we prefer to remove modules entirely, I can do that.


> Sounds reasonable.


OK, glad we found an agreement :)

Jurre, what do you think? Does the general plan (starting with
blacklisting, then removing all of the blacklisted modules but some)
make sense to you? If so, please close #7575, and either add the plan
to the blueprint, or ask me to do it.

>>> Is the right place to put things in /etc/modprobe.d/blacklist.conf
>>> as I think?
>>
>> I think we'll want to use a less generic name, such as
>> tails-blacklist.conf.
>>


> The reason I suggested blacklist.conf is that it already exists. If
> you want to create a different file, it certainly won't make sense to
> send it directly to Debian; won't it remain a Tails delta?


That file only exists on Squeeze: it was removed in udev 175-1.

The filename that'll be used on Debian probably depends on the package
we want to sneak it into. Also, it's probably a good idea to have the
blacklist split into smaller, per-topic files. E.g. both Fedora and
Ubuntu currently ship /etc/modprobe.d/blacklist-rare-network.conf.
On Trusty, it's provided by the kmod package:

http://packages.ubuntu.com/trusty/i386/kmod/filelist

It would be good to start a discussion about it with the Debian
security team and the kmod maintainers.

Wrt. the content and process, I suggest proposing them to take
Ubuntu's rare network protocols blacklist as-is, to start with. I hope
this shouldn't be to hard to have accepted, assuming we provide a good
rationale, e.g. short history of security holes in these modules,
explanation why it's not used much, and feedback from Fedora/Ubuntu
developers (ask e.g. Kees and John Johansen). It may require a patch
against the Jessie release notes, to smooth things a bit, though.

Jake, want to initiate this discussion?

Cheers,
--
intrigeri