codeblog code is freedom — patching my itch

11/28/2012

clean module disabling

Filed under: Blogging,Chrome OS,Security,Ubuntu,Ubuntu-Server — kees @ 3:55 pm

I think I found a way to make disabling kernel module loading (via /proc/sys/kernel/modules_disabled) easier for server admins. Right now there’s kind of a weird problem on some distros where reading /etc/modules races with reading /etc/sysctl.{conf,d}. In these cases, you can’t just put “kernel.modules_disabled=1” in the latter since you might not have finished loading modules from /etc/modules.

Before now, on my own systems, I’d added the sysctl call to my /etc/rc.local, which seems like a hack — that file is related to neither sysctl nor modules and both subsystems have their own configuration files, but it does happen absolutely last.

Instead, I’ve now defined “disable” as a modprobe alias via /etc/modprobe.d/disable.conf:

# To disable module loading after boot, "modprobe disable" can be used to
# set the sysctl that controls module loading.
install disable /sbin/sysctl kernel.modules_disabled=1

And then in /etc/modules I can list all the modules I actually need, and then put “disable” on the last line. (Or, if I want to not remember the sysctl path, I can manually run “modprobe disable” to turn off modules at some later point.)

I think it’d be cool this this become an internal alias in upstream kmod.

© 2012, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

Share and Enjoy:
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • Technorati
  • Identi.ca
  • Reddit
  • Twitter

6 Comments »

  1. Hello Mr Kees Cook. It is very nice, but I would like to ask a question. You wrote, that in “/etc/modules I can list all the modules I actually need, and then put “disable’(…)” – it is enough to add results of the ‘lsmod’ command? I mean the name of modules, for example, ‘joydev’ or ‘snd_pcm’ modules? So ‘/etc/modules’ file will look more or less in this way;

    ,—-
    | iptable_filter
    | (…)
    | lp
    | joydev
    `—-

    Is that correct?

    Comment by daniel curtis — 11/29/2012 @ 8:41 am

  2. Yup! That’s what I did.

    Comment by kees — 11/29/2012 @ 10:35 am

  3. Hello again! Thank you for your contribution to the safety of the Linux. I really appreciate it. One more thing; should I create ‘/etc/modprobe.d/disable.conf’ file? I’m so confused. ;-)

    Regards, Mr Cook.

    Comment by daniel — 11/29/2012 @ 11:19 am

  4. Yup, if you want to use the “disable” alias, you need to define it by creating /etc/modprobe.d/disable.conf and fill it with the contents I mentioned in the post.

    Comment by kees — 11/29/2012 @ 11:23 am

  5. Okay, thank You. It is very smart, you know? Certainly it will increase the level of system security. Maybe you should announce it for example on lwn.net website? ;-)

    Comment by daniel — 11/29/2012 @ 11:37 am

  6. Hello, last question. You wrote: “And then in /etc/modules (…) put “disable” on the last line. (…)”. Did I have to put ‘disable’ exactly in the /etc/modules file? Do I understand it? So, it should look this way; ‘/etc/modules’ file:

    ,———–
    | (…)
    | lp
    | snd
    | usbhid
    | hid
    | floppy
    | (…)
    | disable
    `———–

    Then, in the created ‘/etc/modprobe.d/disable.conf’ file, I should put;

    ,———–
    | install disable /sbin/sysctl kernel.modules_disabled=1
    `———–

    That’s all? Sorry for asking again about it, but… I just want to be completly sure.

    Best regards, Mr Cook.

    Comment by daniel — 12/1/2012 @ 10:22 am

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress