Chris's Wiki :: blog/linux/KernelModuleWhitelistWish Comments
https://utcc.utoronto.ca/~cks/space/blog/linux/KernelModuleWhitelistWish?atomcomments
DWiki
2017-03-09T14:49:53Z
Recent comments in Chris's Wiki :: blog/linux/KernelModuleWhitelistWish.

By Simon Deziel (https://sdeziel.info) on /blog/linux/KernelModuleWhitelistWish
<div class="wikitext"><p>Maybe using a wrapper script around modprobe would work? That wrapper would check the whitelist before actually calling the real modprobe.</p>
</div>
2017-03-09T14:49:53Z

By Albert on /blog/linux/KernelModuleWhitelistWish
<div class="wikitext"><p>I suppose you could write your own whitelist then a simple shell script that scans through /lib/modules/&lt;kernel_version&gt; and programmatically generates the blacklist including all the modules it finds except the whitelisted ones.
Just a thought.</p>
</div>
2017-03-09T10:32:30Z

By Guus Snijders on /blog/linux/KernelModuleWhitelistWish
<div class="wikitext"><blockquote><p>Obviously, what would be better is a whitelist; we'd check over our
systems and whitelist only the modules that we needed or expected to
need. All other modules would be blocked by default, perhaps with
some way to log attempts to load a module so we could find out when
one is missing from our whitelist.</p>
</blockquote>
<p>Actually, you can. It's a bit dirty, but should work.</p>
<p>As all modules are basically files, one could choose to move the tree somewhere else and then copy the wanted modules.</p>
<p>I must admit that I'm not sure how the lookup of modules works exactly. I guess only /lib/modules/$kernelversion is looked at, but I could be wrong.</p>
<p>This approach would require thorough testing and gets messy on kernel updates/upgrades, but I guess that goes for most whitelist operations.</p>
</div>
2017-03-09T09:52:34Z

By Cian on /blog/linux/KernelModuleWhitelistWish
<div class="wikitext"><p>Could you deal with this by manually loading all the modules you might need, and then setting the sysctl to prevent module loading?</p>
</div>
2017-03-09T07:27:01Z
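
Albert's suggestion above (scan the module tree and generate a blacklist of everything that is not whitelisted) could look like the following. This is an added example, not code from any of the commenters; the function name `gen_module_denylist`, the allowlist file format and the extra `install ... /bin/false` lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: build modprobe.d deny entries from an allowlist.
#
# gen_module_denylist MODULE_DIR ALLOWLIST_FILE
#   MODULE_DIR      module tree, e.g. /lib/modules/$(uname -r)
#   ALLOWLIST_FILE  one module name per line; blank lines and '#' comments ignored
# Prints two lines for every module found that is not on the allowlist.
# "blacklist" alone only stops alias-based autoloading; the "install" line
# also makes an explicit "modprobe <name>" fail. Neither affects insmod,
# which does not read modprobe.d.
gen_module_denylist() {
    moddir=$1
    allow=$2
    [ -d "$moddir" ] || { echo "no such module directory: $moddir" >&2; return 1; }
    [ -r "$allow" ]  || { echo "cannot read allowlist: $allow" >&2; return 1; }

    # Normalise the allowlist: drop comments and whitespace, and map '-' to '_'
    # because modprobe treats the two characters as equivalent in module names.
    allowed=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' -e 'y/-/_/' "$allow" | sort -u)

    # Module files may be plain or compressed (.ko, .ko.gz, .ko.xz, .ko.zst).
    find "$moddir" -type f \( -name '*.ko' -o -name '*.ko.gz' \
                              -o -name '*.ko.xz' -o -name '*.ko.zst' \) |
        sed -e 's|.*/||' -e 's/\.ko$//' -e 's/\.ko\.[a-z]*$//' -e 'y/-/_/' |
        sort -u |
        while IFS= read -r mod; do
            # Whole-line, fixed-string match so "ext4" does not allow "ext4_foo".
            if ! printf '%s\n' "$allowed" | grep -qxF -- "$mod"; then
                printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod"
            fi
        done
}

# When called with two arguments, act as a command-line tool.
if [ "$#" -eq 2 ]; then
    gen_module_denylist "$1" "$2"
fi
```

Redirect the output to a file under /etc/modprobe.d/ and regenerate it after every kernel update, since a new kernel version brings a new module directory.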