titanz/Kernel-Module-Blacklist
1
0
Fork 0
mirror of https://github.com/TommyTran732/Kernel-Module-Blacklist.git synced 2025-02-23 13:09:23 +01:00
Code Issues Packages Projects Releases Wiki Activity
Kernel-Module-Blacklist/README.md
Tommy a8a06c476c
Typo fix 
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-03 00:08:32 -07:00

3.0 KiB
Raw Blame History

Kernel Module Blacklist

This is my attempt at making a common kernel module blacklist that can be used across different systems. The goal is to be as strict as possible with this blacklist while not breaking common functionality and applications.

The idea here is that we collect the list of kernel modules available and the list of kernel modules actively used on production systems. Unused kernel modules will be added to the blacklist. For a bit of convienience and reliability, we will also not blacklist the modules listed kmod-filter-start and kmod-filter-all.

Required data

If you want to send me your data, at minimum you will need the following:

  • The available kernel module on your system. This can be obtained with:
ls -R /lib/modules/"$(uname -r)"/kernel/{drivers,fs,net,sound} | grep "\.ko" | sed 's/.ko.xz//g' > blacklist.txt
  • The kernel modules being used on your system. This can be obtained with:
lsmod | awk '{ print $1 }' > necessary.txt

  • Your hardware type (What laptop model is it? Which cloud provider hosts this vps? etc).

  • The output of cat /proc/version.

Additionally, the output of lshw, information on your workload, etc will be greatly appreciated, but they are not necessary.

Supported hardwware/Workload

Reasonably new and common hard hardware and will be added to the sample-data directory and used to generate the kernel module blacklist. The same goes for server workloads - if it is a reasonably common workload, it will be supported.

One exception for this is the use of technologies that are known to be vulnerable, such as Thunderbolt. Their kernel module will always remain blacklisted and whichever workload relies on them will not be supported.

Niche systems will be added to the sample-data-not-used directory. Old systems in sample-data will also be moved to sample-data-not-used when they eventually become irrelevant. Systems in this directory will not be used to generate the kernel module blacklist, however their information will be available for the public just in case someone may find it helpful. You can still generate your own blacklist according to your liking.

Generate your own blacklist

  • Follow the instructions above get the list of availble and necessary kernel modules on each of your system.
  • Put your data in the appropriate directories in sample-data.
  • Adjust the filter list in kmod-filter-start and kmod-filter-all. Kernel modules with a name starting with a string inside kmod-filter-start will be removed from the blacklist. Likewise, kernel modules with a name containing the a string inside kmod-filter-all will also be removed from the blacklist.
  • Run generate-kmod-blacklist-aggregate. The generated blacklist will be put in etc/modprobe.d.

Alternatively, if you only want to generate a blacklist for 1 specific running system, you can use generate-kmod-blacklist instead. Note that this will not apply the whitelist in kmod-filter-start and kmod-filter-all.