:: Re: [DNG] Dirtyfrag
Top Page
This message is part of the following thread:
M-\the complete thread tree sorted by date
M\Msawbona at <-
MMM 
Delete this message
Reply to this message
Author: Arnt Karlsen
Date:  
To: dng
New-Topics: [DNG] Own kernel, whitelist modules, BCacheFS and what else you may come up with (was: Re: Dirtyfrag)
Subject: Re: [DNG] Dirtyfrag
On Fri, 08 May 2026 14:10:39 +0200, Martin wrote in message
<2085969.usQuhbGJ8B@laptop>:

> Greetings,
>
> sawbona@??? - 08.05.26, 13:03:07 CEST:
> > On 8 May 2026 at 12:30, Martin Steigerwald wrote:
> > > I think the syntax is:
> > >
> > > [code]
> > > $ cat /etc/modprobe.d/blacklist-dirtyflag.conf
> > > blacklist esp4
> > > blacklist esp6
> > > blacklist rxrpc
> > > $
> > > [/code]
> > >
> > > That is at least what I use for another case and it works.
> >
> > It does.
> > But I understand that *just* blacklisting would allow any other
> > non-blacklisted module to call and load a blacklisted module.
> >
> > See here ...
> > https://forums.debian.net/viewtopic.php?t=160075
> >
> > and here:
> >
> > https://wiki.debian.org/
> > KernelModuleBlacklisting#Blacklist_with_fake_install[/url]
>
> Thanks. That is an important distinction, I did not know yet.
>
> For preventing certain drivers to load the modprobe.d approach worked
> for me, but indeed I have four modules mentioned. With the fake
> install method I would probably just have needed one.
>
> So for this security issue I'd recommend the fake install method.

..the classic classy way is build your own kernel packages, tossing
out all the systemd etc crap we do not want, and keeping only the
modules we do want, "if it's not there, it cannot be loaded",
effectively creating the module whitelist effect we want. ;o)
https://kernel-team.pages.debian.net/kernel-handbook/ch-common-tasks.html#s-common-official

..note that official Debian kernel packages are patched to remove
stuff from the pristine (also sometimes called "vanilla") kernel
sources and add stuff that the Debian systemd fanbois wants and
that we might disagree on, which is why we might wanna start from
the pristine kernel sources and do our own pick-and-choose patching:
https://wiki.debian.org/CategoryKernel
https://wiki.debian.org/KernelGit?highlight=%28%5CbCategoryKernel%5Cb%29
https://kernel-team.pages.debian.net/kernel-handbook/ch-common-tasks.html#s-kernel-org-package

..alleged outdated docs that might fit us better:
https://debian-handbook.info/browse/stable/sect.kernel-compilation.html
https://wiki.debian.org/BuildADebianKernelPackage?highlight=%28%5CbCategoryKernel%5Cb%29


--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
This message was posted to the following mailing lists:
dng
Mailing List Info | Nearby Messages		<-[DNG] elogind 257.13 (was: Re: dracut needing a fork? apt wants to remove elogind libraries)[DNG] Own kernel, whitelist modules, BCacheFS and what else you may come up with (was: Re: Dirtyfrag)->

Donate to Dyne.org

dyne.org open discussions
administrated by dyne.org hackers		Lurker (version 2.3)