authoranonym <anonym@riseup.net>2017-03-03 13:00:57 +0100
committeranonym <anonym@riseup.net>2017-03-03 13:20:16 +0100
commit442a293d896076a1a8242d8d4f3320dc016495bb (patch)
tree2c65b07ec1dc5c3540f662e0fb81c1db796818ed
parentcc671569afec86951a3c787e722ee4eee6525769 (diff)
Disable modules we blacklist for security reasons.
Blacklisted (via `blacklist MODULENAME`) modules are only blocked from being loaded during the boot process, but are still loadable with an explicit `modprobe MODULENAME`, and (worse!) via kernel module auto-loading.
-rwxr-xr-xconfig/chroot_local-hooks/80-block-network4
-rw-r--r--config/chroot_local-includes/etc/modprobe.d/no-mei.conf4
-rwxr-xr-xconfig/chroot_local-includes/usr/local/lib/tails-spoof-mac3
3 files changed, 6 insertions, 5 deletions
diff --git a/config/chroot_local-hooks/80-block-network b/config/chroot_local-hooks/80-block-network
index f6b4dd0..1d375b3 100755
--- a/config/chroot_local-hooks/80-block-network
+++ b/config/chroot_local-hooks/80-block-network
@@ -5,6 +5,6 @@ set -e
echo "Generating blocklist for all network devices"
find /lib/modules/*/kernel/drivers/net \
- -name "*.ko" -printf "blacklist %f\n" | \
- sed 's/\.ko$//' | \
+ -name "*.ko" -printf "install %f /bin/true\n" | \
+ sed 's/\.ko / /' | \
sort -u > /etc/modprobe.d/all-net-blacklist.conf
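Review bot: The rewritten pipeline still runs under plain `set -e` (visible in the hunk header) with no `pipefail`, so if `find` fails — for example because the `/lib/modules/*/kernel/drivers/net` glob does not match — `sort -u` still exits 0 and an empty all-net-blacklist.conf is written while the hook continues as if every network driver were blocked. If the hook runs under bash, adding `set -o pipefail` next to the existing `set -e` (or checking that the output file is non-empty afterwards) turns that silent failure into a build error. The reason for `install … /bin/true` over `blacklist` is only in the commit message; a one-line comment above the `find`, such as `# "install MOD /bin/true" also defeats explicit modprobe and autoloading, which "blacklist" does not`, would keep the next editor from reverting it. Note the new `-name "*.ko"` filter would also silently skip compressed modules (`*.ko.xz`, `*.ko.gz`) should the kernel package ever ship them, which is worth a TODO.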
diff --git a/config/chroot_local-includes/etc/modprobe.d/no-mei.conf b/config/chroot_local-includes/etc/modprobe.d/no-mei.conf
index 1d917d1..7a51479 100644
--- a/config/chroot_local-includes/etc/modprobe.d/no-mei.conf
+++ b/config/chroot_local-includes/etc/modprobe.d/no-mei.conf
@@ -1,2 +1,2 @@
-blacklist mei-me
-blacklist mei
+install mei-me /bin/true
+install mei /bin/true
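Review bot: The two `install` lines only cover the PCI transport and the core; if the kernel also ships the Atom/TXE transport of the same driver (`mei-txe`, historically present alongside `mei-me`), it remains loadable and will pull in `mei` through its own module dependency, which this file cannot prevent since `install` is consulted only for the module named on the modprobe command line. Worth confirming against the modules actually built for the shipped kernel and adding a matching `install mei-txe /bin/true` if it exists. A short comment at the top of the file, such as `# "install" rather than "blacklist": the latter does not stop explicit modprobe or autoloading`, would document the intent the commit message explains.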
diff --git a/config/chroot_local-includes/usr/local/lib/tails-spoof-mac b/config/chroot_local-includes/usr/local/lib/tails-spoof-mac
index 774a347..b43811c 100755
--- a/config/chroot_local-includes/usr/local/lib/tails-spoof-mac
+++ b/config/chroot_local-includes/usr/local/lib/tails-spoof-mac
@@ -75,7 +75,8 @@ mac_spoof_panic() {
fi
module=$(get_module_used_by_nic "${nic}")
nic_name="$(get_name_of_nic ${nic})"
- echo "blacklist ${module}" >> /etc/modprobe.d/"${module}"-blacklist.conf
+ echo "install ${module} /bin/true" >> \
+ /etc/modprobe.d/"${module}"-blacklist.conf
unload_module_and_rev_deps "${module}" || :
if nic_exists "${nic}"; then
log "Failed to unload module ${module} of NIC ${nic}."
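Review bot: The new `echo "install ${module} /bin/true"` line writes whatever `get_module_used_by_nic` returned without checking it; if that helper returns an empty string the file `/etc/modprobe.d/-blacklist.conf` is created containing `install  /bin/true`, which is a malformed directive, and the `unload_module_and_rev_deps "${module}" || :` that follows swallows the resulting error. Unless the `if … fi` closed at the top of the hunk already validates `${module}`, a guard such as `[ -n "${module}" ] || { log "Cannot determine module of NIC ${nic}."; return 1; }` before the `echo` would make the panic path fail loudly. The file name `"${module}"-blacklist.conf` now holds an `install` directive rather than a `blacklist` one, so the name is slightly misleading; keeping it is fine for compatibility but a comment saying so helps. `mac_spoof_panic` starts before this hunk and its body continues past it.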