[ubuntu-hardened] Blocking module loading and System booting.

Kees Cook kees at ubuntu.com
Fri May 15 22:25:59 UTC 2015 

On Fri, May 15, 2015 at 02:43:18PM -0700, Seth Arnold wrote:
> On Fri, May 15, 2015 at 08:29:19PM +0200, Daniel Curtis wrote:
> > I would ask about a block module loading which is offered
> > as a one of the Ubuntu security feature [1]. The advantage
> > of this kind of defense is that it could prevent system
> > damage etc.
> > 
> > One of such defense is to remove capability of loadable
> > kernel modules entirely. So, if I set a block module loading
> > via setting "1" in /proc/sys/kernel/modules_disabled, then
> > system will start normally without any issues?
> > 
> > Of course modules loading (after user log in) will be
> > impossible, but Ubuntu will load all necessary modules and start/boot
> > normally, right? (I mean before user login). And
> > ready to use, just like before blocking module loading?
> 
> Hello Daniel,
> 
> If you wish to disable module loading, I recommend doing so via
> /etc/rc.local; I believe this will run after the rest of the startup
> tasks, which should on-demand load whatever is needed during early boot.
> 
> Before doing this, it would be a good idea to look through the output of
> lsmod on a running, working, system, and configuring whatever modules you
> need in /etc/modules-load.d/ manually -- some tasks like VPNs or ecryptfs
> mounts or CIFS mounts might cause modules to be loaded well after boot,
> and if your environment relies upon these modules, it'd be best to ensure
> they are loaded before preventing further module loading.
> 
> I hope this helps.

It turns out it's not as simple as putting this in rc.local, as this may
still race things in /etc/init. I recommend an upstart job that makes sure
both module-init-tools and 'rc' (the fall-back sysv script runner) have
finished. For example, as /etc/init/modules-disable.conf:

# modules-disable - disable modules after rc scripts are done
#
description     "disable loading modules"

start on stopped kmod and stopped rc

task
script
    echo 1 > /proc/sys/kernel/modules_disabled
end script


Anything you may need "on demand" (like, a usb keyboard in a colocation
facility), add to /etc/modules ahead of time so they get preloaded.

-Kees

-- 
Kees Cook

More information about the ubuntu-hardened mailing list