Blacklist more kernel modules to reduce attack surface

As per "linux - Methods root can use to elevate itself to kernel mode - Information Security Stack Exchange", we should disable CPU MSRs.

MSRs are only exposed when the msr module is loaded so we can blacklist that module to prevent them from being abused.

1 Like

Does this break virt-detect?

1 Like

Good point but even if it does, that is only required by two features.

  • [1] power-savings-disable-in-vms
  • [2] whonixcheck warn against unsupported virtualizers

Non-essential features. [1] could be implemented in another way.

Kicksecure has both, VM and host packages:

  • kicksecure-cli-vm / kicksecure-cli
  • kicksecure-xfce-vm / kicksecure-xfce

Whonix doesn’t have that yet and it’s difficult to make the conversion for existing users. (Since this is the “top level” meta package.)

[2] might be lost but I guess that is a feature reduction we can endure.

1 Like

No. MSRs have nothing to do with that.

1 Like

I’m pretty sure they do because when I blocked access to them using libvirt it broke hypervisor detection, but @Patrick explained it’s not a big deal.

1 Like

No, you can even test it yourself by running systemd-detect-virt and seeing the msr module isn’t even loaded.

2 Likes

Good to know. Then go for it :grinning:

2 Likes
1 Like

Merged.

2 Likes
1 Like

W: security-misc: obsolete-command-in-modprobe.d-file etc/modprobe.d/30_security-misc.conf install
N:
W: obsolete-command-in-modprobe.d-file
N:
N:   Use of 'install' and 'remove' commands in module files in
N:   /etc/modprobe.d and /etc/modules-load.d is deprecated and should be
N:   replaced with 'softdep' commands.
N:   
N:   Severity: warning
N:   
N:   Check: modprobe
N:

I don’t think softdep would replace security-misc use case of install msr /bin/false etc.

Finally, the use of /bin/false should perhaps be replaced with /bin/true.
Blacklist more kernel modules by raja-grewal · Pull Request #109 · Kicksecure/security-misc · GitHub

I prefer module load failures to produce error messages that can be investigated over silent breakage whose cause is hard to track down.

Could you please revert that specific commit?

Instead of /bin/false perhaps the following would be even easier to investigate?

/bin/disabled-by-security-misc

#!/bin/bash
echo "$0: ERROR: This kernel module is disabled by package security-misc by default. Most likely by configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2
exit 1

Good point, I reverted that commit.

I also agree that having a unique error for blacklisted modules would be easier to trace and have implemented your suggestion.

Will test more thoroughly soon.

1 Like

Merged, thank you!

I am not sure blacklisting CD-ROM is a good idea yet. Therefore commented out for now.

There will be a Kicksecure ISO live / installer at some point as well as the same for Whonix-Host. As implemented now, that ISO might be broken by default when booting from DVD.


There might be a way to un-blacklist CD-ROM / DVD for ISO only.

Modules cdrom / sr_mod probably also required to boot a live / installer ISO inside a VM?

Added more kernel modules to the blacklist. Currently they are all prevented from automatically loading rather than being permanently disabled. We can then potentially begin the process of disabling them once compatibility is understood.

Perhaps simply blocking them from automatically loading for the time being would be an acceptable middle-ground until this can be investigated further?

1 Like
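
The thread distinguishes modules that are only kept from loading automatically (`blacklist`) from modules that are disabled through an `install` override such as `/bin/false` or `/bin/disabled-by-security-misc`. The script below is an added example, not part of the thread or of security-misc, that reports which of the two applies to each module in a modprobe.d-style file and whether a module is currently loaded. The function names, state labels and sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example. What each directive means for modprobe:
#   blacklist X    -> X's aliases are ignored (no auto-load); "modprobe X" still loads it
#   install X CMD  -> modprobe runs CMD instead of loading X
# modprobe treats "-" and "_" in module names as the same character.

classify_modprobe_conf() {   # $1: modprobe.d-style file -> "<module> <state>" lines
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        { m = $2; gsub(/-/, "_", m) }
        $1 == "install" && NF >= 3 { state[m] = "install-override:" $3; next }
        $1 == "blacklist" && NF == 2 && !(m in state) { state[m] = "autoload-blocked" }
        END { for (m in state) print m, state[m] }
    ' "$1" | sort
}

module_state() {             # $1: conf file, $2: module name
    classify_modprobe_conf "$1" | awk -v want="$2" '
        BEGIN { gsub(/-/, "_", want) }
        $1 == want { print $2; found = 1 }
        END { if (!found) print "no-entry" }'
}

is_loaded() {                # $1: module, $2: modules list (default /proc/modules)
    awk -v want="$1" '
        BEGIN { gsub(/-/, "_", want) }
        $1 == want { hit = 1 }
        END { exit !hit }' "${2:-/proc/modules}"
}

sample_conf() {              # constructed sample, not the shipped security-misc file
    cat <<'EOF'
# modules named in the thread
install msr /bin/disabled-by-security-misc
blacklist cdrom
blacklist sr-mod
#install cdrom /bin/disabled-by-security-misc
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
classify_modprobe_conf "$conf"
rm -f "$conf"
```

Modules reported as `autoload-blocked` can still be loaded by an explicit `modprobe`, which is the middle ground proposed above for cdrom and sr_mod.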