madaidan via Whonix Forum:
I just found out that we should probably be using
install (module) /bin/true instead of using
blacklist as the blacklisted module can still be loaded if another module depends on it.
Do you mean this patch?
A lot of those features are easily replicated or enabled by default.
Please don’t replicate / duplicate code without strong rationale. If
lockdown can work for us, we should keep lockdown responsible to keep
maintenance effort on our side low in the long run.
It may be useful to blacklist some wireless devices to reduce attack
For example, to blacklist the kernel modules for Bluetooth, add
to some file in /etc/modprobe.d.
A systemd service can also be configured to run
rfkill block all and
rfkill unblock wifi to block all wireless devices except WiFi.
Sounds good but only if not duplicated by lockdown.
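
The blacklist versus install distinction raised above can be checked mechanically. The following is an added example, not part of the original post or of Whonix's code: it lists modules that are only blacklisted and have no install override pointing at /bin/true or /bin/false. The function names and the sample configuration (including the module names in it) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find modules that modprobe.d-style config only "blacklist"s.
# Such a module can still be loaded as a dependency of another module;
# "install <module> /bin/true" makes modprobe run /bin/true instead.

# Reads modprobe.d-style text on stdin and prints, one per line, every
# blacklisted module that has no install override to true/false.
weakly_blocked() {
    awk '
        # modprobe treats "-" and "_" in module names as the same character
        function norm(m) { gsub(/-/, "_", m); return m }

        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "blacklist" && NF >= 2 { bl[norm($2)] = 1 }
        $1 == "install" && NF >= 3 && $3 ~ /^(\/usr)?\/bin\/(true|false)$/ {
            hard[norm($2)] = 1
        }
        END { for (m in bl) if (!(m in hard)) print m }
    ' | sort
}

# Constructed sample input (hypothetical file content, not from the post).
sample_conf() {
    cat <<'EOF'
# constructed sample
blacklist bluetooth
blacklist btusb
install btusb /bin/true
blacklist firewire-core
install firewire_core /bin/false
EOF
}

# Demo on the constructed sample.
sample_conf | weakly_blocked
```

To audit a real system, feed it the actual files, for example `cat /etc/modprobe.d/*.conf | weakly_blocked`.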