madaidan via Whonix Forum:
I just found out that we should probably be using install (module) /bin/true instead of using blacklist, as the blacklisted module can still be loaded if another module depends on it.
Sounds good.
Do you mean this patch?
Yes.
A lot of those features are easily replicated or enabled by default.
Please don’t replicate / duplicate code without strong rationale. If lockdown can work for us, we should keep lockdown responsible to keep maintenance effort at our side low in the long run.
It may be useful to blacklist some wireless devices to reduce attack surface.
For example, to blacklist the kernel modules for bluetooth, add
blacklist btusb
blacklist bluetooth
to some file in /etc/modprobe.d.
A systemd service can also be configured to run rfkill block all
and
rfkill unblock wifi
to block all wireless devices except WiFi.
Sounds good but only if not duplicated by lockdown.
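As an added example that is not part of the thread and not Whonix code, the following POSIX shell script produces the two artefacts the thread discusses (a modprobe.d drop-in that uses install /bin/true rather than only blacklist, and a oneshot systemd unit that runs rfkill) and audits a modprobe.d directory for modules that are only blacklisted and so can still be pulled in as a dependency. The drop-in file name, the unit name and the /usr/sbin/rfkill path are this example's own assumptions; it writes into a directory you pass, so it can be tried without root before deploying to /etc/modprobe.d and /etc/systemd/system.

```shell
#!/bin/sh
# Added example (not from the Whonix thread or project). Generates a modprobe.d
# drop-in and an rfkill systemd unit, and audits modprobe.d for "blacklist"-only
# entries. File names, unit name and rfkill path are assumptions.

# Write $dir/disable-bluetooth.conf for every module named after $dir.
# "blacklist" only stops the module's aliases from triggering an autoload; a
# dependency of another module or an explicit modprobe still loads it.
# "install <mod> /bin/true" replaces the load command itself, so modprobe runs
# /bin/true instead of inserting the module. Both lines are emitted.
write_modprobe_conf() {
    dir="$1"; shift
    out="$dir/disable-bluetooth.conf"      # file name is an assumption
    : > "$out"
    for mod in "$@"; do
        printf 'blacklist %s\n' "$mod" >> "$out"
        printf 'install %s /bin/true\n' "$mod" >> "$out"
    done
    printf '%s\n' "$out"
}

# Write a oneshot unit that blocks every radio, then re-enables WiFi only.
# Unit name and the rfkill path (/usr/sbin on Debian) are assumptions.
write_rfkill_unit() {
    out="$1/rfkill-block.service"
    cat > "$out" <<'EOF'
[Unit]
Description=Block all wireless devices except WiFi

[Service]
Type=oneshot
ExecStart=/usr/sbin/rfkill block all
ExecStart=/usr/sbin/rfkill unblock wifi
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
    printf '%s\n' "$out"
}

# Audit: print every module that has a "blacklist" line in some *.conf under $1
# but no "install <mod> ..." override anywhere there. These are the modules
# that a dependent module can still load despite the blacklist.
find_blacklist_only() {
    dir="$1"
    cat "$dir"/*.conf 2>/dev/null | awk '
        $1 == "blacklist" { bl[$2] = 1 }
        $1 == "install"   { inst[$2] = 1 }
        END { for (m in bl) if (!(m in inst)) print m }
    ' | sort
}

# Stand-alone demo on a scratch directory with constructed input (no root).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'blacklist pcspkr\n' > "$tmp/weak.conf"   # constructed: blacklist only
    write_modprobe_conf "$tmp" btusb bluetooth
    write_rfkill_unit "$tmp"
    echo "modules with blacklist but no install override:"
    find_blacklist_only "$tmp"
    rm -rf "$tmp"
fi
```

Run it as `sh script.sh demo` to see the audit flag the constructed pcspkr entry while btusb and bluetooth pass. Against a real system, `find_blacklist_only /etc/modprobe.d` lists the modules whose blacklist has no install override; `modprobe -n -v <module>` then shows whether modprobe would run /bin/true or actually insert the module.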