It may be useful to blacklist some wireless devices to reduce attack surface.
For example, to blacklist the kernel modules for bluetooth, add
blacklist btusb
blacklist bluetooth
to some file in /etc/modprobe.d.
A systemd service can also be configured to run rfkill block all and rfkill unblock wifi to block all wireless devices except WiFi.
I just found out that we should probably be using install (module) /bin/true instead of using blacklist as the blacklisted module can still be loaded if another module depends on it.
https://lists.debian.org/debian-security/2012/08/msg00016.html
With kernel lockdown we should be able to blacklist unused/uneeded modules. It is a more complete approach to cherry picking a few.
Do you mean this patch? A lot of those features are easily replicated or enabled by default.
We could make a list of all kernel modules and blacklist them while only allowing the ones we need. That’d be a lot of work though.
madaidan via Whonix Forum:
I just found out that we should probably be using
install (module) /bin/trueinstead of usingblacklistas the blacklisted module can still be loaded if another module depends on it.
Sounds good.
Do you mean this patch?
Yes.
A lot of those features are easily replicated or enabled by default.
Please don’t replicate / duplicate code without strong rationale. If
lockdown can work for us, we should keep lockdown responsible to keep
maintenance effort at our side low in the long run.
It may be useful to blacklist some wireless devices to reduce attack
surface.For example, to blacklist the kernel modules for bluetooth, add
blacklist btusb blacklist bluetoothto some file in /etc/modprobe.d.
A systemd service can also be configured to run
rfkill block alland
rfkill unblock wifito block all wireless devices except WiFi.
Sounds good but only if not duplicated by lockdown.
It isn’t really duplicating code. A lot of the features are already in the kernel, they just need to be enabled with sysctl.
The only thing to do with modules in lockdown that I’m seeing is preventing them from loaded after boot. Does lockdown blacklist any modules?
I’ve looked at the lockdown code and all it does is change 3 sysctl settings, two of which we already use (in security-misc) and the third one just prevents modules from being loaded after boot which isn’t that much of a security gain.
Either, I’m missing something massive or lockdown is mostly useless for us.
It prevents anything not needed by the system from loading. Bear in mind we cannot anticipate all hardware configs for Whonix hosts to set these parameters permanently by default. This will cause problems and users to complain why hardware X is not working.
There is no added benefit for this IMO because malicious code already has plenty of choices when running as root than loading extra modules. (user mode code can’t load modules and needs privilege escalation which isn’t too hard on current Linux systems anyway).
It only prevents them from being loaded after boot. It doesn’t blacklist the modules so they can still be loaded. Preventing modules from being loaded after boot can be done by setting kernel.modules_disabled=1 with sysctl instead of installing a whole new program.
Modules like bluetooth modules will still be loaded at boot when used with lockdown as it does nothing to block those.