Hi,

(Created https://labs.riseup.net/code/issues/7639 to track this all.)

Jacob Appelbaum wrote (21 Jul 2014 19:54:57 GMT) :
> On 7/21/14, intrigeri <intrig...@boum.org> wrote:
>> However, removing modules altogether is no more work than blacklisting
>> them: we can do it either via chroot_local-hooks (and then, regenerate
>> the initrd's), or with the exclude file passed to mksquashfs (but in
>> this case, if any of the blacklisted modules is in the initrd's, then
>> we're not really removing it; so likely a hook is better).
>>
> Is that true? Isn't blacklisting them as simple as adding a few lines
> to /etc/modprobe.d/blacklist.conf?

Right. Which is not much easier than maintaining a text file with
a list of module names, and writing a ~10-line build-time hook that
runs find -delete on these names, and then runs update-initramfs.

If we prefer to remove modules entirely, I can do that. In any case,
I think the (one-time) cost of implementing this mechanism will be
totally negligible, compared to the energy needed to create and
maintain the blacklist.

> I think there are some modules we will never want (eg: appletalk) and
> some people may one day force load (ax25) for their HAM radio
> emergencies.

Good point. Then, we might want to keep some modules blacklisted, even
when we move from blacklisting to removing. So, we need two lists.

> Is the right place to put things in /etc/modprobe.d/blacklist.conf
> as I think?

I think we'll want to use a less generic name, such as
tails-blacklist.conf.

> This would be my first addition to that file:

I've just created https://tails.boum.org/blueprint/blacklist_modules/,
and added your list to it.

Please add a rationale for each module there (why it's useless and/or
dangerous), as we won't just add modules to the blacklist because
someone pretending to be Jake on a mailing-list said so :)

Also, for anyone interested in working on this blacklist, Ubuntu and
Fedora have had some for years:

* https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
* https://wiki.ubuntu.com/Security/Features#blacklist-rare-net

These are well tested, and would be a good basis. Likely we'll want to
go further in Tails, but at least *this* should really be ported to
Debian, and not carried as a Tails delta.

Cheers,
--
intrigeri
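As an added illustration of the two-list mechanism discussed in the thread (example code written for this page, not a Tails hook): a build-time hook that deletes the modules named in a "remove" list from the module tree and refreshes the initramfs, and turns a second "keep but never autoload" list into a modprobe.d file. The list-file paths, the `--apply` flag and the `MODULES_ROOT`/`MODPROBE_DIR` overrides are assumptions; the file name `tails-blacklist.conf` is the one proposed above.

```shell
#!/bin/sh
# Added example, not the Tails project's own code. Assumed list format:
# one module name per line, '#' comments and blank lines allowed.
set -eu

# Print every file under $2 that belongs to module $1. modprobe treats
# '-' and '_' in module names as interchangeable, so match both spellings,
# plus compressed modules (foo.ko.xz, foo.ko.gz).
module_files() {
    alt=$(printf '%s' "$1" | tr '_-' '-_')
    find "$2" -type f \( -name "$1.ko" -o -name "$1.ko.*" \
                         -o -name "$alt.ko" -o -name "$alt.ko.*" \)
}

# remove_modules LIST MODULES_ROOT: delete the listed modules and print
# how many files went away, so a name that matched nothing is noticeable.
remove_modules() {
    removed=0
    while IFS= read -r name || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        for f in $(module_files "$name" "$2"); do
            rm -f "$f"
            removed=$((removed + 1))
        done
    done < "$1"
    echo "$removed"
}

# write_blacklist LIST OUTFILE: one 'blacklist <name>' line per module.
# 'blacklist' only stops automatic loading; the module stays installed and
# can still be loaded explicitly, which is the point for cases like ax25.
write_blacklist() {
    {
        echo "# generated at build time; rationale: blueprint/blacklist_modules"
        grep -Ev '^[[:space:]]*(#|$)' "$1" | sed 's/^/blacklist /'
    } > "$2"
    grep -c '^blacklist ' "$2" || true
}

# Touch the real system only when asked; override the paths to dry-run
# against a scratch directory.
if [ "${1:-}" = "--apply" ]; then
    modroot="${MODULES_ROOT:-/lib/modules}"
    remove_modules "${2:-/etc/tails-modules-remove.txt}" "$modroot"
    write_blacklist "${3:-/etc/tails-modules-blacklist.txt}" \
        "${MODPROBE_DIR:-/etc/modprobe.d}/tails-blacklist.conf"
    # A deleted module may still be packed into the initrd, so rebuild it.
    if [ "$modroot" = /lib/modules ]; then update-initramfs -u -k all; fi
fi
```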