Dieser Bereich kann Inhalte enthalten, die nicht für alle Nutzer geeignet sind. Dazu können unter anderem Texte, Medien oder Diskussionen gehören, die als beleidigend, extremistisch, gewaltbezogen oder anderweitig belastend empfunden werden. Wenn du solche Inhalte nicht sehen möchtest, nutze bitte die jeweiligen Filter- und Meldeoptionen der Plattform oder meide entsprechende Threads/Communities.
Clearly you know of lot about this. Here are some comments for the next human.
Deny all modules seems more possible than a whitelist approach. To deny all, the command is likely “sysctl kernel.modules_disabled=1”.
Whitelisting is harder. One could store a list of all loaded modules on a working system. Store a list of all kernel modules currently installed on the system. Compare the lists and remove from the “all” list the “running” list (grep will do this) and write it to the blacklist file.
The problem with the Whitelisting approach is that it needs to run after every kernel module install (which is doable).
If the above is the case, then someone must have automated this already, but I cannot find it quickly. (I checked Debian’s package repository.)
Nah, that is the problem. It all got so dynamic and easy I don’t really know how the hundreds of active modules on my desktop are loaded, why or in what order anymore. The days when I could list a handful of modules to load at boot are long gone I think unless its an embedded device or perhaps a simple server.
Setting modules_disabled might be viable for a relatively static system. I have seen that one when looking at hardening servers in the past but thought it was a bit extreme. Perhaps not.