Commit 442a293d authored by anonym's avatar anonym

Disable modules we blacklist for security reasons.

Blacklisted (via `blacklist MODULENAME`) modules are only blocked from
being loaded during the boot process, but are still loadable with an
explicit `modprobe MODULENAME`, and (worse!) via kernel module
auto-loading.
parent cc671569
......@@ -5,6 +5,6 @@ set -e
echo "Generating blocklist for all network devices"
find /lib/modules/*/kernel/drivers/net \
-name "*.ko" -printf "blacklist %f\n" | \
sed 's/\.ko$//' | \
-name "*.ko" -printf "install %f /bin/true\n" | \
sed 's/\.ko / /' | \
sort -u > /etc/modprobe.d/all-net-blacklist.conf
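Review bot: The pipeline that writes `/etc/modprobe.d/all-net-blacklist.conf` fails open. With only `set -e` visible (in the hunk header), a failing or empty `find` still leaves `sort -u` exiting 0, so an empty conf file is written and no network driver is disabled. The `-name "*.ko"` pattern would likewise match nothing on a kernel that ships compressed modules (for example `.ko.xz`), should that ever apply to this image. A check right after the pipeline, such as `[ -s /etc/modprobe.d/all-net-blacklist.conf ] || exit 1`, would turn that into a build failure instead of a silent gap. The script begins above this hunk, so a guard may exist that is not visible here.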
blacklist mei-me
blacklist mei
install mei-me /bin/true
install mei /bin/true
......@@ -75,7 +75,8 @@ mac_spoof_panic() {
fi
module=$(get_module_used_by_nic "${nic}")
nic_name="$(get_name_of_nic ${nic})"
echo "blacklist ${module}" >> /etc/modprobe.d/"${module}"-blacklist.conf
echo "install ${module} /bin/true" >> \
/etc/modprobe.d/"${module}"-blacklist.conf
unload_module_and_rev_deps "${module}" || :
if nic_exists "${nic}"; then
log "Failed to unload module ${module} of NIC ${nic}."
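Review bot: `${module}` goes into both the file name and the new `install` line with no visible check that it is non-empty. If `get_module_used_by_nic` returns nothing, the result is a line `install  /bin/true` in `/etc/modprobe.d/-blacklist.conf` that disables no driver, on the path that is meant to fail safe. mac_spoof_panic begins above the hunk and continues below it, so a guard may already exist; if not, wrapping the `echo` in a `[ -n "${module}" ]` test and calling `log` for the empty case would make the gap visible. A short comment above the `echo`, e.g. `# "install" rather than "blacklist": blacklist alone still allows an explicit modprobe`, would keep the reason from the commit message next to the code.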
......