Hello,
As far as I understood, the latest CVEs all depend on loading kernel modules which are "normally" not loaded.
The first thing would be to compile a kernel without them. https://github.com/graysky2/modprobed-db/ is a very nice tool to know which modules you need.
But what is a solution for the future if you do not want to build a kernel?
Would it be nice to list all currently loaded modules and deny all others with "/etc/modprobe.d/denied.conf"?
This command would list all kernel modules:
fd -e zst -tf . /lib/modules/$(uname -r)
This should list only the file names, but it doesn't work:
basename $(fd -e zst -tf . /lib/modules/$(uname -r))
The last thing would be to strip the file extension and then add
"$modulename /bin/false" to /etc/modprobe.d/denied.conf
Then it would be logged in journald if someone tries.
Anyone have some thoughts about that?
└─$ basename $(fd -e zst -tf . /lib/modules/$(uname -r))
basename: extra operand ‘/lib/modules/7.0.3-arch1-2/kernel/sound/xen/snd_xen_front.ko.zst’
so the better approach might be
fd -e zst -tf . /lib/modules/$(uname -r) -x basename
or strip the extension cleanly
fd -e zst -tf . /lib/modules/$(uname -r) \
| xargs -n1 basename \
| sed 's/\.ko\.zst$//'
Edit:
About /etc/modprobe.d/denied.conf, it works, but I believe the more standard/safer way is
install modulename /bin/false
Edit2:
To my understanding, kernel module loading isn't always direct. For example, a request might be for a device alias, not the module name:
modprobe resolves that alias => loads the module. So just listing .ko.zst filenames doesn't fully capture "what can be triggered indirectly"...
-------
Edit3
I'm kinda paranoid, so if your system doesn't need dynamic modules:
echo 1 | sudo tee /proc/sys/kernel/modules_disabled
No modules can be loaded at all; you must reboot to undo it.
Or use a "deny list" for high-risk modules: instead of denying everything, block filesystems you don't use (cramfs, freevxfs, etc.), "rare" networking protocols, obscure drivers.
Last edited by 5hridhyan (2026-05-09 10:09:44)
"Nothing matters" -a Nihilist
"Why bother thinking what matters?" -me
echo 1 | sudo tee /proc/sys/kernel/modules_disabled
But this only works after boot, and you have to set it manually/by script. When doing it in /etc/sysctl.d/, you need all modules in the initramfs, and you have to know which ones are right, or it may not even work!?
True,
But I think that's kind of the point: the initramfs is part of the trusted boot chain, so modules loaded there are assumed safe/required.
The goal of modules_disabled=1 is more about reducing attack surface *after* the system reaches userspace, where module auto-loading could be triggered indirectly (aliases, device events, yada yada yada).
Like, it's less about "no modules ever" and more about "freeze the module state once the system is up".
For systems that don't need dynamic module loading, you can just make sure the required modules are in the initramfs (mkinitcpio etc.), then disable further loading.
That said, yeah, it does require knowing what your system needs...
Last edited by 5hridhyan (2026-05-09 10:37:55)
Thank you 5hridhyan, here is a working solution with your help:
# all modules
fd -e zst -tf . /lib/modules/$(uname -r) \
| xargs -n1 basename \
| sed 's/\.ko\.zst$//' | sort > all-modules
# all current loaded modules
lsmod | sed '1d; s/ .*//' | sort > all-current-loaded-modules
# remove current loaded modules in all-modules and create the denied /etc/modprobe.d/conf
grep -vxF -f all-current-loaded-modules all-modules | sort | sed 's/^/install /' | sed 's/$/ \/bin\/false/' > denied-all-current-unloaded-modules.conf
# place denied-all-current-unloaded-modules.conf into /etc/modprobe.d/
But there are problems: the list of all modules seems not correct.
[root@archlinux ~]# modprobe vfr
modprobe: FATAL: Module vfr not found in directory /lib/modules/7.0.5-arch1-1
[root@archlinux ~]# modprobe visor
modprobe: ERROR: Error running install command '/bin/false' for module visor: retcode 1
modprobe: ERROR: could not insert 'visor': Invalid argument
The two modules are just examples; I picked them randomly.
The second module "visor" works (retcode 1).
But the first module doesn't even exist.
So the list of all modules contains stuff that doesn't count as a module name.
hmm, try w/
find /lib/modules/$(uname -r) -type f -name '*.ko*' -print0 \
| xargs -0 modinfo -F name 2>/dev/null \
| sed 's/-/_/g' | sort -u > all_real_modules.txt
get current modules
lsmod | awk 'NR>1 {print $1}' \
| sed 's/-/_/g' | sort -u > currently_loaded.txt
and
comm -23 all_real_modules.txt currently_loaded.txt \
| while IFS= read -r mod; do
echo "install $mod /bin/false"
done | sudo tee /etc/modprobe.d/me0w.conf > /dev/null
Edit:
If I were you, instead of all these, I'd just run: echo 1 | sudo tee /proc/sys/kernel/modules_disabled or make a service which runs it.
Edit2:
"latest CVEs are all dependent on loading unused modules"
Well, I believe that's not generally true: some kernel CVEs require module loading, some affect built-ins, some require CAP_SYS_MODULE, some are reachable via namespaces, ioctls, BPF, filesystems, networking stacks, etc.
Reducing available modules can reduce attack surface, but it's not some universal mitigation...
Last edited by 5hridhyan (Yesterday 08:57:55)
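Added example, not code posted by anyone in this thread: a small POSIX shell script that packages the two checks discussed above. build_denylist produces the "install <module> /bin/false" lines from a list of real module names (as modinfo -F name reports them) minus the currently loaded ones, normalising '-' to '_' first because modprobe treats the two as equivalent; missing_from_initramfs reports which loaded modules are absent from the initramfs, which is the list you would need to fix before freezing loading with kernel.modules_disabled=1 early in boot. The inputs are plain files with one module name per line; the commands named in the header comment for producing them on a real machine (and the lsinitcpio output format) are assumptions, and the demo runs on constructed lists only.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant).
#   build_denylist ALL LOADED         -> "install <mod> /bin/false" for every module
#                                        name in ALL that is not in LOADED
#   missing_from_initramfs LOADED IMG -> loaded modules absent from the initramfs list
# All inputs are text files, one module name per line. On a real system they
# could come from (assumption: usual Arch tooling, lsinitcpio output format):
#   find /lib/modules/$(uname -r) -name '*.ko*' -print0 | xargs -0 modinfo -F name
#   lsmod | awk 'NR>1 {print $1}'
#   lsinitcpio /boot/initramfs-linux.img | grep '\.ko' | xargs -n1 basename | sed 's/\.ko.*$//'
# The demo below uses small constructed lists instead.
set -u
export LC_ALL=C   # comm needs both inputs sorted with the same collation

# modprobe treats '-' and '_' in module names as equivalent; compare one form only
normalize() {
    sed -e 's/-/_/g' -e '/^$/d' "$1" | sort -u
}

build_denylist() {
    all=$(mktemp); loaded=$(mktemp)
    normalize "$1" > "$all"
    normalize "$2" > "$loaded"
    # lines only in ALL: modules present on disk but not currently loaded
    comm -23 "$all" "$loaded" | while IFS= read -r mod; do
        printf 'install %s /bin/false\n' "$mod"
    done
    rm -f "$all" "$loaded"
}

missing_from_initramfs() {
    loaded=$(mktemp); img=$(mktemp)
    normalize "$1" > "$loaded"
    normalize "$2" > "$img"
    # lines only in LOADED: running modules the initramfs does not carry
    comm -23 "$loaded" "$img"
    rm -f "$loaded" "$img"
}

# Constructed sample data (not from any real machine); prints the temp dir used
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' snd_xen_front visor cramfs freevxfs nf_tables ext4 kvm-intel > "$d/all"
    printf '%s\n' ext4 kvm_intel nf_tables > "$d/loaded"
    printf '%s\n' ext4 nf_tables > "$d/initramfs"
    printf '%s\n' "$d"
}

# Demo run on the constructed lists
demo_dir=$(make_samples)
echo "# denylist (would go to /etc/modprobe.d/denied.conf):"
build_denylist "$demo_dir/all" "$demo_dir/loaded"
echo "# loaded modules missing from the initramfs:"
missing_from_initramfs "$demo_dir/loaded" "$demo_dir/initramfs"
rm -rf "$demo_dir"
```

On the sample lists the denylist contains cramfs, freevxfs, snd_xen_front and visor, and kvm_intel is flagged as loaded but not in the initramfs. Because the alias resolution described earlier happens before modprobe applies install directives, keying the denylist on the names modinfo -F name reports (rather than on file names) also covers requests that arrive via a device alias.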