On 7/21/14, intrigeri <[email protected]> wrote:
> Hi,
>
> (Created https://labs.riseup.net/code/issues/7639 to track this all.)
>

Thanks!

> Jacob Appelbaum wrote (21 Jul 2014 19:54:57 GMT) :
>> On 7/21/14, intrigeri <[email protected]> wrote:
>>> However, removing modules altogether is no more work than blacklisting
>>> them: we can do it either via chroot_local-hooks (and then, regenerate
>>> the initrd's), or with the exclude file passed to mksquashfs (but in
>>> this case, if any of the blacklisted modules is in the initrd's, then
>>> we're not really removing it; so likely a hook is better).
>>>
>
>> Is that true? Isn't blacklisting them as simple as adding a few lines
>> to /etc/modprobe.d/blacklist.conf?
>
> Right. Which is not much easier than maintaining a text file with
> a list of module names, and writing a ~10-line build-time hook that
> runs find -delete on these names, and then runs update-initramfs.
> If we prefer to remove modules entirely, I can do that.

Sounds reasonable.

>
> In any case, I think the (one-time) cost of implementing this
> mechanism will be totally negligible, compared to the energy needed
> to create and maintain the blacklist.

I think we should consider using the Ubuntu list of modules as a starting point.

>
>> I think there are some modules we will never want (e.g. appletalk) and
>> some people may one day force load (ax25) for their HAM radio
>> emergencies.
>
> Good point. Then, we might want to keep some modules blacklisted, even
> when we move from blacklisting to removing. So, we need two lists.
>

Sure, we may need two lists in the long run.

>> Is the right place to put things in /etc/modprobe.d/blacklist.conf
>> as I think?
>
> I think we'll want to use a less generic name, such as
> tails-blacklist.conf.
>

The reason I suggested blacklist.conf is that it already exists. If you want to create a different file, it certainly won't make sense to send it directly to Debian; won't it remain a Tails delta?

>> This would be my first addition to that file:
>
> I've just created https://tails.boum.org/blueprint/blacklist_modules/,
> and added your list to it. Please add a rationale for each module
> there (why it's useless and/or dangerous), as we won't just add
> modules to the blacklist because someone pretending to be Jake on
> a mailing-list said so :)
>

Ok.

> Also, for anyone interested in working on this blacklist, Ubuntu and
> Fedora have had some for years:
>
> * https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
> * https://wiki.ubuntu.com/Security/Features#blacklist-rare-net
>

Shall we take those two as the base sets to list?

> These are well tested, and would be a good basis. Likely we'll want to
> go further in Tails, but at least *this* should really be ported to
> Debian, and not carried as a Tails delta.

How would Debian want such a patch? It seems unlikely that tails-blacklist.conf will be taken upstream by the name alone...

All the best,
Jacob

_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
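The two-list scheme the thread converges on (modules deleted at build time, plus modules that are only blacklisted so they can still be force-loaded), written out as an added example that is not Tails' own chroot_local-hook. The list contents and their rationales are constructed, the `tails-blacklist.conf` output name follows the suggestion in the thread, and the `RUN_UPDATE_INITRAMFS` switch is an assumption added so the script can be exercised on a scratch directory:

```shell
#!/bin/sh
# Added example, not a Tails build hook. Two plain-text lists drive both the
# modprobe.d blacklist and the build-time removal pass described in the thread.
set -eu

# Constructed lists, one entry per line: "<module> <rationale>". The rationales
# are placeholders; the real ones belong on the blueprint page.
# REMOVE_LIST: modules deleted from the modules tree at build time (and also
# blacklisted, which is harmless if a copy survives somewhere).
# BLACKLIST_ONLY: modules kept on disk but not auto-loaded, so that somebody who
# needs one (ax25 for amateur radio) can still "modprobe" it by hand.
REMOVE_LIST='appletalk obsolete protocol, no use on a live system
dccp rarely used transport protocol, not needed'
BLACKLIST_ONLY='ax25 amateur-radio protocol, kept so it can be force-loaded'

# Read list lines on stdin and print modprobe.d lines with the rationale as a
# comment. A blacklist entry only stops alias-based automatic loading; an
# explicit "modprobe <module>" still succeeds, which is the point of the
# second list.
gen_blacklist_conf() {
    while read -r mod rationale; do
        case $mod in ''|'#'*) continue ;; esac
        printf '# %s\nblacklist %s\n' "$rationale" "$mod"
    done
}

# Read list lines on stdin and delete the matching module files under the
# modules tree given as $1 (normally /lib/modules/<version>), printing each
# path it removes. Both plain .ko and compressed .ko.* files are matched.
remove_modules() {
    tree=$1
    while read -r mod _; do
        case $mod in ''|'#'*) continue ;; esac
        find "$tree" -type f \( -name "$mod.ko" -o -name "$mod.ko.*" \) \
            -print -delete
    done
}

# Build-hook entry point: $1 = modules tree, $2 = blacklist file to write
# (assumed name: /etc/modprobe.d/tails-blacklist.conf). Prints the removed
# module files. Deleting a module from the tree is not enough if the initrd
# already contains it, so the hook ends by regenerating the initrd; that step
# is gated on RUN_UPDATE_INITRAMFS=1 so the script can be exercised on a
# scratch directory without touching the running system.
build_hook() {
    tree=$1
    conf=$2
    printf '%s\n%s\n' "$REMOVE_LIST" "$BLACKLIST_ONLY" | gen_blacklist_conf > "$conf"
    printf '%s\n' "$REMOVE_LIST" | remove_modules "$tree"
    if [ "${RUN_UPDATE_INITRAMFS:-0}" = 1 ]; then
        update-initramfs -u -k all
    fi
}

# Usage inside a build chroot (not run here):
#   RUN_UPDATE_INITRAMFS=1 build_hook "/lib/modules/$(uname -r)" /etc/modprobe.d/tails-blacklist.conf
```

Keeping the rationale next to each module name in the list, and emitting it as a comment into the generated file, addresses the request above that every blacklisted module carry a reason; it also means a reviewer can diff the list rather than the generated file when a module is added or dropped.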
