Open souchikjoardar201 opened 2 months ago
Hello,
Thanks for the suggestion and sorry for the delay in response.
I think this is great idea in terms of improving defence-in-depth, even though as you say it is probably unnecessary.
There are two areas to discuss:
Blacklisting (blacklist
) prevents them from loading automatically. Disabling prevents them from being loaded using something along the lines of install gps /usr/bin/disabled-gps-by-security-misc
.
I would personally suggest disabling them as I can not currently see a scenario where any user requires any of the modules.
A more complete list would be include gnss-usb
and gnss-mtk
as shown below:
gnss
gnss-serial
gnss-sirf
gnss-ubx
gnss-usb
gnss-mtk
Let me know what you think.
Disabling prevents them from being loaded using something along the lines of install gps /usr/bin/disabled-gps-by-security-misc
Yeah that seems good and kinda what I was getting at. I got confused with the difference between blacklisting and disabling.
I can not currently see a scenario where any user requires any of the modules.
I can only see this for something like relating to radio like LoRa or something along those lines but i'm not even sure as i have never used so I'm not sure what modules are used for those use cases?
Blacklist other GPS modules like GNSS (Global Navigation Satellite System)
garmin_gps
is another gps driver but that is already blacklisted in 30_security-misc.confhttps://github.com/Kicksecure/security-misc/blob/a9886a3119f9b662b15fc26d28a7fedf316b72c4/etc/modprobe.d/30_security-misc.conf#L107
This might be unnecessary but to be "just to be safe" type of thing in the case a malicious actor trys to load them or etc.
I dont know of any other GPS modules that are included? But this might be something to look into further.