Kicksecure / security-misc

Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

Blacklist other GPS modules like GNSS #217

Open souchikjoardar201 opened 2 months ago

souchikjoardar201 commented 2 months ago

Blacklist other GPS modules like GNSS (Global Navigation Satellite System)

garmin_gps is another gps driver but that is already blacklisted in 30_security-misc.conf

https://github.com/Kicksecure/security-misc/blob/a9886a3119f9b662b15fc26d28a7fedf316b72c4/etc/modprobe.d/30_security-misc.conf#L107

ls /lib/modules/`uname -r`/kernel/drivers/gnss | sed "s/\.ko//"
blacklist gnss
blacklist gnss-serial
blacklist gnss-sirf
blacklist gnss-ubx

This might be unnecessary, but it is a "just to be safe" type of thing in case a malicious actor tries to load them, etc.

I don't know of any other GPS modules that are included? But this might be something to look into further.

raja-grewal commented 2 months ago

Hello,

Thanks for the suggestion and sorry for the delay in response.

I think this is a great idea in terms of improving defence-in-depth, even though as you say it is probably unnecessary.

There are two areas to discuss:

  1. Should we just blacklist or outright disable the modules?

Blacklisting (blacklist) prevents them from loading automatically. Disabling prevents them from being loaded using something along the lines of install gps /usr/bin/disabled-gps-by-security-misc.

I would personally suggest disabling them as I can not currently see a scenario where any user requires any of the modules.

  2. Should the scope of module blocking only encompass the modules you listed or should we expand it to include those that will likely be in future LTS kernels?

A more complete list would include gnss-usb and gnss-mtk as shown below:

gnss
gnss-serial
gnss-sirf
gnss-ubx
gnss-usb
gnss-mtk

Let me know what you think.
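
The difference between the two directives discussed in this comment, as an added example that is not part of the thread or of security-misc's own code: a shell audit that reports, for each GNSS module listed above, whether a modprobe.d fragment only blacklists it (automatic loading blocked, an explicit modprobe by name still works) or overrides it with an install line. The config text is a constructed sample, and `norm`, `module_status` and `audit` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of a modprobe.d fragment (NOT the project's real file).
# The install target is the path floated in the comment above.
SAMPLE_CONF='# constructed sample
blacklist gnss
blacklist gnss-serial
install gnss-sirf /usr/bin/disabled-gps-by-security-misc
install gnss_ubx /usr/bin/disabled-gps-by-security-misc
blacklist gnss-usb
install gnss-usb /usr/bin/disabled-gps-by-security-misc
'

# modprobe treats "-" and "_" in module names as the same character,
# so normalise before comparing.
norm() { printf '%s' "$1" | sed 's/-/_/g'; }

# module_status CONF_TEXT MODULE -> disabled | blacklisted | unprotected
# Assumption: any install override points at a command that does not
# load the module (this audit does not inspect the command itself).
module_status() {
    want=$(norm "$2")
    status=unprotected
    while read -r directive name rest; do
        case $directive in
            blacklist|install) ;;
            *) continue ;;          # comments, blank lines, other directives
        esac
        [ "$(norm "$name")" = "$want" ] || continue
        if [ "$directive" = install ]; then
            status=disabled         # install override wins over blacklist
        elif [ "$status" = unprotected ]; then
            status=blacklisted      # autoload blocked, manual load possible
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$status"
}

# audit CONF_TEXT MODULE... -> one "module status" line per module
audit() {
    conf=$1; shift
    for m in "$@"; do
        printf '%s %s\n' "$m" "$(module_status "$conf" "$m")"
    done
}

audit "$SAMPLE_CONF" gnss gnss-serial gnss-sirf gnss-ubx gnss-usb gnss-mtk
```

To audit a real system, pass the concatenated contents of the modprobe.d directories as the first argument instead of the sample.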

souchikjoardar201 commented 1 month ago

> Disabling prevents them from being loaded using something along the lines of install gps /usr/bin/disabled-gps-by-security-misc

Yeah that seems good and kinda what I was getting at. I got confused with the difference between blacklisting and disabling.

> I can not currently see a scenario where any user requires any of the modules.

I can only see this for something relating to radio, like LoRa or something along those lines, but I'm not even sure as I have never used it, so I'm not sure what modules are used for those use cases?