security-misc icon indicating copy to clipboard operation
security-misc copied to clipboard

Published 20 hours ago verified publisher icon Kicksecure

Blacklist other GPS modules like GNSS

Open souchikjoardar201 opened this issue 10 months ago • 2 comments

Blacklist other GPS modules like GNSS (Global Navigation Satellite System)

garmin_gps is another gps driver but that is already blacklisted in 30_security-misc.conf

https://github.com/Kicksecure/security-misc/blob/a9886a3119f9b662b15fc26d28a7fedf316b72c4/etc/modprobe.d/30_security-misc.conf#L107

ls /lib/modules/`uname -r`/kernel/drivers/gnss | sed "s/\.ko//"

blacklist gnss
blacklist gnss-serial
blacklist gnss-sirf
blacklist gnss-ubx

This might be unnecessary but to be "just to be safe" type of thing in the case a malicious actor trys to load them or etc.

I dont know of any other GPS modules that are included? But this might be something to look into further.

souchikjoardar201 avatar Apr 12 '24 21:04 souchikjoardar201

Hello,

Thanks for the suggestion and sorry for the delay in response.

I think this is great idea in terms of improving defence-in-depth, even though as you say it is probably unnecessary.

There are two areas to discuss:

  1. Should we just blacklist or outright disable the modules?

Blacklisting (blacklist) prevents them from loading automatically. Disabling prevents them from being loaded using something along the lines of install gps /usr/bin/disabled-gps-by-security-misc.

I would personally suggest disabling them as I can not currently see a scenario where any user requires any of the modules.

  1. Should the scope of module blocking only encompass the modules you listed or should we expand it to include those that will likely be in future LTS kernels?

A more complete list would be include gnss-usb and gnss-mtk as shown below:

gnss
gnss-serial
gnss-sirf
gnss-ubx
gnss-usb
gnss-mtk

Let me know what you think.

raja-grewal avatar May 01 '24 02:05 raja-grewal