이 콘텐츠는 선택한 언어로 제공되지 않습니다.
31.5. Blacklisting a Module
Sometimes, for various performance or security reasons, it is necessary to prevent the system from using a certain kernel module. This can be achieved by module blacklisting, which is a mechanism used by the modprobe utility to ensure that the kernel cannot automatically load certain modules, or that the modules cannot be loaded at all. This is useful in certain situations, such as when using a certain module poses a security risk to your system, or when the module controls the same hardware or service as another module, and loading both modules would cause the system, or its component, to become unstable or non-operational.
To blacklist a module, you have to add the following line to the specified configuration file in the
/etc/modprobe.d/
directory as root:
blacklist <module_name>
where <module_name> is the name of the module being blacklisted.
You can modify the
/etc/modprobe.d/blacklist.conf
file that already exists on the system by default. However, the preferred method is to create a separate configuration file, /etc/modprobe.d/<module_name>.conf
, that will contain settings specific only to the given kernel module.
Example 31.4. An example of /etc/modprobe.d/blacklist.conf
# # Listing a module here prevents the hotplug scripts from loading it. # Usually that'd be so that some other driver will bind it instead, # no matter which driver happens to get probed first. Sometimes user # mode tools can also control driver binding. # # Syntax: see modprobe.conf(5). # # watchdog drivers blacklist i8xx_tco # framebuffer drivers blacklist aty128fb blacklist atyfb blacklist radeonfb blacklist i810fb blacklist cirrusfb blacklist intelfb blacklist kyrofb blacklist i2c-matroxfb blacklist hgafb blacklist nvidiafb blacklist rivafb blacklist savagefb blacklist sstfb blacklist neofb blacklist tridentfb blacklist tdfxfb blacklist virgefb blacklist vga16fb blacklist viafb # ISDN - see bugs 154799, 159068 blacklist hisax blacklist hisax_fcpcipnp # sound drivers blacklist snd-pcsp # I/O dynamic configuration support for s390x (bz #563228) blacklist chsc_sch
The
blacklist <module_name>
command, however, does not prevent the module from being loaded manually, or from being loaded as a dependency for another kernel module that is not blacklisted. To ensure that a module cannot be loaded on the system at all, modify the specified configuration file in the /etc/modprobe.d/
directory as root with the following line:
install <module_name> /bin/true
where <module_name> is the name of the blacklisted module.
Example 31.5. Using module blacklisting as a temporary problem solution
Let's say that a flaw in the Linux kernel's PPP over L2TP module (
pppol2pt
) has been found, and this flaw could be misused to compromise your system. If your system does not require the pppol2pt
module to function, you can follow this procedure to blacklist pppol2pt
completely until this problem is fixed:
- Verify whether
pppol2pt
is currently loaded in the kernel by running the following command:~]#
lsmod | grep ^pppol2tp && echo "The module is loaded" || echo "The module is not loaded"
- If the module is loaded, you need to unload it and all its dependencies to prevent its possible misuse. See Section 31.4, “Unloading a Module” for instructions on how to safely unload it.
- Run the following command to ensure that
pppol2pt
cannot be loaded to the kernel:~]#
echo "install pppol2tp /bin/true" > /etc/modprobe.d/pppol2tp.conf
Note that this command overwrites the content of the/etc/modprobe.d/pppol2tp.conf
file if it already exists on your system. Check and back up your existingpppol2tp.conf
before running this command. Also, if you were unable to unload the module, you have to reboot the system for this command to take effect.
After the problem with the
pppol2pt
module has been properly fixed, you can delete the /etc/modprobe.d/pppol2tp.conf
file or restore its previous content, which will allow your system to load the pppol2pt
module with its original configuration.
Important
Before blacklisting a kernel module, always ensure that the module is not vital for your current system configuration to function properly. Improper blacklisting of a key kernel module can result in an unstable or non-operational system.