[PATCH v3] Add kernel parameter to blacklist modules

[PATCH v3] Add kernel parameter to blacklist modules

[Prarit Bhargava]

Blacklisting a module in linux has long been a problem.  The current
procedure is to use rd.blacklist=module_name, however, that doesn't
cover the case after the initramfs and before a boot prompt (where one
is supposed to use /etc/modprobe.d/blacklist.conf to blacklist
runtime loading). Using rd.shell to get an early prompt is hit-or-miss,
and doesn't cover all situations AFAICT.

This patch adds this functionality of permanently blacklisting a module
by its name via the kernel parameter module_blacklist=module_name.

[v2]: Rusty, use core_param() instead of __setup() which simplifies
things.

[v3]: Rusty, undo wreckage from strsep()

Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: linux-doc@vger.kernel.org
---
 Documentation/kernel-parameters.txt |    3 +++
 kernel/module.c                     |   29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 82b42c958d1c..c720b96f2efc 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2295,6 +2295,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			Note that if CONFIG_MODULE_SIG_FORCE is set, that
 			is always true, so this option does nothing.
 
+	module_blacklist=  [KNL] Do not load a comma-separated list of
+			modules.  Useful for debugging problem modules.
+
 	mousedev.tap_time=
 			[MOUSE] Maximum time between finger touching and
 			leaving touchpad surface for touch to be considered
diff --git a/kernel/module.c b/kernel/module.c
index 5f71aa63ed2a..5240da88af79 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -3155,6 +3155,32 @@ int __weak module_frob_arch_sections(Elf_Ehdr *hdr,
 	return 0;
 }
 
+/* module_blacklist is a comma-separated list of module names */
+static char *module_blacklist;
+static bool blacklisted(char *module_name)
+{
+	char *str, *entry;
+
+	if (!module_blacklist)
+		return false;
+
+	str = module_blacklist;
+	do {
+		if (str != module_blacklist)
+			module_blacklist[strlen(str) - 1] = ',';
+		entry = strsep(&str, ",");
+		if (!strcmp(module_name, entry)) {
+			pr_info("module %s is blacklisted\n", module_name);
+			if (str != module_blacklist)
+				module_blacklist[strlen(str) - 1] = ',';
+			return true;
+		}
+	} while (str);
+
+	return false;
+}
+core_param(module_blacklist, module_blacklist, charp, 0400);
+
 static struct module *layout_and_allocate(struct load_info *info, int flags)
 {
 	/* Module within temporary copy. */
@@ -3165,6 +3191,9 @@ static struct module *layout_and_allocate(struct load_info *info, int flags)
 	if (IS_ERR(mod))
 		return mod;
 
+	if (blacklisted(mod->name))
+		return ERR_PTR(-EPERM);
+
 	err = check_modinfo(mod, info, flags);
 	if (err)
 		return ERR_PTR(err);
-- 
1.7.9.3

[PATCH v3] Add kernel parameter to blacklist modules

[Prarit Bhargava]

Rusty?  Didn't see anything from you on this ... resending.

P.


----8<----

Blacklisting a module in linux has long been a problem.  The current
procedure is to use rd.blacklist=module_name, however, that doesn't
cover the case after the initramfs and before a boot prompt (where one
is supposed to use /etc/modprobe.d/blacklist.conf to blacklist
runtime loading). Using rd.shell to get an early prompt is hit-or-miss,
and doesn't cover all situations AFAICT.

This patch adds this functionality of permanently blacklisting a module
by its name via the kernel parameter module_blacklist=module_name.

[v2]: Rusty, use core_param() instead of __setup() which simplifies
things.

[v3]: Rusty, undo wreckage from strsep()

Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: linux-doc@vger.kernel.org
---
 Documentation/kernel-parameters.txt |    3 +++
 kernel/module.c                     |   29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 82b42c958d1c..c720b96f2efc 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2295,6 +2295,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			Note that if CONFIG_MODULE_SIG_FORCE is set, that
 			is always true, so this option does nothing.
 
+	module_blacklist=  [KNL] Do not load a comma-separated list of
+			modules.  Useful for debugging problem modules.
+
 	mousedev.tap_time=
 			[MOUSE] Maximum time between finger touching and
 			leaving touchpad surface for touch to be considered
diff --git a/kernel/module.c b/kernel/module.c
index 5f71aa63ed2a..5240da88af79 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -3155,6 +3155,32 @@ int __weak module_frob_arch_sections(Elf_Ehdr *hdr,
 	return 0;
 }
 
+/* module_blacklist is a comma-separated list of module names */
+static char *module_blacklist;
+static bool blacklisted(char *module_name)
+{
+	char *str, *entry;
+
+	if (!module_blacklist)
+		return false;
+
+	str = module_blacklist;
+	do {
+		if (str != module_blacklist)
+			module_blacklist[strlen(str) - 1] = ',';
+		entry = strsep(&str, ",");
+		if (!strcmp(module_name, entry)) {
+			pr_info("module %s is blacklisted\n", module_name);
+			if (str != module_blacklist)
+				module_blacklist[strlen(str) - 1] = ',';
+			return true;
+		}
+	} while (str);
+
+	return false;
+}
+core_param(module_blacklist, module_blacklist, charp, 0400);
+
 static struct module *layout_and_allocate(struct load_info *info, int flags)
 {
 	/* Module within temporary copy. */
@@ -3165,6 +3191,9 @@ static struct module *layout_and_allocate(struct load_info *info, int flags)
 	if (IS_ERR(mod))
 		return mod;
 
+	if (blacklisted(mod->name))
+		return ERR_PTR(-EPERM);
+
 	err = check_modinfo(mod, info, flags);
 	if (err)
 		return ERR_PTR(err);
-- 
1.7.9.3

Re: [PATCH v3] Add kernel parameter to blacklist modules

[Rusty Russell]

Prarit Bhargava <prarit@redhat.com> writes:
> Blacklisting a module in linux has long been a problem.  The current
> procedure is to use rd.blacklist=module_name, however, that doesn't
> cover the case after the initramfs and before a boot prompt (where one
> is supposed to use /etc/modprobe.d/blacklist.conf to blacklist
> runtime loading). Using rd.shell to get an early prompt is hit-or-miss,
> and doesn't cover all situations AFAICT.
>
> This patch adds this functionality of permanently blacklisting a module
> by its name via the kernel parameter module_blacklist=module_name.
>
> [v2]: Rusty, use core_param() instead of __setup() which simplifies
> things.
>
> [v3]: Rusty, undo wreckage from strsep()

There's no locking here, meaning that something can easily slip through
the blacklist.

This time for sure! (UNTESTED!)

static bool blacklisted(char *module_name)
{
	const char *p;
        size_t len;

	if (!module_blacklist)
		return false;

        for (p = module_blacklist; *p; p += len) {
                len = strcspn(p, ",");
                if (strlen(module_name) == len && !memcmp(module_name, p, len))
                        return true;
                if (p[len] == ',')
                        len++;
        }
        return false;
}

Thanks,
Rusty.

>
> Signed-off-by: Prarit Bhargava <prarit@redhat.com>
> Cc: Jonathan Corbet <corbet@lwn.net>
> Cc: Rusty Russell <rusty@rustcorp.com.au>
> Cc: linux-doc@vger.kernel.org
> ---
>  Documentation/kernel-parameters.txt |    3 +++
>  kernel/module.c                     |   29 +++++++++++++++++++++++++++++
>  2 files changed, 32 insertions(+)
>
> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
> index 82b42c958d1c..c720b96f2efc 100644
> --- a/Documentation/kernel-parameters.txt
> +++ b/Documentation/kernel-parameters.txt
> @@ -2295,6 +2295,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>  			Note that if CONFIG_MODULE_SIG_FORCE is set, that
>  			is always true, so this option does nothing.
>  
> +	module_blacklist=  [KNL] Do not load a comma-separated list of
> +			modules.  Useful for debugging problem modules.
> +
>  	mousedev.tap_time=
>  			[MOUSE] Maximum time between finger touching and
>  			leaving touchpad surface for touch to be considered
> diff --git a/kernel/module.c b/kernel/module.c
> index 5f71aa63ed2a..5240da88af79 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -3155,6 +3155,32 @@ int __weak module_frob_arch_sections(Elf_Ehdr *hdr,
>  	return 0;
>  }
>  
> +/* module_blacklist is a comma-separated list of module names */
> +static char *module_blacklist;
> +static bool blacklisted(char *module_name)
> +{
> +	char *str, *entry;
> +
> +	if (!module_blacklist)
> +		return false;
> +
> +	str = module_blacklist;
> +	do {
> +		if (str != module_blacklist)
> +			module_blacklist[strlen(str) - 1] = ',';
> +		entry = strsep(&str, ",");
> +		if (!strcmp(module_name, entry)) {
> +			pr_info("module %s is blacklisted\n", module_name);
> +			if (str != module_blacklist)
> +				module_blacklist[strlen(str) - 1] = ',';
> +			return true;
> +		}
> +	} while (str);
> +
> +	return false;
> +}
> +core_param(module_blacklist, module_blacklist, charp, 0400);
> +
>  static struct module *layout_and_allocate(struct load_info *info, int flags)
>  {
>  	/* Module within temporary copy. */
> @@ -3165,6 +3191,9 @@ static struct module *layout_and_allocate(struct load_info *info, int flags)
>  	if (IS_ERR(mod))
>  		return mod;
>  
> +	if (blacklisted(mod->name))
> +		return ERR_PTR(-EPERM);
> +
>  	err = check_modinfo(mod, info, flags);
>  	if (err)
>  		return ERR_PTR(err);
> -- 
> 1.7.9.3

[PATCH v5] Add kernel parameter to blacklist modules

[Prarit Bhargava]

Rusty, this looks like it will work.  I tested this by adding

	module_blacklist=acpi_cpufreq,dummy_module

as a kernel parameter, and verified that acpi_cpufreq was not loaded
during the initrd and systemd phases of the boot.  I then tried to
manually load a simple module called dummy_module.ko which fails with

[root@dell-per330-01 ~]# insmod dummy-module.ko
insmod: ERROR: could not insert module dummy-module.ko: Operation not
permitted

P.

---8<----

Blacklisting a module in linux has long been a problem.  The current
procedure is to use rd.blacklist=module_name, however, that doesn't
cover the case after the initramfs and before a boot prompt (where one
is supposed to use /etc/modprobe.d/blacklist.conf to blacklist
runtime loading). Using rd.shell to get an early prompt is hit-or-miss,
and doesn't cover all situations AFAICT.

This patch adds this functionality of permanently blacklisting a module
by its name via the kernel parameter module_blacklist=module_name.

[v2]: Rusty, use core_param() instead of __setup() which simplifies
things.

[v3]: Rusty, undo wreckage from strsep()

[v4]: Rusty, simpler version of blacklisted()

Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: linux-doc@vger.kernel.org
---
 Documentation/kernel-parameters.txt |    3 +++
 kernel/module.c                     |   24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 82b42c958d1c..c720b96f2efc 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2295,6 +2295,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			Note that if CONFIG_MODULE_SIG_FORCE is set, that
 			is always true, so this option does nothing.
 
+	module_blacklist=  [KNL] Do not load a comma-separated list of
+			modules.  Useful for debugging problem modules.
+
 	mousedev.tap_time=
 			[MOUSE] Maximum time between finger touching and
 			leaving touchpad surface for touch to be considered
diff --git a/kernel/module.c b/kernel/module.c
index 5f71aa63ed2a..33b85824d30b 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -3155,6 +3155,27 @@ int __weak module_frob_arch_sections(Elf_Ehdr *hdr,
 	return 0;
 }
 
+/* module_blacklist is a comma-separated list of module names */
+static char *module_blacklist;
+static bool blacklisted(char *module_name)
+{
+	const char *p;
+	size_t len;
+
+	if (!module_blacklist)
+		return false;
+
+	for (p = module_blacklist; *p; p += len) {
+		len = strcspn(p, ",");
+		if (strlen(module_name) == len && !memcmp(module_name, p, len))
+			return true;
+		if (p[len] == ',')
+			len++;
+	}
+	return false;
+}
+core_param(module_blacklist, module_blacklist, charp, 0400);
+
 static struct module *layout_and_allocate(struct load_info *info, int flags)
 {
 	/* Module within temporary copy. */
@@ -3165,6 +3186,9 @@ static struct module *layout_and_allocate(struct load_info *info, int flags)
 	if (IS_ERR(mod))
 		return mod;
 
+	if (blacklisted(mod->name))
+		return ERR_PTR(-EPERM);
+
 	err = check_modinfo(mod, info, flags);
 	if (err)
 		return ERR_PTR(err);
-- 
1.7.9.3

Re: [PATCH v5] Add kernel parameter to blacklist modules

[Rusty Russell]

Prarit Bhargava <prarit@redhat.com> writes:
> Rusty, this looks like it will work.  I tested this by adding

Applied.

Hey, we got there in the end!

Thanks for your patience,
Rusty.