Remix clone Hacker News

new | show | ask | jobs Github

	▲	Bender a day ago
		modprobe by name still works, even if the module is blacklisted, and so does insmod and the syscalls they use. Agreed. There is a way but I would never recommend it to anyone. Showing just for completeness sake in the event anyone else suggests it but do not do this and certainly never put it in a config file or "bad things will happen ©2009-2026". `# rmmod the module of concern first, then if that exits with the correct exit code: sysctl -w kernel.modules_disabled = 1 sysctl -w kernel.kexec_load_disabled = 1` Once activated these settings will remain immutable until reboot. These settings can break OS updates among a myriad of other things. Calculating risk requires a dungeon leader, 4d20 dice and 12 magic 8-balls to form a quorum. Probably safer to just limit access based on role and then update the OS as soon as it is feasible to do so. Leave the role based access controls in place. If anyone complains add them to the on-call rotation.