From 597651c526fca39677a2c1288c5d8f2df55614b1 Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Fri, 8 May 2026 10:50:07 -0400
Subject: [PATCH 1/2] Blacklist modules via ansible

---
blacklist_mods.yml | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 blacklist_mods.yml

diff --git a/blacklist_mods.yml b/blacklist_mods.yml
new file mode 100644
index 0000000..a1a12d1
--- /dev/null
+++ b/blacklist_mods.yml
@@ -0,0 +1,37 @@
+- name: Blacklist kernel modules
+ hosts: all
+ become: yes
+ gather_facts: no
+
+ vars:
+ modules_to_blacklist:
+ # DirtyFrag
+ - esp4
+ - esp6
+ - rxrpc
+
+ tasks:
+ - name: Ensure blacklist directory exists
+ file:
+ path: /etc/modprobe.d
+ state: directory
+ mode: '0755'
+
+ - name: Check if module is currently loaded
+ shell: "lsmod | grep -qw '{{ item }}'"
+ loop: "{{ modules_to_blacklist }}"
+ register: lsmod_check
+ changed_when: false
+ # If rc is 0, the module is loaded -> Fail the task
+ failed_when: lsmod_check.rc == 0
+
+ - name: Blacklist kernel modules
+ # Only executes if the previous task succeeded (meaning module was NOT loaded)
+ lineinfile:
+ path: /etc/modprobe.d/blacklist.conf
+ line: "blacklist {{ item }}"
+ create: yes
+ mode: '0644'
+ state: present
+ loop: "{{ modules_to_blacklist }}"
+

From 984f04e7398e8dc67780fd2c3e001427edd748fa Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Fri, 8 May 2026 13:31:17 -0400
Subject: [PATCH 2/2] Force /bin/false return on dependent or forced load attempts

---
blacklist_mods.yml | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/blacklist_mods.yml b/blacklist_mods.yml
index a1a12d1..5e34c5c 100644
--- a/blacklist_mods.yml
+++ b/blacklist_mods.yml
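Review bot: The `failed_when: lsmod_check.rc == 0` on the "Check if module is currently loaded" task aborts the play on exactly the hosts that need remediation, so a host with esp4/esp6/rxrpc resident never gets a blacklist entry written, and the comment on the next task ("Only executes if the previous task succeeded") documents that gap rather than fixing it. I would let the check pass, write the blacklist unconditionally, and only then report hosts where a module is still resident, since a modprobe.d entry only affects future loads and an already-loaded module stays until `modprobe -r` or a reboot. Two practitioner caveats are worth a comment above the `lineinfile` task: on distros that copy /etc/modprobe.d into the initramfs an image rebuild (`update-initramfs -u` / `dracut -f`) is needed for early-boot enforcement, and `/etc/modprobe.d/blacklist.conf` may be a package-managed file on some distros, so a dedicated file such as `/etc/modprobe.d/dirtyfrag.conf` is safer. Style: `become: yes`, `gather_facts: no` and `create: yes` should be the canonical `true`/`false`.
```yaml
    - name: Check if module is currently loaded
      shell: "lsmod | grep -qw '{{ item }}'"
      loop: "{{ modules_to_blacklist }}"
      register: lsmod_check
      changed_when: false
      # rc 0 = loaded, 1 = not loaded; never abort here, the blacklist must still be written
      failed_when: lsmod_check.rc not in [0, 1]

    # … unchanged: blacklist lineinfile task …

    - name: Report modules that are still loaded (blacklist only affects future loads)
      fail:
        msg: "{{ item.item }} is loaded; run 'modprobe -r {{ item.item }}' or reboot"
      loop: "{{ lsmod_check.results }}"
      when: item.rc == 0
```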
@@ -35,3 +35,11 @@
 state: present
 loop: "{{ modules_to_blacklist }}"
 
+ - name: Force /bin/false return on attempts to load kernel modules
+ lineinfile:
+ path: /etc/modprobe.d/blacklist.conf
+ line: "install {{ item }} /bin/false"
+ create: yes
+ mode: '0644'
+ state: present
+ loop: "{{ modules_to_blacklist }}"
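Review bot: `lineinfile` with only `line:` and `state: present` appends and will not replace a pre-existing `install esp4 /bin/true` (or any other `install` directive for the same module) already in blacklist.conf, leaving two conflicting directives; add `regexp: '^install {{ item }}\s'` next to `line:` so the task owns that line. The `install … /bin/false` override is honoured by `modprobe` and by dependency resolution but not by `insmod` or `modprobe --ignore-install`, so for a hard guarantee pair it with `kernel.modules_disabled=1` once the modules the host needs are loaded, or with signed-module enforcement; that deserves a comment above the task, e.g. `# Blocks modprobe/dependency loads only; insmod still works — see kernel.modules_disabled`. The enclosing play and its earlier tasks start outside the hunk.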