Blacklisting modules on Linux

Blacklisting modules prevents them from being loaded and used, and it is sometimes an important step in keeping a system running properly.

Blacklisting modules on Linux
Elvert Barnes (CC BY-SA 2.0)

The Linux kernel is modular — composed of modules that work together but are largely independent of each other. New functionality can be added when a kernel module is loaded, but there are times when you might need to block functionality because modules interfere with each other or leave a system vulnerable. When that is the case, you can restrict what modules the kernel is able to use by blacklisting the troublemakers. This blocks them from being loaded.

Listing Kernel modules

You can list kernel modules with the lsmod command. For a taste of what you’re likely to see, the lsmod command below shows us the top of the lsmod command output on a sample system.

$ lsmod | head -20
Module                  Size  Used by
nf_log_ipv6            16384  5
xt_hl                  16384  22
ip6t_rt                16384  3
ipt_REJECT             16384  1
nf_reject_ipv4         16384  1 ipt_REJECT
nf_log_ipv4            16384  5
nf_log_common          16384  2 nf_log_ipv6,nf_log_ipv4
xt_LOG                 16384  10
xt_limit               16384  13
xt_tcpudp              16384  20
xt_addrtype            16384  4
nf_conntrack_netbios_ns    16384  0
nf_conntrack_broadcast    16384  1 nf_conntrack_netbios_ns
nf_nat_ftp             16384  0
nf_nat                 28672  1 nf_nat_ftp
nf_conntrack_ftp       20480  1 nf_nat_ftp
nf_conntrack_ipv6      20480  8
nf_defrag_ipv6         36864  1 nf_conntrack_ipv6
ip6table_filter        16384  1

The first column displays each of the module names.

The “Used by” column indicates how many instances of the module are currently in use and sometimes what processes are using them.

The “Size” column purports to be the size of the module but is not really correct. You might note in the example above how many of the listed modules appear to be 16,384 bytes long — a value equal to "16KiB". But you can track down the actual sizes using a command like this, and note that the sizes vary quite a bit.

$ lsmod | grep 16384 | cut -f1 -d ' ' |\
 xargs modinfo | grep filename | grep -o '/.*' |\
 xargs stat -c "%s - %n" | head -7
16214 - /lib/modules/4.13.0-39-generic/kernel/net/ipv6/netfilter/nf_log_ipv6.ko
5830 - /lib/modules/4.13.0-39-generic/kernel/net/netfilter/xt_hl.ko
17902 - /lib/modules/4.13.0-39-generic/kernel/net/ipv6/netfilter/ip6t_rt.ko
6974 - /lib/modules/4.13.0-39-generic/kernel/net/ipv4/netfilter/ipt_REJECT.ko
7726 - /lib/modules/4.13.0-39-generic/kernel/net/ipv4/netfilter/nf_reject_ipv4.ko
12446 - /lib/modules/4.13.0-39-generic/kernel/net/ipv4/netfilter/nf_log_ipv4.ko
10046 - /lib/modules/4.13.0-39-generic/kernel/net/netfilter/nf_log_common.ko

To get an idea how many modules are in use at any particular time, you can run a command like this:

$ lsmod | wc -l
84

If you'd like more information about any of the modules listed, you can ask for it with the modinfo command.

$ modinfo psmouse
filename:       /lib/modules/4.13.0-39-generic/kernel/drivers/input/mouse/psmouse.ko
license:        GPL
description:    PS/2 mouse driver
author:         Vojtech Pavlik <vojtech@suse.cz>
srcversion:     3AECF712F9899761F63DFB2
alias:          serio:ty05pr*id*ex*
alias:          serio:ty01pr*id*ex*
depends:
intree:         Y
name:           psmouse
vermagic:       4.13.0-39-generic SMP mod_unload
signat:         PKCS#7
signer:
sig_key:
sig_hashalgo:   md4
parm:           synaptics_intertouch:Use a secondary bus for the Synaptics device. (int)
parm:           proto:Highest protocol extension to probe (bare, imps, exps, any). Useful for KVM switches. (proto_abbrev)
parm:           resolution:Resolution, in dpi. (uint)
parm:           rate:Report rate, in reports per second. (uint)
parm:           smartscroll:Logitech Smartscroll autorepeat, 1 = enabled (default), 0 = disabled. (bool)
parm:           resetafter:Reset device after so many bad packets (0 = never). (uint)
parm:           resync_time:How long can mouse stay idle before forcing resync (in seconds, 0 = never). (uint)

How to blacklist a module

To blacklist a kernel module, edit the /etc/modprobe.d/blacklist.conf file and add a line that says "blacklist <module-name>". Here's an example that you might find in your current blacklist.conf file.

# replaced by tulip
blacklist de4x5

It's a good idea to preface the "blacklist" line with a comment that explains why you're blacklisting the module. Many of those already blocked will have been blocked because newer, better replacements have come along.

Removing a module from the kernel

You can remove a module from the running kernel with the sudo modprobe -r <module_name> command. You will get a warning if it's being used and the module will not be unloaded.

$ sudo modprobe -r video
[sudo] password for shs:
modprobe: FATAL: Module video is in use.

Removing a module with modprobe is temporary. The module will be loaded again when the system reboots or when you reload it with the modprobe <module_name> command.

2-Minute Linux Tip: Learn how to use the logsave command

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:
Now read: Getting grounded in IoT