
Contributor

@lockbox lockbox commented Oct 3, 2025

this addresses #647 adding an allow / deny list. i added a denylist to allow for things like temporary masking etc of configs. not the most useful thing but it's simple enough + has actually come in handy. feel free to tell me to nix it though.

i also added a "quiet" option which doesn't log to the console since some targets load hundreds of modules and it can get annoying trying to read output when driving manually

Closes #647

@lacraig2 lacraig2 requested a review from Copilot October 3, 2025 21:13
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR enhances the kernel module tracker plugin with configurable allow/deny lists and optional quiet logging. The plugin now supports fine-grained control over which kernel modules can load, addressing the need for more flexible module filtering beyond the default block-all behavior.

  • Added allowlist/denylist configuration options for granular control over module loading
  • Implemented quiet mode to reduce logging verbosity for targets with many modules
  • Expanded comprehensive documentation with usage examples and configuration options


Collaborator

lacraig2 commented Oct 5, 2025

I appreciate the PR! This looks good.

On the technical points:

  • Couple of good copilot thoughts above
  • This has a potential flaw in init_module where we can't actually determine the path for the ko. It's technically still an issue for our igloo.ko issue, but we'd appreciate thoughts.

Collaborator

lacraig2 commented Oct 5, 2025

Also! This is our first external contribution. Which is very exciting.

It also means that permissions have changed for our CI jobs so everything breaks for reasons that are not your fault.

I am going to use this PR as a test to fix our actions. I will merge them separately ahead of your PR once they work.

Contributor Author

lockbox commented Oct 5, 2025

Cool 😎 that's exciting

@lacraig2 lacraig2 added run-tests DANGER: runs tests with secrets (must trust author) and removed run-tests DANGER: runs tests with secrets (must trust author) labels Oct 5, 2025
Contributor Author

lockbox commented Oct 5, 2025

After the CI stuff is working lmk and I'll rebase to address the comments. Off the cuff all my ideas are extremely hacky to handle init_module but I feel like this is solvable

@lacraig2 lacraig2 force-pushed the kmods-whitelist branch 2 times, most recently from cb66cb5 to c9eca26 Compare October 6, 2025 18:23
Collaborator

lacraig2 commented Oct 6, 2025

@lockbox should be set on the CI issues. Thanks!

@lockbox lockbox force-pushed the kmods-whitelist branch 2 times, most recently from 088eeee to 87fcae0 Compare October 7, 2025 13:28
Collaborator

lacraig2 commented Oct 7, 2025

FYSA: rebased this on main and ran tests

Contributor Author

lockbox commented Oct 7, 2025

Save for the init_module comments this should be gtg, did you want to solve that here or "eventually?"

@lacraig2 lacraig2 merged commit 109d7ec into rehosting:main Oct 8, 2025
12 checks passed
Collaborator

lacraig2 commented Oct 8, 2025

I can live with eventually on that.

Merged. Thanks!


Development

Successfully merging this pull request may close these issues.

add a kernel module whitelist to the configuration
