Tags: jnuyens/modulejail
modulejail v1.4.1

Regression hotfix for the v1.4.0 desktop-profile SD card addition on bleeding-edge kernels.

- `rpmb_core` added to `BASELINE_DESKTOP` ([#16](#16), @fonic). Between kernel 6.12 and 7.0 the RPMB (Replay Protected Memory Block) code was split out of `mmc_core` into its own module. On kernels with the split (Arch current, Fedora rawhide, openSUSE Tumbleweed, Cachy / Liquorix variants, anyone tracking mainline), `mmc_block` declares a hard `depends: mmc_core,rpmb-core` and fails to load with missing-symbol errors if `rpmb-core` is in the blacklist. v1.4.0's `mmc_core` + `mmc_block` desktop-profile addition therefore fixed SD card readers on stable LTS kernels (Debian 13.4 with 6.12, Rocky 9.7 with 5.14) but regressed them on 7.0+ kernels. v1.4.1 closes the gap: `rpmb_core` joins the desktop baseline, and the filename normalization the script already does for the underscore vs hyphen variance ("rpmb-core" vs "rpmb_core") covers every kernel build convention. On older kernels where the module doesn't exist separately, listing it is a harmless no-op.
- @fonic ([#16](#16)) for the cross-kernel `modinfo mmc_block` diagnosis - this would have shipped silently broken on every Arch / Fedora-rawhide / Tumbleweed desktop install otherwise.
modulejail v1.4.0

Initramfs strip hook (#19), --self-update with WHITELIST splice (#20), mmc desktop additions (#16), whitelist owner check hardening, packaging integration across .deb/.rpm/AUR.

Full CHANGELOG: https://github.com/jnuyens/modulejail/blob/v1.4.0/CHANGELOG.md
v1.3.6 - hotfix --verbose-logging tr range-endpoints error (#18)

modprobe's libkmod config parser collapses `\\` -> `\` on install commands BEFORE the shell sees them. v1.3.5's bare `\001-\010...` became the digit string `001-010013-037177`, which tr rejected with the `'1-0'` reverse-range error. Fix: double the backslashes in the install-line text. End-to-end verified on Ubuntu 24.04 + kmod 31. Per @retry-the-user in #18.

Signed with RSA key 095F5C8B39AF010E7B615CD4487BC00D69C2A955 (ModuleJail Releases). See CHANGELOG.md for the full notes.
v1.3.5 - hotfix --verbose-logging install-line bugs (#18)

Two bugs in v1.3.4's --verbose-logging caught by @retry-the-user within hours of v1.3.4 release:

1. `/bin/sh -c '...'` wrapper made `$PPID` point at the wrapper sh, not modprobe. Fix: drop the wrapper.
2. `cat /proc/$PPID/cmdline` + shell substitution stripped NULs, concatenating argv elements. Fix: pipe through `tr '\\0' ' '`.

Defense-in-depth additions:

3. Strip control bytes from cmdline (`tr -d`) to harden against log injection (command injection was already not possible because shell substitution doesn't re-evaluate).
4. New `MODULEJAIL_TR_PATH` env var + runtime check: --verbose-logging now exits EX_NOINPUT if tr is absent, rather than generating broken install-lines.

Default (non-verbose) install line unchanged. v1.1.4 byte-identical contract preserved.

Signed with RSA key 095F5C8B39AF010E7B615CD4487BC00D69C2A955 (ModuleJail Releases). See CHANGELOG.md for the full notes.
v1.3.4 - --verbose-logging flag + DESKTOP additions + baseline-addition policy

New flag:

- --verbose-logging - enrich per-blocked-load logger call with PPID, loginuid, parent comm, argv[0] (from /proc/$PPID/...). Requires /usr/bin/logger; mutually exclusive with --no-syslog-logging. Issue #18 from @retry-the-user.

BASELINE_DESKTOP additions (laptops/workstations only): intel_pstate, intel_cstate, amd_pstate, tun, tap. Issue #16 acceptance round 2 from @teou1. ntfs declined (CONFIG_NTFS_FS is backward-compat-only in 7.x; ntfs3 is the maintained driver and already in DESKTOP).

New baseline-addition policy (documented in script + README Contributing): modules join a baseline only with observed operator pain in that profile's target audience. acpi_cpufreq in CONSERVATIVE (v1.3.2) retained for backward compatibility.

No flag or CLI default behavior changes; v1.1.4 byte-identical install-line body preserved under default flags.

Signed with RSA key 095F5C8B39AF010E7B615CD4487BC00D69C2A955 (ModuleJail Releases). See CHANGELOG.md for the full notes.
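As an added example (not modulejail's own code), the install-line lessons from the v1.3.4, v1.3.5 and v1.3.6 notes as a stand-alone POSIX shell script: a NUL-separated `/proc/<pid>/cmdline`-style argv is turned into one space-separated log field with control bytes deleted, and a helper doubles backslashes for text that will be embedded in a modprobe.d install line. The function names, the log message wording and the control-byte delete set are this example's own assumptions, not the project's.

```shell
#!/bin/sh
# Added example, not modulejail's code. Demonstrates two install-line lessons
# from the v1.3.5 / v1.3.6 notes:
#   - read a NUL-separated cmdline without concatenating argv elements and
#     without letting control bytes forge extra log lines;
#   - double backslashes before embedding tr ranges in a modprobe.d install
#     line, because libkmod collapses \\ -> \ before the shell ever runs.

# stdin: raw /proc/<pid>/cmdline bytes (argv elements separated by NUL).
# stdout: one line, argv joined by single spaces, C0 controls and DEL removed.
# A plain `$(cat file)` would drop the NULs and glue "modprobe" "-q" "mod"
# into "modprobe-qmod"; tr must see the bytes before shell substitution does.
sanitize_cmdline() {
    tr '\000' ' ' | tr -d '\001-\037\177'   # delete set assumed for this example
}

# $1 = blocked module name; stdin = cmdline bytes. In a real install line this
# is fed from /proc/$PPID/cmdline and must not be wrapped in `/bin/sh -c`,
# otherwise $PPID names the wrapper shell instead of modprobe (v1.3.5 bug 1).
blocked_load_message() {
    argv=$(sanitize_cmdline)
    argv=${argv% }                           # drop the space from the final NUL
    printf 'modulejail: blocked load of %s requested by [%s]\n' "$1" "$argv"
}

# Double every backslash on stdin so that after libkmod's \\ -> \ collapse the
# shell receives exactly the text written here (v1.3.6 fix).
escape_for_modprobe_d() {
    sed 's/\\/\\\\/g'
}

# Demo on constructed input (not a real process): the third argv element
# carries an embedded newline, the kind of byte the delete set must remove.
main() {
    printf 'modprobe\000-q\000evil\012mod\000' | blocked_load_message nf_tables
    printf '%s\n' "tr -d '\\001-\\037\\177'" | escape_for_modprobe_d
}

main "$@"
```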
v1.5.0-beta.2 - systemd integration (beta, .deb + .rpm both shipping)
Same systemd-integration substance as v1.5.0-beta.1; two prerelease-
handling gaps in the packaging/test surfaces fixed.
Fixed:
- tests/lib/run-in-fixture.sh SemVer regex now accepts SemVer 2.0.0
prerelease suffixes (container fixtures had rejected beta.1).
- packaging/build.sh + packaging/rpm/modulejail.spec.in: RPM
Version/Release split per Fedora prerelease guidelines
(Version=X.Y.Z, Release=0.1.<pre>.<N>%{?dist}). beta.1 had no .rpm.
This beta ships .deb AND .rpm. Beta still: production operators
should stay on v1.3.3 until v1.5.0 final ships.
Signed with RSA key 095F5C8B39AF010E7B615CD4487BC00D69C2A955
(ModuleJail Releases).
See CHANGELOG.md for the full notes.
v1.5.0-beta.1 - systemd integration (beta)

First beta of the v1.5 systemd integration milestone (PR #15 from @gbkersey).

What ships:

- systemd/modulejail.service - Type=oneshot, runs `modulejail -p conservative` once. After=multi-user.target + network-online.target + remote-fs.target.
- systemd/modulejail.timer - OnBootSec=5min, Persistent=false.
- .deb postinst + .rpm %post install the units to /usr/lib/systemd/system/, run daemon-reload, print the enable instruction. Neither enables the timer; install is behavior-neutral.

What is deliberately NOT changed:

- No new package Depends.
- No auto-enable.
- curl|sh and AUR `modulejail` (stable) users see no change.

Beta status: production operators should stay on v1.3.3 until v1.5.0 final ships.

Signed with RSA key 095F5C8B39AF010E7B615CD4487BC00D69C2A955 (ModuleJail Releases). See CHANGELOG.md for the full notes.
v1.3.3 - Hotfix: v1.1.4-regression contract clarification

v1.3.2 added inet_diag, tcp_diag, udp_diag to BASELINE_CONSERVATIVE per issue #16. The v1.1.4-regression fixture had those modules in its install-line reference, so CI went red on the v1.3.2 push despite modulejail itself being correct.

This release:

- Regenerates tests/fixtures/v1.1.4-regression/expected-blacklist.conf (6363 -> 6360 install lines)
- Clarifies the v1.1.4 byte-identical contract in the test header: it covers install-line RENDERING, not which modules end up there
- Otherwise ships identical modulejail logic to v1.3.2

Operators on v1.3.2 do not need to upgrade for any behavioral reason.

Signed with RSA key 095F5C8B39AF010E7B615CD4487BC00D69C2A955 (ModuleJail Releases). See CHANGELOG.md for the full notes.
v1.3.2 - Baseline maturation (CONSERVATIVE + DESKTOP profile additions)

Driven by issue #16 from @Dizirgee.

CONSERVATIVE adds: inet_diag, tcp_diag, udp_diag, acpi_cpufreq, tls

DESKTOP adds (on top of CONSERVATIVE): f2fs, ntfs3, isofs, cdrom, amd64_edac, i7core_edac, ie31200_edac

No flag or CLI behavior changes; v1.1.4 byte-identical install-line body preserved (6363/6363 install lines).

Signed with RSA key 095F5C8B39AF010E7B615CD4487BC00D69C2A955 (ModuleJail Releases). See CHANGELOG.md for the full list.
v1.3.1 - Documentation + small DESKTOP profile addition

- exfat in BASELINE_DESKTOP (Windows flash drives) - PR #13 @tjmnmk
- -f / --fail-on-module-load now documented in README + manpage - PR #14 @tjmnmk
- README "Options reference" table - PR #14 @tjmnmk
- usage() and README options table extended for the v1.3.0 flags that were on the manpage side but missed in --help: --dry-run, --quiet, --verbose, --output-format {json|logfmt}, -p none. Now at parity.
- New top-level "Threat model" section in README; new docs/DEFENSE-IN-DEPTH.md with autoload-trigger taxonomy and 5 hardening recipes that compose with ModuleJail.
- New examples/blocked-module-popup.sh (contributed by @teou1, issue #12)
- AUR PKGBUILD switched to sequoia-sqv signature verification per AUR commenter @Velocifyer

No flag or CLI behavior changes; v1.1.4 byte-identical install-line body preserved (6363/6363 install lines).

Signed with RSA key 095F5C8B39AF010E7B615CD4487BC00D69C2A955 (ModuleJail Releases). See CHANGELOG.md for the full list. See docs/DEFENSE-IN-DEPTH.md for the new threat-model documentation.