Blocking loading of modules via alias

Archie1 · May 14, 2026, 11:29am

This is in related to to the dirty-frag vulnerability that was recently discovered. One of the mitigation steps given was to block the installation of the module esp4, esp6 and rxrpc. Typically that is done by putting a .conf file in the directory /etc/modprobe.d/ with the following content

install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false

blacklist esp4
blacklist esp6
blacklist rxrpc

But then I realized that each linux kernel module also has an alias. This can be found by running the command modinfo. And the module can be loaded via the alias. The details of some of the aliases are given below

$ modinfo esp4 
filename:       /lib/modules/XXXXXX/kernel/net/ipv4/esp4.ko.zst
alias:          xfrm-type-2-50
license:        GPL
description:    IPv4 ESP transformation library
...
,,,
$ modinfo esp6
filename:       /lib/modules/XXXXXX/kernel/net/ipv6/esp6.ko.zst
alias:          xfrm-type-10-50
license:        GPL
description:    IPv6 ESP transformation helpers
...
...
$ modinfo rxrpc
filename:       /lib/modules/XXXXX/kernel/net/rxrpc/rxrpc.ko.zst
alias:          net-pf-33
license:        GPL
author:         Red Hat, Inc.
...
...

So a user might still be able to load the modules esp4, esp6, rxrpc using the alias xfrm-type-2-50, xfrm-type-10-50, net-pf-33 respectively. This leads me to my question. How to prevent this? For each and every alias do we have to give instal <<ModuleAliasName>> /bin/false followed by blacklist <<ModuleAliasName>>? Or does something different have to be done?

ricklinux · May 14, 2026, 1:20pm

I don’t bother with this stuff. I leave it up to the kernel developers to fix these kind of issues related to vulnerabilities. But it’s your system!

Archie1 · May 14, 2026, 2:23pm

Well I wanted to know how to block loading of modules by using an alias.

cactux · May 14, 2026, 2:56pm

/etc/modprobe.d/disable-esp4.conf

blacklist esp4
install esp4 /bin/false
install xfrm-type-2-50 /bin/false

Won’t this be working? If it does, make a .conf for each module.

ricklinux · May 14, 2026, 3:01pm

You don’t need to use an alias. As @cactux said just make a .conf for each.

Archie1 · May 15, 2026, 5:37am

I am not sure, whether this will work or not. Hence the reason for my post over here.

cactux · May 15, 2026, 6:12am

Why wouldn’t you try and tell? It’s not that it is something which may break your system.
Or you want us to try it first and tell you?

Archie1 · May 15, 2026, 12:20pm

@cactux I was hoping that someone who has done this already or configured will be able to tell. That is why I had asked. Was banking on the knowledge of the crowd.

Allright so this is what I found. Using the following in a conf file present in /etc/modprobe.d/ directory

install <<ModuleName>> /bin/false

blocks the module from being loaded via the command modprobe <<ModuleName>>. This also blocks the module from being loaded via aliases of the module, i.e. modprobe <<ModuleAlias>>. What this does not block are the following

Any dependencies. If the <<ModuleName>> is dependent on some other module, that will get loaded.
Loading of the module using insmod <<AbsolutePathToModuleFile>>

However if we use the following in a conf file present in /etc/modprobe.d/ directory

install <<ModuleName>> /bin/false
blacklist <<ModuleName>>

blocks the module from being loaded via the command modprobe as well as via insmod

So to answer the question, yeah blocking the module by using install <<ModuleName> /bin/false will also block the loading of the module using its alias. But it does not stop insmod.

cactux · May 15, 2026, 12:28pm

Thanks for having tested and explained it so thoroughly! Now can the crowd bank on your knowledge

Archie1 · May 15, 2026, 12:35pm

I am not sure that will work in other Linux Distros.

Archie1 · May 16, 2026, 8:20am

@cactux will it be possible for you to redo the steps on a non-EOS distro that you have.

For modules you can use any of the following or any other module of your choice. These are simply examples.

blowfish-x86_64. Alias to be used crypto-blowfish-asm, blowfish-asm, crypto-blowfish. This is the blowfish Crypto algo
jfs. Alias to be used fs-jfs. This is the IBM’s Journal File system that is used in AIX.
firewire_sbp2. Alias to be used sbp2. This is the Firewire communication protocol for SCSI over IEEE1394

To remove the modules you can use modprobe --remove --verbose <<ModuleName>> or restart your system.

This is not urgent. whenever you have free time to do this. Just need a confirmation.

cactux · May 17, 2026, 7:49am

When/If I find the time. Perhaps! No promises.