killswitch: per-function short-circuit mitigation primitive
14 points by val
While I like the idea, it’s a shame there isn’t an allowlist-only mode for kernel modules (rather than playing blacklist whack-a-mole) - especially with AF_ALG being deprecated [1], and a lot of other less-maintained / more niche kernel components being loadable by default on a lot of distros.
In a lot of fixed-function environments, I can foresee kernel.modules_disabled=1 will start becoming more common too.
Sidenote: the “mainline kernel commit with a suspiciously benign description that changes bounds checks” approach to security patches isn’t really proving effective at fooling anyone…
I implemented the NixOS version of modules_disabled on my VPS yesterday, and it was relatively painless. It seems to run late enough to allow nearly everything necessary to load; the only thing I had to manually preload was af_packet for dhcpcd (TBF that locked me out of being able to ssh in, but I knew I had console access so I didn't bother to take a precautionary approach.)
Can you share some details on this?
It ended up just being:
security.lockKernelModules = true;
boot.kernelModules = [
  "wireguard"
  "af_packet"
];
in my config! (not even sure I needed to manually list wireguard, but just in case.)
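The lockout described in the posts above (modules_disabled=1 being applied before af_packet was loaded) is the failure mode to check for before flipping the switch: kernel.modules_disabled is one-way and cannot be set back to 0 until reboot. The script below is an added example, not code from the thread or from NixOS; it is a preflight that reports which required modules are not yet loaded, shows the current lock state, prints the matching boot.kernelModules snippet, and only runs sysctl -w when nothing is missing. The module names (af_packet for dhcpcd, wireguard) are taken from the posts; the function names and the /proc/modules sample used when testing it are assumptions of this example.

```shell
#!/bin/sh
# Preflight for kernel.modules_disabled=1 (added example, not from the thread).
# The sysctl is one-way: once it reads 1 it stays 1 until reboot, so every
# module the box needs (e.g. af_packet for dhcpcd, wireguard) must already be
# loaded, or it must be listed for loading at boot (boot.kernelModules on NixOS).

# Print the required modules that are NOT present in a /proc/modules-style file.
# $1 = path to the file (the real one is /proc/modules); remaining args = names.
missing_modules() {
    modfile=$1; shift
    for m in "$@"; do
        # each /proc/modules line starts with the module name followed by a space
        grep -q "^$m " "$modfile" || echo "$m"
    done
}

# Current lock state: 0 = modules loadable, 1 = locked until reboot.
# $1 = path to the sysctl file (defaults to the real one); "unknown" if unreadable.
modules_disabled_state() {
    cat "${1:-/proc/sys/kernel/modules_disabled}" 2>/dev/null || echo unknown
}

# Emit a NixOS boot.kernelModules snippet for the given module names, so the
# modules that had to be preloaded are loaded before the lock on the next boot.
nix_kernel_modules_snippet() {
    printf 'boot.kernelModules = [\n'
    for m in "$@"; do printf '  "%s"\n' "$m"; done
    printf '];\n'
}

# Set kernel.modules_disabled=1 only when every required module is loaded.
# $1 = /proc/modules-style file; remaining args = required module names.
# Returns 1 without touching the sysctl if anything is missing.
lock_if_ready() {
    modfile=$1; shift
    missing=$(missing_modules "$modfile" "$@")
    if [ -n "$missing" ]; then
        echo "refusing to lock; not loaded: $missing" >&2
        return 1
    fi
    sysctl -w kernel.modules_disabled=1
}

# Stand-alone use on a live host (needs root for the final sysctl write):
#   lock_if_ready /proc/modules af_packet wireguard
#   modules_disabled_state
#   nix_kernel_modules_snippet af_packet wireguard
```

Run the preflight over the console, not over the ssh session you would lose: if it refuses, load the missing modules (modprobe) or add them to boot.kernelModules and reboot before locking.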
Found some details: https://dfir.ch/posts/today_i_learned_lkm_kernel.modules_disabled/ First time hearing of this; interesting approach.