pyplugins.interventions.kmods module
Kernel Module Tracker
This plugin tracks and controls kernel module loading attempts in the guest system. By default it blocks every kernel module load except igloo.ko (the framework's internal module). Optionally, an allowlist can be configured so that specific kernel modules are permitted to load, and a denylist can be configured to explicitly block specific modules.
Features
Intercepts init_module and finit_module syscalls
Tracks all kernel module loading attempts to modules.log
Blocks module loading (except igloo.ko) by default
Supports allowlist for specific modules to allow them to load
Supports denylist for explicit blocking of specific modules
Configuration
To enable the plugin with default behavior (block all except igloo.ko):
plugins:
  kmods: {}
To allow specific modules to load, provide an allowlist:
plugins:
  kmods:
    allowlist:
      - wireguard
      - nf_conntrack
      - xt_TCPMSS
To explicitly block specific modules, provide a denylist:
plugins:
  kmods:
    denylist:
      - suspicious_module
      - untrusted_driver
To reduce logging verbosity, enable quiet mode:
plugins:
  kmods:
    quiet: true
Both lists can be used together. The denylist takes precedence over the allowlist, so a module named on both lists is blocked. Module names must be given without the .ko extension or any path component (wireguard, not /lib/modules/wireguard.ko). When quiet is true, only errors are logged; otherwise info-level logs are shown (the default).
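The decision rules above (igloo.ko always loads, denylist beats allowlist, everything else is blocked unless allowlisted, names matched without path or .ko suffix) are small enough to model standalone. The following is an added example, not code from the kmods plugin or the framework it belongs to: it reimplements the policy in plain Python and simulates how a blocked syscall is recorded. The FakeSyscall class, the -EPERM return value and the log line format are assumptions made for the example; the page only says the real syscall object has retval and skip_syscall attributes and that attempts are written to modules.log.

```python
import os
from dataclasses import dataclass

FRAMEWORK_MODULE = "igloo"  # igloo.ko is always permitted by the plugin
EPERM = 1                   # assumption: the errno a blocked load sees is not stated on the page


def module_name(kmod_path):
    """Reduce a path such as '/lib/modules/5.10/extra/foo.ko' to 'foo'.

    Names configured without a path or extension ('foo') pass through unchanged,
    matching the page's rule that list entries omit the path and the .ko suffix.
    """
    base = os.path.basename(kmod_path)
    if base.endswith(".ko"):
        base = base[:-len(".ko")]
    return base


class KmodPolicy:
    """Allowlist/denylist policy with the precedence the page describes."""

    def __init__(self, allowlist=None, denylist=None):
        self.allowlist = set(allowlist or ())
        self.denylist = set(denylist or ())

    def is_allowed(self, kmod_path):
        return module_name(kmod_path) in self.allowlist

    def is_denied(self, kmod_path):
        return module_name(kmod_path) in self.denylist

    def decide(self, kmod_path):
        """Return ('allow' | 'block', reason) for one load attempt."""
        if module_name(kmod_path) == FRAMEWORK_MODULE:
            return ("allow", "framework module")
        if self.is_denied(kmod_path):          # denylist wins over allowlist
            return ("block", "denylist")
        if self.is_allowed(kmod_path):
            return ("allow", "allowlist")
        return ("block", "default")            # default-deny for everything else


@dataclass
class FakeSyscall:
    """Stand-in for the framework's syscall object (assumption: only the two
    attributes the page mentions are modelled)."""
    retval: int = 0
    skip_syscall: bool = False


def handle_module_load(policy, syscall, kmod_path, log):
    """Apply the policy to one init_module/finit_module attempt.

    Every attempt is appended to `log` (the in-memory analogue of modules.log);
    blocked attempts skip the real syscall and hand the guest an error.
    """
    verdict, reason = policy.decide(kmod_path)
    log.append(f"{kmod_path} {verdict} ({reason})")
    if verdict == "block":
        syscall.skip_syscall = True
        syscall.retval = -EPERM
    return verdict


def run_demo():
    """Constructed load attempts against a policy that lists wireguard on both lists."""
    policy = KmodPolicy(allowlist=["wireguard", "nf_conntrack", "xt_TCPMSS"],
                        denylist=["wireguard", "untrusted_driver"])
    attempts = [
        "/lib/modules/igloo.ko",
        "/lib/modules/5.10.0/kernel/net/wireguard.ko",
        "/lib/modules/5.10.0/kernel/net/netfilter/nf_conntrack.ko",
        "/tmp/untrusted_driver.ko",
        "/lib/modules/5.10.0/kernel/fs/fuse.ko",
    ]
    log = []
    results = {}
    for path in attempts:
        sc = FakeSyscall()
        results[path] = (handle_module_load(policy, sc, path, log), sc.skip_syscall, sc.retval)
    return results, log


if __name__ == "__main__":
    _, demo_log = run_demo()
    print("\n".join(demo_log))
```

Running the block prints one line per attempt; only igloo.ko and nf_conntrack are allowed, wireguard is blocked because the denylist wins over the allowlist, and fuse falls through to the default block.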
Outputs
modules.log: one entry per kernel module load attempt observed in the guest, whether the load was allowed or blocked
- class pyplugins.interventions.kmods.KmodTracker
Bases: Plugin
Tracks and controls kernel module loading in the guest system.
This plugin intercepts kernel module loading syscalls and can either block them (default behavior), allow specific modules via allowlist, or explicitly block specific modules via denylist.
- Attributes:
allowlist (list): List of kernel module names allowed to load
denylist (list): List of kernel module names to explicitly block
quiet (bool): If True, set log level to error; if False, use info level
- finit_module(regs, proto, syscall, fd, param_values, flags)
Handle the finit_module syscall to track and optionally block module loading.
This method intercepts attempts to load kernel modules via the finit_module syscall (which loads a module from a file descriptor). It records every module loading attempt and blocks the module unless it is allowlisted and not denylisted.
- Args:
regs: CPU register state
proto: Syscall prototype
syscall: Syscall object with retval and skip_syscall attributes
fd: File descriptor of the kernel module file
param_values: Module parameters
flags: Module loading flags
- Yields:
Results from plugins.osi.get_fd_name, used to resolve the module path from the file descriptor
- init_module(regs, proto, syscall, module_image, size, param_values)
Handle the init_module syscall to track and optionally block module loading.
This method intercepts attempts to load kernel modules via the init_module syscall (which loads a module image from guest memory). It always allows igloo.ko to load, records every other module loading attempt, and blocks the module unless it is allowlisted and not denylisted.
- Args:
regs: CPU register state
proto: Syscall prototype
syscall: Syscall object with retval and skip_syscall attributes
module_image: Pointer to the module image in guest memory
size: Size of the module image
param_values: Module parameters
- Yields:
Results from plugins.osi calls for process and file descriptor information
- is_allowed(kmod_path)
Check whether a kernel module is in the allowlist. The module name is extracted from the path (directory and .ko extension removed) and compared against the allowlist.
- Args:
kmod_path: Path to the kernel module (e.g., “/lib/modules/foo.ko”)
- Returns:
True if the module is in the allowlist, False otherwise
- Parameters:
kmod_path (str)
- Return type:
bool
- is_denied(kmod_path)
Check whether a kernel module is in the denylist. The module name is extracted from the path (directory and .ko extension removed) and compared against the denylist.
- Args:
kmod_path: Path to the kernel module (e.g., “/lib/modules/foo.ko”)
- Returns:
True if the module is in the denylist, False otherwise
- Parameters:
kmod_path (str)
- Return type:
bool