How do I blacklist a kernel module to prevent it from loading automatically?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 4
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8

Issue

  • How do I blacklist a kernel module to prevent it from loading automatically?
  • How to disable a kernel module?

Resolution

  • In order to prevent kernel modules loading during boot, the module name must be added into the blacklist file.

  • Ensure the module is not configured to load either in /etc/modprobe.conf, /etc/modprobe.d/*, /etc/rc.modules, or /etc/sysconfig/modules/* before making the following modifications.

  • Due to differences between the various versions of RHEL, please be sure to follow the appropriate steps for your system's version below:

    • The shared steps for RHEL 5, 6, 7, 8 followed by the specific steps for each version
    • The steps for RHEL 4

Shared Initial Steps for Red Hat Enterprise Linux 5, 6, 7 and 8

Kernel modules can be loaded directly, loaded as a dependency from another module, or during the boot process -- because of this, we need to take several measures to keep the module from being loaded.

 modprobe -r module_name                                                        #step1
 echo "blacklist module_name" >> /etc/modprobe.d/local-blacklist.conf           #step2
 echo "install module_name /bin/false" >> /etc/modprobe.d/local-blacklist.conf  #step3
  • [step1 above] First we unload the module from the running system, if it is loaded.

  • [step2 above] To prevent a module from being loaded directly you add the blacklist line to a configuration file specific to the system configuration -- for example /etc/modprobe.d/local-blacklist.conf.

    • This alone will not prevent a module being loaded if it is a required or optional dependency of another module. Some kernel modules will attempt to load optional modules on demand, which we mitigate in the next step.
  • [step3 above] The install line simply causes /bin/false to be run instead of installing a module. (The same can be achieved by using /bin/true.)

    • This change will take effect the next time that the module is attempted to load. There may be unexpected side affects if a module is blacklisted that is required for other specific hardware.
  • Now please continue with the relevant steps for your system's version of RHEL:


Finishing Steps for Red Hat Enterprise Linux 7 and 8 only

  cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak                       #step4
  dracut --omit-drivers module_name -f                                                                               #step5
  sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ module_name.blacklist=1 rd.driver.blacklist=module_name"/' /etc/default/grub   #step6
  grub2-mkconfig -o /boot/grub2/grub.cfg                                                                              #step7
  cp /boot/initramfs-$(uname -r)kdump.img /boot/initramfs-$(uname -r)kdump.img.$(date +%m-%d-%H%M%S).bak             #step8
  sed -i '/^KDUMP_COMMANDLINE_APPEND=/s/"$/ rd.driver.blacklist=module_name"/' /etc/sysconfig/kdump                   #step9
  kdumpctl restart                                                                                                   #step10
  mkdumprd -f /boot/initramfs-$(uname -r)kdump.img                                                                   #step11
  reboot                                                                                                             #step12
  • [step4 above] Make a backup copy of your initramfs.

  • [step5 above] If the kernel module is part of the initramfs (boot configuration), rebuild your initial ramdisk image, omitting the module to be avoided (see How to rebuild the initial ramdisk image in Red Hat Enterprise Linux for more information).

  • [step6 above] Append module_name.blacklist to the kernel cmdline. We give it an invalid parameter of blacklist and set it to 1 as a way to preclude the kernel from loading it. Here we also set rd.driver.blacklist as another method of preventing it from being loaded.

  • [step7 above] Reinstall grub2 to put the kernel cmdline changes into effect. If your system uses UEFI, the path must be changed to /boot/efi/EFI/redhat/grub.cfg

  • [step8 above] Make a backup copy of the kdump initramfs.

  • [step9 above] Append rd.driver.blacklist=module_name to the KDUMP_COMMANDLINE_APPEND setting in /etc/sysconfig/kdump. This will cause it to be omitted from the kdump initramfs.

  • [step10 above] Restart the kdump service to pick up the changes to kdump's initrd.

  • [step11 above] Rebuild the kdump initial ramdisk image.

  • [step12 above] Reboot the system at a convenient time to have the changes take effect.


Finishing Steps for Red Hat Enterprise Linux 6 only

 cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak   #step4
 dracut --omit-drivers module_name -f                                                           #step5
 sed -i '/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/' /etc/grub.conf                     #step6
 echo "blacklist module_name" >> /etc/kdump.conf                                                #step7
 service kdump restart                                                                          #step8
 reboot                                                                                         #step9
  • [step4 above] Make a backup copy of your initramfs.

  • [step5 above] If the kernel module is part of the initramfs (boot configuration), rebuild your initial ramdisk image, omitting the module to be avoided (see How to rebuild the initial ramdisk image in Red Hat Enterprise Linux for more information).

  • [step6 above] Append module_name.blacklist to the kernel cmdline. We give it an invalid parameter of blacklist and set it to 1 as a way to preclude the kernel from loading it.

  • [step7 above] Blacklist the kernel module in kdump's configuration file.

  • [step8 above] Restart the kdump service to pick up the changes to kdump's initrd.

  • [step9 above] Reboot the system at a convenient time to have the changes take effect.


Continued Steps for Red Hat Enterprise Linux 5 only

 cp /boot/initrd-$(uname -r).img /boot/initrd-$(uname -r).img.$(date +%m-%d-%H%M%S).bak   #step4
 mkinitrd -v --builtin=module_name                                                        #step5
 sed -i '/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/' /boot/grub/grub.conf         #step6
 reboot                                                                                   #step7

Kernel modules can be loaded directly, loaded as a dependency from another module, or during the boot process -- because of this, we need to take several measures to keep the module from being loaded.

  • [step4 above] Make a backup copy of your initrd.

  • [step5 above] If the kernel module is part of the initrd (boot configuration), rebuild your initial ramdisk image. Use the --builtin=module_name flag to mkinitrd to have it skip the module in question.

  • [step6 above] Append module_name.blacklist to the kernel cmdline. We give it an invalid parameter of blacklist and set it to 1 as a way to preclude the kernel from loading it.

  • [step7 above] Reboot the system at a convenient time to have the changes take effect.


Red Hat Enterprise Linux 4

  • Add the following line to /etc/modprobe.conf:

      alias <module name> off
    
  • If the kernel module is part of the initrd (boot configuration), the initrd should be regenerated. Boot the affected kernel and run the following command to regenerate the affected kernel initrd.

      # mkinitrd /boot/initrd-$(uname -r).img $(uname -r)
    

Remove Module Temporarily

  • It is possible to remove any currently-loaded module by running:

      # modprobe -r <module name>
    

If the module can not be unloaded. A process or another module may still be using the module, terminate the process and unload the module using the module that is being removed.

Loading Modules

The procedure for loading modules is available in the product documentation at:

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

11 Comments

I suggest to add the modules to a separate blacklist configuration file, e.g. /etc/modprobe.d/myblacklist.conf to have a clear distinction between the own blacklisted modules and the distribution shipped configuration file.

Also, after adding the module, the initramfs has to be regenerated to prevent the kernel module to be loaded during the initramfs phase, should the module be part of the initramfs image. To regenerate the initramfs, the user has to issue:

# dracut -f

To prevent the module to be loaded in the initramfs, without regenerating it, the kernel command line parameter rdblacklist=<module name> can be used on the kernel command line for RHEL-6.

For RHEL-7 the kernel command line parameter modprobe.blacklist=<module name> can be used to blacklist the module for the initramfs as well as the real root, without the need to create a modprobe.d configuration file and regeneration of the initramfs.

I have just checked the option above and the dracut option was not required . However you will need to make sure that If the module you are blacklisting is a dependency of another module, the blacklsting will fail. It will be still loaded.

I am new to Linux... But the "install /bin/false" should it be "install /bin/true"?? In the case of (CVE-2015-4167) https://bugzilla.redhat.com/show_bug.cgi?id=1228204. To block UDF module from loading, a file must added to /etc/modprobe.d/ directorywith "install udf /bin/true" to completely disabled UDF? For example, /etc/modprobe.d/udf.conf

Can you help us understand why you would consider /bin/true here to make more sense?
The "install $module /bin/false" will prevent $module from beeing loaded as part of a dependency by an other module. As the activity is not taking place, reporting back "false" seems to be appropriate to me.

Bumping this solution as it appears by the comments an update is needed to the solution.

This doesn't work for me... nothing I do blacklists the zfs module at boot.

I'd imagine because something else is forcibly loading it. This only prevents modprobe and autoloading, if some process attempts to force load it with insmod (zfs init scripts perhaps) it wont fix it. Consult your ZFS provider for information on how to prevent it from loading.

yes, the scripts, which are manually loading modules should use

modprobe -b

or

modprobe --use-blacklist

so, the modprobe honors any blacklist settings.

Link "Red Hat Enterprise Linux 7 System Administrator's Guide: Persistent Module Loading" (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Persistent_Module_Loading.html) is dead

Thank you, should be fixed.

Either dead again ... or moved.