From 3e604618a8ba2531553af4f9af00470bd9629615 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Thu, 2 Nov 2023 10:24:35 +0000
Subject: [PATCH 1/6] harden-module-loading.service

---
 lib/systemd/system/harden-module-loading.service | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 lib/systemd/system/harden-module-loading.service

diff --git a/lib/systemd/system/harden-module-loading.service b/lib/systemd/system/harden-module-loading.service
new file mode 100644
index 00000000..fb6f6fe9
--- /dev/null
+++ b/lib/systemd/system/harden-module-loading.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Disable the loading of modules to the kernel after startup. This could be malicious.
+After=systemd-modules-load.service
+# This functionality is implemented with this and not directly in the sysctl config is
+# to allow systemd-modules-load.service to load the modules with no problem but
+# to disallow anyone else do the same after the system boots up.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading
+
+[Install]
+WantedBy=sysinit.target

From 9f063584c1f96267b04f8f7fe0eee773f9345370 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Thu, 2 Nov 2023 10:28:41 +0000
Subject: [PATCH 2/6] disable-kernel-module-loading

---
 usr/libexec/security-misc/disable-kernel-module-loading | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 usr/libexec/security-misc/disable-kernel-module-loading

diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading
new file mode 100644
index 00000000..47b5f717
--- /dev/null
+++ b/usr/libexec/security-misc/disable-kernel-module-loading
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sysctl -w kernel.modules_disabled=1
+
+echo "The loading of new modules to the kernel has been disabled by security-misc" >&2
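Review bot: `After=systemd-modules-load.service` is the only ordering the unit declares, but that service only handles the modules listed in modules-load.d; modules that udev typically pulls in for detected hardware, and anything the kernel would load on demand later (filesystems, network protocols, netfilter), are not covered, so setting kernel.modules_disabled at this point can leave hardware without a driver. The unit comment should state this limitation explicitly, and the same applies to the `Before=` ordering added in patch 4 of this series. The description also reads as a rationale rather than a label, and the three comment lines are hard to parse; `Description=Disable kernel module loading after systemd-modules-load.service` plus a comment such as `# Done here rather than in sysctl.d so that systemd-modules-load.service can still load its modules; after this unit runs, nobody can.` would say the same thing more clearly.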
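Review bot: The script's exit status is that of the final `echo`, so a failed `sysctl -w kernel.modules_disabled=1` still lets the oneshot unit report success and the system finishes booting with module loading left open; add `set -e` directly after the shebang, or make the sysctl the last command so its status is what the unit sees. A comment above the sysctl line, `## One-way switch: once set, kernel.modules_disabled cannot be cleared again until reboot.`, would also document why the unit has no stop action. Patch 5 later drops the `>&2`, which changes nothing under systemd since both streams go to the journal.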
From 07882f61a8003026a9e4c135a6e18a8fd204060f Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Thu, 2 Nov 2023 10:44:19 +0000
Subject: [PATCH 3/6] enable service on install not sure if this would be the right way to do it

---
 debian/security-misc.postinst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 04410d95..3c9bcb20 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -61,6 +61,8 @@ pam-auth-update --package /usr/libexec/security-misc/permission-lockdown
 permission_hardening
+systemctl enable disable-module-loading.service
+
 ## https://phabricator.whonix.org/T377
 ## Debian has no update-grub trigger yet:
 ## https://bugs.debian.org/481542

From a187d23c4187fd08611e5cba85d09666dfd9f735 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 20:56:08 +0000
Subject: [PATCH 4/6] big fix

---
 lib/systemd/system/harden-module-loading.service | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/systemd/system/harden-module-loading.service b/lib/systemd/system/harden-module-loading.service
index fb6f6fe9..703658cb 100644
--- a/lib/systemd/system/harden-module-loading.service
+++ b/lib/systemd/system/harden-module-loading.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Disable the loading of modules to the kernel after startup. This could be malicious.
 After=systemd-modules-load.service
+Before=sysinit.target
 # This functionality is implemented with this and not directly in the sysctl config is
 # to allow systemd-modules-load.service to load the modules with no problem but
 # to disallow anyone else do the same after the system boots up.

From 19eceaa8108879ee5477b157fb2175993c487959 Mon Sep 17 00:00:00 2001
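Review bot: `Before=sysinit.target` collides with the default dependencies every service unit receives implicitly (`Requires=` and `After=` on sysinit.target), so the added line creates an ordering cycle that systemd breaks by dropping one of the jobs, quite possibly this unit's, and the lock would then silently never be applied. Units that must run before sysinit.target opt out with `DefaultDependencies=no`, as systemd-modules-load.service itself does, and then declare the shutdown ordering by hand with `Conflicts=shutdown.target` and `Before=sysinit.target shutdown.target`. Since the unit is then part of early boot, a short comment above `Before=` explaining why default dependencies are disabled would help the next maintainer.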
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 20:56:46 +0000
Subject: [PATCH 5/6] more fix

---
 usr/libexec/security-misc/disable-kernel-module-loading | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading
index 47b5f717..6d4d25de 100644
--- a/usr/libexec/security-misc/disable-kernel-module-loading
+++ b/usr/libexec/security-misc/disable-kernel-module-loading
@@ -2,4 +2,4 @@
 
 sysctl -w kernel.modules_disabled=1
 
-echo "The loading of new modules to the kernel has been disabled by security-misc" >&2
+echo "The loading of new modules to the kernel has been disabled by security-misc"

From 2e64d89b042227fe5f38bb6d6a859deb4c5183b7 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 21:18:45 +0000
Subject: [PATCH 6/6] undo unnecessary manual activation

---
 debian/security-misc.postinst | 2 --
 1 file changed, 2 deletions(-)

diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 3c9bcb20..04410d95 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -61,8 +61,6 @@ pam-auth-update --package /usr/libexec/security-misc/permission-lockdown
 permission_hardening
-systemctl enable disable-module-loading.service
-
 ## https://phabricator.whonix.org/T377
 ## Debian has no update-grub trigger yet:
 ## https://bugs.debian.org/481542