HEADS UP: Modification of the semantics of hardening.pax.kmod_load_disable

Shawn Webb

May 27, 2026, 5:15:23 PM
to HardenedBSD Users
Hey all,

Just a little heads up: I added logic to the
hardening.pax.kmod_load_disable sysctl node. Previously, setting the
node to any non-zero value meant a reboot was required to set it back
down to 0. I've modified that logic a bit:

0: Permit loading kernel modules
1: Prohibit loading kernel modules
2: Prohibit loading kernel modules, require reboot to re-enable
support

Since changing this logic is a bit of a POLA violation, I thought it
warranted a notice to the community. Users who set it to 1 previously
would do well to evaluate whether setting it to 2 makes sense (I would
think it should.)

Link to commit:
https://radicle.network/nodes/rad.hardenedbsd.org/rad%3Az2HLHXgL1xevBNQsf8BmQW7MpJmtm/commits/b3292e2e45238a31fe220af075260de0bc74eac3

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 (719) 756-1197 / shawn_webb_opsec.02
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
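
An added example, not part of the original message and not HardenedBSD's own code: a POSIX sh audit of a sysctl.conf-style file that flags a configuration still using 1 where 2 may now be intended. The function names, verdict labels, sample file and last-assignment-wins parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not HardenedBSD code): audit a sysctl.conf-style file for
# hardening.pax.kmod_load_disable using the 0/1/2 meanings given in the post.
NODE="hardening.pax.kmod_load_disable"

# Print the value of the last assignment to $NODE in file $1 (nothing if absent).
# Assumption: "name=value" lines, "#" starts a comment, last assignment wins.
kmod_conf_value() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v node="$NODE" '$1 == node { v = $2 } END { if (v != "") print v }'
}

# Map a value to a verdict (verdict names are this example's own).
kmod_classify() {
    case "$1" in
        "") echo "unset" ;;
        0)  echo "permit" ;;    # module loading permitted
        1)  echo "review" ;;    # prohibited, but only 2 requires a reboot to re-enable
        2)  echo "locked" ;;    # prohibited until reboot
        *)  echo "invalid" ;;
    esac
}

kmod_audit() {
    kmod_classify "$(kmod_conf_value "$1")"
}

# Constructed sample input: a config written before the change, using 1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not from a real host
security.bsd.see_other_uids=0
hardening.pax.kmod_load_disable=1   # set before the semantics changed
EOF
echo "$NODE: $(kmod_audit "$sample")"
rm -f "$sample"
```

On a running system, the live value from `sysctl -n hardening.pax.kmod_load_disable` can be passed to `kmod_classify` in the same way.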