Linux kernel module management is the process of adding and removing kernel functionality as needed. A Linux kernel module is a self-contained driver library file. The advantage of modules, versus including all module features into the Linux kernel, is that it keeps the Linux kernel lighter and more easily customizable by the end users. As an added bonus, modules can be added/removed from the kernel dynamically, without rebooting the system.
In this article on Linux kernel module management, Secur examines:
- Types of kernel modules
- Files storage location, and
- Module configuration file locations.
- Dynamic linking and unlinking of modules.
- Viewing module information.
- Remove Linux kernel modules.
Understanding Linux Kernel Modules
Kernel modules can be classified into the following categories
- Device driver: Facilitates communication with hardware devices.
- Executable loader: Allows additional executable formats to load.
- Filesystem driver: Required for filesystem IO.
- Network driver: Implement network protocols.
- System calls: Provides functions for adding/modifying system services.
The screenshot below shows the different files and directories you will encounter when working with modules:
- Modules required to support a kernel are stored in the /lib/modules/ directory tree.
- In the first example below, note that each Linux kernel version on a system has its own subdirectory within the “/lib/modules/ directory”.
- As with all Linux distributions, there may be some variation in the implementation of this directory.
- The last two examples show the that the /lib/modules/ directory the /usr/lib/modules/ directory are hard linked to one another and are the same directory with different names as demonstrated by the same inode number.
As with everything Linux, kernel modules are customizable to define any parameters required (e.g. hardware settings essential) for the device to operate. Older Linux distributions handle customization through a single configuration file, “/etc/modules.conf“, while have the following configuration directories (Within each configuration directory there are multiple configuration files that have a .conf file extension name as can bee seen in the screenshot below):
- “/etc/modprobe.d/” or “/etc/modules-load.d/“: configuration files generated at system installation or created by an administrator.
- “/lib/modprobe.d/“: holds third-party software generated configuration files.
- “/usr/lib/modprobe.d/“: may or may not exists; often hard linked to “/lib/ modprobe.d/” directory.
- “run/modprobe.d/“: holds runtime generated configuration files.
The “systemd-modules-load.service” handles loading kernel modules at boot time in “systemd” systems; you can find the directories it may load modules from by using “grep” on the service unit file to search for the “ConditionDirectoryNotEmpty” directive.
Many device driver kernel modules load at either:
- System boot time
- Dynamically when hardware devices attached to the system.
There are a number of utilities you can use if there are problems with loading of device driver kernels:
- dmesg: Displays the current kernel ring buffer, a fixed-size memory data structure in memory.
- Shaped more like a tube than a ring.
- As new messages enter into the buffer, older messages move toward the structure’s end and the oldest messages “drop out” of the buffer.
- Module failure sometimes triggers a kernel message that is viewable with the “dmesg” command.
- Some distributions may take a snapshot of the kernel ring buffer at start up and store the data in a file (usually “/var/log/dmesg” file). Both of these ring buffer information sources can help you track down kernel module problems.
- As seen in the screenshot below, “dmesg” outputs the current kernel ring buffer to STDOUT. In this screenshot, we used “dmesg” to with grep to search for module messages related to the term “module”.
- Shaped more like a tube than a ring.
- lsmod: brief module information. The second example in the screenshot below shows the use of the command to show module status. Each module is listed on a separate line, and shows the number of processes or modules using it as well as if another kernel module is using it.
- The “/proc/modules” file’s contents provides the same information that “lsmod” does.
- modinfo: Find out more detailed information concerning a particular kernel module via the modinfo utility. The second screenshot below shows it being used to get information on the “drm” kernel module, including the module’s version number.
- Kernel module files usually have the .ko file extension.
Installing Linux Kernel Modules
n most situations, Linux automatically loads modules on an as needed basis, but this doesn’t do much if you want to experiment with a new module configuration or module. In these situations, you will need to get your hands dirty with some manual Linux kernel module management as you will need to know how to insert/load modules using the following utilities.
- insmod: Allows the insertion of a single module into the Linux kernel.
- Must provide an absolute directory reference to the module file.
- Does not load any needed module dependencies.
- In the screenshot below, the system is checked for a loaded module named of “cmac” using “lsmod” and it is not found.
- “insmod” inserts the module into the kernel using its full file name and directory location.
- “lsmod” runs again to show that the module is loaded into the kernel.
- modprobe: Easier to use than “insmod” as you can indicate modules by their module name (as seen in the screenshot below).
- Also loads any dependencies.
- The “modprobe” command used the “-v” switch to display more information while it inserts the indicated “dm_mirror” module as well as its unloaded dependencies.
- In the screenshot below, you can see the loading of the 2 dependencies in addition to the “dm_mirror” module
- Works by calling the insmod utility to perform the insertions.
- Also loads any dependencies.
- As demonstrated in the screenshot below “modprobe” uses the “modules.dep” file, located in the “/lib/modules/” subdirectory, to determine any module dependencies.
- Using the “grep” program, the modules.dep file is searched for the word “mirror” to discover dependencies, and locate the module’s file name within the file. After the colon (:), the module’s dependencies are listed by their full module file name.
- For the dm_mirror modules (dm-mirror.ko), the module dependencies are:
- dm-region-hash.ko
- dm-log.ko
- For the dm_mirror modules (dm-mirror.ko), the module dependencies are:
- depmod: Scans through the system in order to find hardware that was not automatically detected.
- Used for troubleshooting problems with new devices.
- The screenshot below shows the “depmod” utility:
- Scanning the system
- Determining any needed modules
- Reviewing modules’ dependencies,
- Updating the appropriate modules.dep file.
- Displays its activity to STDOUT.
Removing Linux Kernel Modules
Knowing how to remove things (old clothes, ex spouses, etc) from aspects of your life is an important skill and is a critical part of Linux Kernel Module Management as some modules represent critical security risks and there are two Linux modules you will rely on:
- rmmod: Removes a module with no dependencies.
- Understands module names
- Once the module is removed, the “lsmod” utility no longer displays the module’s name.
- modprobe: Add the “-r” switch to remove modules that have dependencies.
- Using the “-v “switch provides progress output
- If the module was not loaded to begin with, you get no feedback and just get a command-line prompt.
