/usr/local/lib/modprobe.d/*.conf is ignored

Hi,

The man page of modprobe.d specifies possible locations of *.conf files. One of them is:

/usr/local/lib/modprobe.d/*.conf

However, when I put there a valid config file (which works in /etc/modprobe.d/), it has no effect, even with nothing in /etc/modprobe.d. It doesn’t matter if I do this in template or in AppVM.

Is that something specific to Qubes due to how it handles /rw?

Yeah your module is probably being loaded too soon, before the usr-local.mount unit.

Thanks for the quick reply!

What other ways to handle per-VM kernel modules blacklisting can be used? (Besides modifying qvm-prefs <VM> kernelopts)

None that I know of.

systemd service with after=usr-local.mount and modprobe invocation maybe?
Use bind-dirs to insert your own *.conf to /etc/modprobe.d/?

@KitsuneNoBaka

Won’t that delay blacklisting too much, thus allowing something to step in earlier (including through /rw) and (mis)use a module before it gets blacklisted?

Dunno, but if you can’t load the blacklist from /usr/lib/modprobe.d/ then try from /etc/modprobe.d/, and for that to work per qube there is bind-dirs. It runs before rc.local, and if you do it with systemd service files you don’t need to reload systemd, so it means it runs before, I think.

bind-dirs uses the ‘private’ volume that’s mounted at /rw, so it’s too late just like /usr/local (which is really /rw/usrlocal).

If unloading (rather than only blacklisting) the module works for your use case, you could do that in rc.local

What about inserting files into /etc/modprobe.d/ by a script run from /etc/rc.d/, created in the template but active only in a given qube, using qvm-features appVMqube vm-config.modprobe-blacklist myblacklist.sh and an rc.d script that reads qubesdb-read /vm-config/modprobe-blacklist and executes myblacklist.sh?

myblacklist.sh would still need to read the list of modules from a mounted /rw or bind dir, i.e. time-wise it should not be different, I guess.
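The rc.local unload suggestion and the qvm-features idea above, combined as an added example (not code from the thread or from Qubes itself): it assumes the vm-config.modprobe-blacklist feature holds the space-separated module names themselves rather than a script name, so nothing has to be read from /rw, and that apply_blacklist is called from /rw/config/rc.local on each boot.

```shell
#!/bin/sh
# Added example: per-qube module blacklist applied late, from rc.local.
# Assumption: the qube's vm-config.modprobe-blacklist feature holds a
# space-separated list of module names (exposed at /vm-config/modprobe-blacklist).
set -eu

# Read the list from QubesDB; empty if the feature is not set.
read_blacklist() {
    qubesdb-read /vm-config/modprobe-blacklist 2>/dev/null || true
}

# Accept only plain module names; anything else is dropped so a
# malformed feature value cannot inject arbitrary modprobe.d directives.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit modprobe.d lines for the given names: "blacklist" stops alias-based
# autoloading, "install ... /bin/false" also refuses an explicit modprobe.
gen_blacklist_conf() {
    for m in "$@"; do
        valid_name "$m" || { echo "skipping bad module name: $m" >&2; continue; }
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Unload any listed module that is already loaded (the blacklist alone cannot
# undo a module loaded before /rw was mounted). Prints each name it unloads.
unload_loaded() {
    for m in "$@"; do
        valid_name "$m" || continue
        if grep -q "^$m " /proc/modules; then
            modprobe -r "$m" && echo "$m"
        fi
    done
}

# Write the conf file, then unload whatever is already present.
apply_blacklist() {
    conf=${1:-/etc/modprobe.d/qube-blacklist.conf}
    shift
    gen_blacklist_conf "$@" > "$conf"
    unload_loaded "$@"
}

# From rc.local (word splitting of the feature value is intended here):
# apply_blacklist /etc/modprobe.d/qube-blacklist.conf $(read_blacklist)
```

The conf file only protects against later loads; as noted earlier in the thread, anything loaded before /rw is mounted has to be removed with the unload step, and a module still in use cannot be removed at all.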

The problem I see with kernelopts is that it might be challenging to have a long list of modules. Do you guys know what is the limit of that string?