IBM Support

Preventing Built-in Kernel Module From Running

How To


Summary

This document describes how to prevent a kernel module that has been compiled into a kernel from being loaded and run at boot time.

Steps

In the Linux kernel, modules (sometimes known as drivers) can allow new functionality when needed. Rather than building all modules into the kernel, some can be left to load automatically if needed.

The practice of disabling kernel modules, known as blacklisting, is a fairly straightforward way to prevent these loadable modules from being inserted and run. However, if you need to disable a module that has been compiled into the kernel, how would you do that?

One way is to determine the "init" method of the module, and prevent that from running. This method usually initializes the module, setting up things like sockets, opening a device node, or allocating memory to be used.

The init routine may be called different things depending on the module. However, its name usually contains the word "init", and it can be found in the list of symbols the kernel uses, called the System.map file. This is usually found at /boot/System.map-KERNELVERSION, with the one matching the current kernel at /boot/System.map-$(uname -r). The same symbols can also be seen on the running system in /proc/kallsyms.

Searching the System.map file for the module in question will give the symbols and routines added to the kernel by it, and the init routine can be observed as one of these.

To block the init method from being run at boot time, set the kernel variable "initcall_blacklist" in the boot parameters.

One example can be seen using the kernel module "af_alg", which provides a user-space API for Linux kernel cryptographic calls. This module is compiled into the kernel, so the conventional means of using a file in /etc/modprobe.d/ to block it will not work.

So first, we need to search for the initialization routine in either the System.map file or /proc/kallsyms:

root# grep af_alg /boot/System.map-$(uname -r) | grep init

Using /proc/kallsyms the search can be done as a regular user:

$ grep af_alg /proc/kallsyms | grep init

And we find the routine:

000000000148c910 t af_alg_init

To block this from being used at boot time, we need to modify the kernel boot parameters, and add this initialization routine to the list of blocked ones, denoted by the variable "initcall_blacklist".

For Red Hat, use the "grubby" command:

root# grubby --args "initcall_blacklist=af_alg_init" --update-kernel ALL

For other distros, use the appropriate method. For example, on SUSE SLES the preferred way is to use yast2 or yast: select System › Boot Loader › Boot Loader Settings › Kernel Parameters and add the kernel parameter.

After a reboot, the kernel module will not be loaded.
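The search and the post-reboot check described above can be combined into one audit, shown here as an added example that is not part of the original IBM document. The function names, the helper symbol, the "dummy" module and the sample files are constructed for illustration; only af_alg_init and initcall_blacklist come from the page.

```shell
#!/bin/sh
# Added example: check that a built-in module's init routine is blocked.

# Print built-in text symbols for MODULE whose name contains "init".
# A 4th "[module]" field in /proc/kallsyms marks a loadable module, which
# is handled through /etc/modprobe.d/ instead, so those lines are skipped.
find_builtin_init() {   # usage: find_builtin_init MODULE SYMFILE
    awk -v m="$1" 'NF == 3 && ($2 == "t" || $2 == "T") &&
        index($3, m) && $3 ~ /init/ { print $3 }' "$2" | sort -u
}

# Print every initcall_blacklist= entry of a command line, one per line.
# The value is a comma-separated list and the parameter may be repeated.
blacklisted_initcalls() {   # usage: blacklisted_initcalls CMDLINE_FILE
    tr ' ' '\n' < "$1" | sed -n 's/^initcall_blacklist=//p' | tr ',' '\n'
}

# Exit 0 only if SYMBOL is an exact list entry (no substring matches).
is_blocked() {   # usage: is_blocked SYMBOL CMDLINE_FILE
    blacklisted_initcalls "$2" | grep -qxF -- "$1"
}

# Report the status of each candidate init routine of MODULE.
audit_module() {   # usage: audit_module MODULE SYMFILE CMDLINE_FILE
    for sym in $(find_builtin_init "$1" "$2"); do
        if is_blocked "$sym" "$3"; then echo "$sym blocked"
        else echo "$sym NOT-blocked"; fi
    done
}

# Constructed sample data (not taken from a real system).
demo=$(mktemp -d)
cat > "$demo/kallsyms" <<'EOF'
0000000000000000 t af_alg_init
0000000000000000 T af_alg_accept
0000000000000000 t af_alg_init_demo_helper
0000000000000000 t dummy_init_module [dummy]
EOF
echo 'root=/dev/sda1 ro initcall_blacklist=af_alg_init quiet' > "$demo/cmdline"

audit_module af_alg "$demo/kallsyms" "$demo/cmdline"
# On a live system: audit_module af_alg /proc/kallsyms /proc/cmdline
```

A symbol that merely contains "init" (the constructed helper here) is reported as not blocked, which is expected: only the routine named in initcall_blacklist needs to match, and it must match exactly.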

Document Location

Worldwide


Document Information

Modified date:
20 November 2025

UID

ibm17252011