# Disable algif modules (CVE-2026-31431)
# These modules provide the AF_ALG socket interface to the kernel crypto API.
#
# "install <module> /bin/false" makes modprobe run /bin/false instead of
# loading the module, so on-demand autoloading fails. Limits of the mechanism:
#   - a module that is already loaded stays loaded (check lsmod, or reboot);
#   - code built into the kernel is not affected;
#   - root can still bypass it (insmod, or modprobe --ignore-install).
# Verify with: modprobe -n -v algif_aead   (expect "install /bin/false")
#
# NOTE(review): this is a mitigation, not a fix; track the patched kernel in
# the vendor advisory for the CVE above and revisit this block once deployed.
# NOTE(review): software that uses AF_ALG sockets (for example some
# cryptsetup and iwd setups) loses that path; test before rollout.
install algif_aead /bin/false
install algif_skcipher /bin/false
install algif_hash /bin/false
install algif_rng /bin/false
# NOTE(review): algif_akcipher may not exist in this kernel build; the line is
# harmless when the module is absent, but confirm it is intended.
install algif_akcipher /bin/false
# Disable nf_tables (CVE-2023-32233, CVE-2024-1086, CVE-2023-0179)
# Caution: nftables, iptables-nft and firewalld's nftables backend all need
# this module. On a host that relies on any of them the ruleset will fail to
# load, and the host may come up with no packet filtering at all. Confirm the
# host firewall uses a different backend (or that none is required) before
# deploying this line.
# NOTE(review): where nf_tables is required, the usual alternative is a
# patched kernel plus restricting unprivileged user namespaces; check the
# vendor advisories for the CVEs listed above.
install nf_tables /bin/false

# Physical attack vectors
# Prevents modprobe from loading the USB mass-storage, FireWire and
# Thunderbolt drivers, so devices attached to those ports are not handled by
# these modules. modprobe treats "-" and "_" in module names as the same
# character, so "usb-storage" also matches usb_storage.
# Side effects: USB drives stop working, and Thunderbolt docks are likely
# affected as well -- TODO confirm on the target hardware.
# NOTE(review): if any of these drivers is included in the initramfs,
# regenerate it so this file also applies during early boot.
# Verify with: modprobe -n -v usb-storage   (expect "install /bin/false")
install usb-storage /bin/false
install firewire-core /bin/false
install thunderbolt /bin/false

# Rarely needed, potential LPE (local privilege escalation)
# Filesystem drivers that most systems never mount. Blocking autoload keeps
# their image parsers from being pulled in when an untrusted image or device
# is mounted.
# NOTE(review): squashfs is required by snap packages and by many live and
# installer images; udf is used for optical media and by some cloud
# provisioning mechanisms. Confirm neither is in use on the target hosts.
# Verify with: modprobe -n -v squashfs   (expect "install /bin/false"),
# and check lsmod for any of these that were loaded before deployment.
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
