I'd propose to add a per-process flag to irrevocably deny any loading of
kernel modules for the process and its children. The flag could be set
(but not unset) via prctl() and for unprivileged processes, only when
NoNewPrivileges is also set. This would be similar to CAP_SYS_MODULE,
but unlike capabilities, there would be no issues with namespaces since
the flag isn't namespaced.
The implementation should be very simple.
Preferably the flag, when configured, would be set by systemd, Firejail
and maybe also container managers. The expectation would be that the
permission to load modules would be retained only by udev and where SUID
needs to be allowed (NoNewPrivileges unset).
-Topi