ModuleJail Blocks Unused Linux Kernel Modules to Limit Attack Surface
https://linuxiac.com/modulejail-blocks-unused-linux-kernel-modules-to-limit-attack-surface/
Publish Date: 2026-05-18 09:26:00
Source Domain: linuxiac.com
After three critical Linux kernel vulnerabilities, Copy Fail, Dirty Frag, and Fragnesia, were reported in just two weeks, the Linux community began looking for ways to address the problem.
One proposed solution was Kernel Killswitch, and now a similar idea has emerged: ModuleJail – a Linux hardening project that blacklists unused kernel modules to reduce the attack surface from recent local privilege escalation flaws.
ModuleJail is implemented as a single POSIX shell script. It scans currently loaded modules, compares them to the full module tree under /lib/modules/$(uname -r), and creates a modprobe.d blacklist for unused modules. By default, the blacklist is saved at /etc/modprobe.d/modulejail-blacklist.conf.
In fact, most Linux systems include thousands of kernel modules, but use only a small subset. If an unused module contains a privilege escalation flaw, the system remains at risk if the module can be loaded later. ModuleJail addresses this by preventing unused modules from being autoloaded.
It is important to understand that ModuleJail does not patch these vulnerabilities or detect vulnerable modules. Instead, it takes a broader defensive approach by limiting access to unnecessary kernel functionality.
According to the documentation, ModuleJail preserves modules already loaded on the host, a built-in baseline of essential modules, and any modules specified in an optional sysadmin whitelist. All other modules are blacklisted using install /bin/true directives in a modprobe.d-compatible file.
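To make that mechanism concrete, the following is an added example, not ModuleJail's own script: a POSIX shell function that derives the blacklist from the three preserved sets described above (loaded modules, baseline, whitelist) and emits install /bin/true directives for everything else. The module tree listing, the loaded-module list, the baseline entry and the whitelist entry are constructed sample data, so the demo runs without touching the host's /etc/modprobe.d.

```shell
#!/bin/sh
# Added example (not ModuleJail's own code): the core of the ModuleJail idea as
# a shell function. It takes the list of modules present in the module tree and
# the lists to preserve (currently loaded, baseline, whitelist), and prints an
# "install <module> /bin/true" line for everything else, i.e. the content of a
# modprobe.d blacklist. Names are normalised '-' -> '_' as modprobe does.

modulejail_blacklist() {
  # $1 = available modules, $2 = loaded, $3 = baseline, $4 = whitelist
  # (each a newline-separated list). __AVAIL__ is a sentinel that separates
  # the keep lists from the available list inside a single awk pass.
  printf '%s\n' "$2" "$3" "$4" "__AVAIL__" "$1" | tr '-' '_' | awk '
    NF == 0           { next }                 # ignore blank lines
    $1 == "__AVAIL__" { in_avail = 1; next }   # switch from keep lists to available list
    !in_avail         { keep[$1] = 1; next }   # remember every module to preserve
    !($1 in keep) && !($1 in seen) {           # blacklist each unused module once
      seen[$1] = 1
      print "install " $1 " /bin/true"
    }' | sort
}

# Constructed samples standing in for the live host. On a real host these would
# come from the module tree and /proc/modules, e.g.:
#   find "/lib/modules/$(uname -r)" -name '*.ko*' | sed 's|.*/||; s|\.ko.*||'
#   cut -d' ' -f1 /proc/modules
SAMPLE_AVAILABLE='ext4
xfs
nf_tables
floppy
usb-storage
dccp
overlay'
SAMPLE_LOADED='ext4
nf_tables
overlay'
SAMPLE_BASELINE='usb_storage'   # assumed baseline entry; the real built-in list differs
SAMPLE_WHITELIST='xfs'          # assumed sysadmin whitelist entry

# Write the blacklist to the path given as $1 (default: a file under /tmp, not
# /etc/modprobe.d, so a demo run cannot change the host configuration).
write_blacklist() {
  out=${1:-/tmp/modulejail-blacklist.conf}
  {
    echo "# Generated from a constructed sample, not this host's module state"
    modulejail_blacklist "$SAMPLE_AVAILABLE" "$SAMPLE_LOADED" "$SAMPLE_BASELINE" "$SAMPLE_WHITELIST"
  } > "$out"
  echo "$out"
}
```

With the sample data only floppy and dccp end up blacklisted; ext4, nf_tables and overlay survive because they are loaded, usb_storage because of the baseline, and xfs because of the whitelist.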
ModuleJail is intended as a one-time hardening tool, not a background service. It does not include a daemon, continuous monitoring, CVE database lookup, module risk scoring, or AI features. Its approach relies solely on whether a module is currently loaded on a known-good system.
This safety model also defines its main limitation. ModuleJail should be run only after the system reaches a steady state, with all services started, filesystems…