News: 0183243197


Sysadmin Creates 'ModuleJail' To Automatically Blacklist Unused Kernel Modules (github.com)

(Sunday May 17, 2026 @11:34AM (EditorDavid) from the do-not-pass-Go dept.)


Long-time Slashdot reader [1]internet-redstar shares an interesting response to "the recent wave of Linux kernel privilege escalation vulnerabilities like '[2]Copy Fail' and '[3]Dirty Frag'":

> Belgian Linux sysadmin and Tesla Hacker "Jasper Nuyens" got tired of the idea of manually blacklisting dozens or even hundreds of obscure kernel modules across large fleets of Linux systems in the near future. So he wrote [4]ModuleJail, a GPLv3 shell script that scans a running Linux system and automatically blacklists currently unused kernel modules, reducing kernel attack surface without requiring a reboot. The idea is simple: many modern Linux privilege escalation bugs target obscure or rarely used kernel functionality that is still enabled by default on servers that do not actually need it. [5]ModuleJail works across major distributions including Debian, Ubuntu, RHEL, Fedora, AlmaLinux and Arch Linux, generating 1 modprobe blacklist rules file while preserving commonly-used modules.

>

> Nuyens argues that the increasing speed of AI-assisted vulnerability discovery will likely turn kernel hardening and attack surface reduction into a much bigger operational priority for sysadmins over the next few weeks and months.



[1] https://slashdot.org/~internet-redstar

[2] https://it.slashdot.org/story/26/04/30/207231/new-linux-copy-fail-vulnerability-enables-root-access-on-major-distros

[3] https://linux.slashdot.org/story/26/05/08/1913238/new-linux-dirty-frag-zero-day-gives-root-on-all-major-distros

[4] https://github.com/jnuyens/modulejail/tree/master

[5] https://github.com/jnuyens/modulejail/tree/master
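The approach the submission describes (compare what is loaded with what is installed, then write modprobe rules for the rest), as an added example that is not ModuleJail's code and does not reproduce its options or output format. The function names, the sample module lists and the keep-list are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not ModuleJail's code. All sample data is constructed.

# Constructed sample in /proc/modules format: name size refcount users state addr
sample_loaded() {
cat <<'EOF'
ext4 1142784 2 - Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
e1000e 356352 0 - Live 0x0000000000000000
EOF
}

# Constructed list of installed module names. On a live host these would be
# the *.ko* file names under /lib/modules/$(uname -r), suffix stripped.
sample_available() {
    printf '%s\n' ext4 mbcache e1000e sctp dccp rds af-key
}

# gen_rules LOADED AVAILABLE KEEP
#   LOADED    file in /proc/modules format
#   AVAILABLE file with one module name per line
#   KEEP      space-separated names never to block (hypothetical keep-list)
# Prints modprobe.d rules to stdout; it never writes under /etc.
gen_rules() {
    awk -v keep="$3" '
        # Module names treat "-" and "_" as equivalent; compare normalised.
        function norm(n) { gsub(/-/, "_", n); return n }
        BEGIN { c = split(keep, k, " "); for (i = 1; i <= c; i++) skip[norm(k[i])] = 1 }
        FILENAME == ARGV[1] { skip[norm($1)] = 1; next }   # currently loaded
        { m = norm($1) }
        m != "" && !(m in skip) && !(m in seen) {
            seen[m] = 1
            print "blacklist " m              # ignore alias-based autoload
            print "install " m " /bin/false"  # make explicit modprobe fail
        }
    ' "$1" "$2"
}

# Demo run on the constructed samples, keeping sctp available.
tmp=$(mktemp -d)
sample_loaded > "$tmp/loaded"
sample_available > "$tmp/avail"
gen_rules "$tmp/loaded" "$tmp/avail" "sctp"
rm -rf "$tmp"
```

A `blacklist` line on its own only stops alias-triggered autoloading, which is why each module also gets an `install ... /bin/false` line. Neither directive unloads a module that is already loaded, so review the generated rules against hardware or filesystems that are only attached occasionally before deploying them.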



Old times (Score:2)

by ThePhilips ( 752041 )

Remember the old times when kernel modules were considered a security risk, thus disabled altogether?

When OpenBSD was boasting its monolithic kernel as a security feature?

IIRC, some commercial *nix OSs didn't have modules for reasons of being archaic fossils. But then more recently, couple decades later, also rebranded it into a safety and a security feature.

Great idea. (Score:2)

by Petersko ( 564140 )

I followed something similar in philosophy when I was supporting a mammoth critical legacy system. Not quite as automated, of course. I had sat down with the clients to go over the module list to see what we could deprecate. Turns out they thought nothing was okay to remove. Two years later I embarked on a strategy.

- Identified a series of modules and functions I thought were disused

- Installed logging to identify access and usage, and monitored it for a period

- Turned stuff off and waited for somebody to c
