modulejail: Proactively shrink a Linux host's kernel-module attack surface by blacklisting every module not currently in use
modulejail, a new open-source tool from developer J. Nuyens, aims to shrink the Linux kernel's attack surface by blacklisting all kernel modules not currently in use. The tool works by analyzing the currently loaded modules on a host, then generating a blacklist configuration that prevents any other modules from being loaded automatically. This proactive approach ensures that only necessary modules are available, reducing the risk of exploitation via unused or vulnerable kernel modules. The project is hosted on GitHub and is available under an open-source license.

By default, Linux systems may load modules on demand when hardware is detected or when certain functionality is requested, which can inadvertently introduce security holes. modulejail locks down the module loading process, requiring explicit approval for any new module. This is particularly useful for servers and embedded systems where the kernel module set is static and well-defined.

The tool does not remove modules that are already loaded; it only prevents future automatic loading of blacklisted modules. Users can still manually load modules if needed. The project includes scripts to generate the blacklist and integrate with systemd or initramfs. This approach complements other security measures like kernel hardening and SELinux.
Reduces kernel attack surface by blocking unused modules, lowering vulnerability risk.
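The following is an added example, not modulejail's own code (the project's scripts are not reproduced here): a POSIX shell sketch of the set difference the article describes, plus the pre-install sanity check a practitioner wants before dropping the result into /etc/modprobe.d/. It assumes the two inputs come from /proc/modules and the kernel's module tree under /lib/modules, and it relies on the modprobe.d `blacklist` semantics the article implies: a blacklisted module is no longer pulled in through its aliases (udev or on-demand loading), while an explicit `modprobe name` still loads it.

```shell
#!/bin/sh
# modulejail-style blacklist generation (added example, not the project's code).
# Both functions take plain files of module names, one per line, so the logic
# runs offline on constructed data. On a real host the lists would come from
# these assumed sources:
#   loaded:    awk '{print $1}' /proc/modules
#   available: find "/lib/modules/$(uname -r)" -name '*.ko*' | sed 's#.*/##; s/\.ko.*//'
set -eu

# Emit one "blacklist <name>" line per available module that is not loaded.
# Names are normalised so '-' and '_' compare equal, since modprobe treats them
# as interchangeable; duplicates are collapsed and the output is sorted.
gen_blacklist() {
    awk '
        { gsub(/-/, "_") }
        FILENAME == ARGV[1] { loaded[$1] = 1; next }   # first file: loaded set
        $1 != "" && !($1 in loaded) && !seen[$1]++ { print "blacklist " $1 }
    ' "$1" "$2" | LC_ALL=C sort
}

# Sanity check before installing the file: return 1 and name the offenders if
# any currently loaded module appears in the blacklist, which would mean the
# loaded-module snapshot is stale or was taken on a different host.
check_blacklist() {
    awk '
        { gsub(/-/, "_") }
        FILENAME == ARGV[1] { loaded[$1] = 1; next }   # first file: loaded set
        $1 == "blacklist" && ($2 in loaded) { bad++; print "loaded module is blacklisted: " $2 }
        END { if (bad) exit 1 }
    ' "$2" "$1"
}

# Constructed sample data standing in for /proc/modules and the module tree.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' ext4 xfs nf_conntrack > "$tmp/loaded"
printf '%s\n' ext4 xfs nf-conntrack dccp sctp rds usb_storage usb-storage > "$tmp/available"

gen_blacklist "$tmp/loaded" "$tmp/available" > "$tmp/modulejail.conf"
check_blacklist "$tmp/modulejail.conf" "$tmp/loaded"
cat "$tmp/modulejail.conf"
# prints:
# blacklist dccp
# blacklist rds
# blacklist sctp
# blacklist usb_storage
```

Because `blacklist` only disables alias-based autoloading, a stricter variant would emit `install <name> /bin/false` lines instead, which also refuses explicit loads; the article's tool keeps manual loading possible, so the example stays with `blacklist`.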