Harden the Linux kernel. Lock down modules you never use.

ModuleJail blocks on-demand loading of the kernel modules your system doesn't use - closing a path a local user or service account could use to exploit a bug in an obscure module and escalate to root.

Latest stable: v1.4.0

Reduce attack surface

Blocks autoloading of the kernel modules you never use, so the next bug in a module you don't run can't be reached.

Keeps what you use

Snapshots the modules your steady-state host actually loads and preserves them - everything unused gets blacklisted. No guesswork, no AI.

One script

A single POSIX shell script. No daemon, no agent, no telemetry - small enough to read end to end before you run it.

Why?

On-demand kernel-module autoloading runs modprobe as root via request_module() whenever an ordinary, unprivileged syscall needs an absent module - opening a socket(AF_VSOCK …), calling ioctl(TIOCSETD, …), and similar.

ModuleJail shrinks the set of modules that can be autoloaded. By disabling or guarding modules a system never legitimately uses, it removes attack surface you never use - closing the path by which a local unprivileged user or service account pulls in an obscure, buggy module and rides it to root.

What you get

  • Logs blocked attempts. Blocked autoload attempts are written to syslog (tag modulejail) by default, so they surface in journalctl -t modulejail instead of passing silently.
  • Profiles for servers and laptops. Choose conservative (servers and VMs, the default), desktop (laptops - keeps WiFi, Bluetooth, audio and video), or minimal.
  • Custom whitelists. Always keep site-specific modules, via an in-script WHITELIST= or an external /etc/modulejail/whitelist.conf.
  • Stays out of the initramfs. An opt-in hook strips the blacklist from rebuilt initramfs images, so a kernel upgrade can't bake in a stale blacklist and brick the next boot - the .deb, .rpm and AUR packages wire it up automatically.
  • Packages, plus a one-liner. In the official Debian archive (apt install modulejail) and the AUR for Arch and Manjaro; prebuilt .deb and .rpm on each GitHub release; and a one-line install for every other distro. See install options.
  • Instant off switch. Remove a single file to disable everything - instantly, with no reboot (the exact command is in the operational caveat below).

What ModuleJail does and does not do

What it does

  • Hardens against local privilege escalation - it shrinks the on-demand autoload surface a local unprivileged user or service account could use to reach root.
  • Protects best against the unknown: its value is largest against not-yet-discovered or unpatched bugs in modules you never use - surface you remove can't be exploited later.
  • Aids logging and troubleshooting by surfacing unexpected or malicious module-load events rather than letting them pass unseen.

What it does NOT do

  • It does NOT save memory - shrinking attack surface is not a resource optimization.
  • It does NOT protect against an attacker who already has root: it raises the unprivileged-to-root bar, not root-to-anything.
  • It makes NO remote-network protection claim - module autoload is overwhelmingly a local trigger surface.

Operational caveat

Adding new functionality to a running server can require un-jailing a module first - friction by design. ModuleJail logs these cases rather than failing silently. Removing the jail takes effect immediately:

sudo rm /etc/modprobe.d/modulejail-blacklist.conf

Install modulejail v1.4.0

Recipe for Any Linux Distribution

  1. Install

    Any Linux Distribution

    curl -fsSL https://raw.githubusercontent.com/jnuyens/modulejail/v1.4.0/modulejail | sudo sh

    It's a single POSIX shell script, so read it first: download it with -o /tmp/modulejail, inspect it, then run it.

    Debian / Ubuntu

    sudo apt install modulejail

    In the official Debian repository (unstable and testing).
    On Ubuntu LTS or Debian stable, install the published package directly (it will be in the next release for Ubuntu LTS and Debian stable):

    wget https://github.com/jnuyens/modulejail/releases/download/v1.4.0/modulejail_1.4.0_all.deb
    sudo apt install ./modulejail_1.4.0_all.deb

    RHEL / Rocky / Alma / Fedora

    sudo dnf install https://github.com/jnuyens/modulejail/releases/download/v1.4.0/modulejail-1.4.0-1.noarch.rpm

    Arch / Manjaro

    yay -S modulejail

    From the AUR with any helper (paru, pikaur, ...). Or build it manually:

    git clone https://aur.archlinux.org/modulejail.git
    cd modulejail
    makepkg -si
  2. Use it

    sudo modulejail

    Run once on a steady-state host: it snapshots the modules in use and blacklists the rest. Remove the file to undo, no reboot needed.

    Example output
    modulejail: blacklisted 6363 of 6474 unused modules
  3. Confirm

    less /etc/modprobe.d/modulejail-blacklist.conf

    Inspect the generated blacklist - one install line per disabled module. Full reference: man 8 modulejail.

    Example output
    # install-line: /bin/sh + logger (syslog tag: modulejail)
    install dccp /bin/sh -c 'logger -t modulejail "blocked: dccp"; exit 0'
    install sctp /bin/sh -c 'logger -t modulejail "blocked: sctp"; exit 0'
    install rds  /bin/sh -c 'logger -t modulejail "blocked: rds"; exit 0'

Documentation

Understanding profiles

Profiles decide which modules ModuleJail always keeps, regardless of what is loaded at run time:

  • minimal - core filesystems and essential modules only.
  • conservative (default) - minimal plus common server / VM drivers; the right choice for bare-metal and virtualised servers.
  • desktop - conservative plus WiFi, Bluetooth, audio, video and SD-card drivers; use it on laptops and workstations.

Select one with -p:

sudo modulejail -p desktop

Learning mode

ModuleJail does not guess and does not monitor over time. It reads the modules your host has loaded right now (/proc/modules) and keeps exactly that set, plus the chosen profile and your whitelist - everything else is blacklisted. So run it once the host is in a known-good, steady state: all services started, all drivers loaded.

Preview the would-be blacklist without writing anything:

sudo modulejail --dry-run

Once the jail is active, syslog records every blocked (failed) module-load attempt, so you can see exactly which modules a workload tried to pull in.

Need to enable new functionality that requires a blacklisted module? Remove the file, activate the functionality, then run ModuleJail again to regenerate the blacklist with the new module included:

sudo rm /etc/modprobe.d/modulejail-blacklist.conf
sudo modulejail

Custom whitelists

Keep site-specific modules beyond the baseline, two ways:

  • edit the WHITELIST= line near the top of the script, or
  • list them in /etc/modulejail/whitelist.conf (one module per line; auto-detected). The file must be owned by root and writable only by root; otherwise ModuleJail refuses to run.

For example, to always keep the CIFS client module:

echo cifs | sudo tee -a /etc/modulejail/whitelist.conf
sudo modulejail
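The snapshot-and-blacklist step described above (the install lines shown in the Confirm step, the profile keep-set, and the root-only whitelist rule) as an added example that is not ModuleJail's own code. It replaces the real reads of /proc/modules and /lib/modules with constructed module lists passed in as arguments, and the profile baseline below is a stand-in, not the tool's real conservative list; the only external dependency is GNU coreutils stat for the file wrapper.

```sh
#!/bin/sh
# Added example, not part of ModuleJail: the snapshot-and-blacklist step on
# constructed input so it runs offline. Assumption: the available and loaded
# module sets arrive as newline-separated strings instead of being read from
# /lib/modules/$(uname -r) and /proc/modules.

# One install line per blocked module, in the format of the page's example
# output: modprobe runs this command instead of loading the module, so the
# attempt is logged and the module stays absent.
install_line() {
    printf "install %s /bin/sh -c 'logger -t modulejail \"blocked: %s\"; exit 0'\n" "$1" "$1"
}

# Whitelist trust rule: only root may be able to write the file, otherwise an
# unprivileged user could un-jail modules by editing it.
# $1 = owner uid, $2 = octal mode as printed by GNU stat (%u and %a).
mode_is_safe() {
    [ "$1" = 0 ] || return 1
    case "$2" in
        *[2367]?|*[2367]) return 1 ;;   # group or other write bit set
    esac
    return 0
}

# Same rule applied to a real path (assumes GNU coreutils stat). A missing
# whitelist is fine: the file is optional.
whitelist_is_safe() {
    [ -e "$1" ] || return 0
    mode_is_safe "$(stat -c %u "$1")" "$(stat -c %a "$1")"
}

# $1 = every module available on disk, $2 = modules loaded right now,
# $3 = keep-set (profile baseline plus whitelist); each newline-separated.
# Prints an install line for every available module that is neither loaded
# nor in the keep-set. Loaded modules are kept exactly as the page describes.
build_blacklist() {
    keep=$(printf '%s\n%s\n' "$2" "$3" | sort -u)
    printf '%s\n' "$1" | sort -u | while read -r m; do
        [ -n "$m" ] || continue
        printf '%s\n' "$keep" | grep -qxF -- "$m" && continue
        install_line "$m"
    done
}

# Constructed sample sets; a real host has thousands of available modules.
AVAILABLE=$(printf 'dccp\nsctp\nrds\next4\ncifs\niwlwifi\nvirtio_net')
LOADED=$(printf 'ext4')
PROFILE_BASELINE=$(printf 'xfs\nvirtio_net')   # stand-in for a profile, not the real list
WHITELIST=$(printf 'cifs')
KEEP=$(printf '%s\n%s' "$PROFILE_BASELINE" "$WHITELIST")

# Preview, like --dry-run: print the lines instead of writing them to
# /etc/modprobe.d/modulejail-blacklist.conf.
build_blacklist "$AVAILABLE" "$LOADED" "$KEEP"
```

With these inputs ext4 survives because it is loaded, virtio_net because the profile keeps it and cifs because it is whitelisted; dccp, sctp, rds and iwlwifi get install lines. On a real host the same flow would feed `find /lib/modules/$(uname -r) -name '*.ko*'` and `cut -d' ' -f1 /proc/modules` into the first two arguments.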

Troubleshooting

Blocked autoload attempts are logged to syslog with the tag modulejail, so you can see what tried to load:

sudo journalctl -t modulejail --since '1 hour ago'
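The log review described above as an added example, not part of ModuleJail: it tallies the "blocked: <module>" lines that the install-line logger emits and flags any blocked module that is already on the whitelist, which means the blacklist predates the whitelist change and should be regenerated. The journal lines and the whitelist below are constructed; on a live host the functions read `sudo journalctl -t modulejail --since '1 hour ago'` on stdin.

```sh
#!/bin/sh
# Added example, not part of ModuleJail: summarise blocked autoload attempts
# from journalctl -t modulejail output and spot a stale jail.

# Constructed journal lines in journalctl's default short format.
SAMPLE_LOG=$(cat <<'EOF'
Mar 03 10:12:01 web1 modulejail[2314]: blocked: dccp
Mar 03 10:12:01 web1 modulejail[2315]: blocked: dccp
Mar 03 10:40:17 web1 modulejail[2981]: blocked: sctp
Mar 03 11:02:44 web1 modulejail[3107]: blocked: cifs
Mar 03 11:02:44 web1 modulejail[3108]: blocked: dccp
EOF
)

# Constructed current whitelist: cifs was added after the jail was generated.
WHITELIST=$(printf 'cifs')

# Reads log lines on stdin; prints "count module", most frequent first.
# Only the module name after "blocked: " is used, so the timestamp, host and
# PID fields can vary freely.
tally_blocked() {
    sed -n 's/.*blocked: \([A-Za-z0-9_-]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# $1 = current whitelist (newline-separated); log lines on stdin.
# Prints one line per module that was blocked although it is whitelisted.
stale_blocks() {
    wl=$1
    tally_blocked | while read -r n m; do
        printf '%s\n' "$wl" | grep -qxF -- "$m" || continue
        printf '%s: blocked %s time(s) although whitelisted; rerun modulejail to regenerate the blacklist\n' "$m" "$n"
    done
}

# Demo on the constructed data. Live use:
#   sudo journalctl -t modulejail --since '1 hour ago' | tally_blocked
printf '%s\n' "$SAMPLE_LOG" | tally_blocked
printf '%s\n' "$SAMPLE_LOG" | stale_blocks "$WHITELIST"
```

A module that is blocked repeatedly but is not whitelisted is the case the page calls friction by design: decide whether the workload legitimately needs it, then either whitelist it and regenerate, or investigate what keeps requesting it.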

Need a blacklisted module back right now? Load it explicitly (no reboot):

sudo modprobe <module>

and re-apply the jail without blacklisting that module - it is loaded now, so ModuleJail keeps it:

sudo rm /etc/modprobe.d/modulejail-blacklist.conf
sudo modulejail

or remove the jail entirely:

sudo rm /etc/modprobe.d/modulejail-blacklist.conf

Source, manpage and full docs live in the tool repo on GitHub:

Full reference: man 8 modulejail.

Community

ModuleJail is an Open Source project. Sources, packages, and how to reach us:

Security reports can be encrypted: the maintainer's public keys are at github.com/jnuyens.gpg. After importing, confirm the signing-key fingerprint (gpg --fingerprint) matches:

095F 5C8B 39AF 010E 7B61 5CD4 487B C00D 69C2 A955

About the maintainer

ModuleJail is maintained by Jasper Nuyens, founder and CEO of Linux Belgium, a Belgian Linux consultancy and training company established in 2000.

Jasper is also co-founder of OpenSource Enterprise, an initiative focused on OpenSource infrastructure, virtualization and enterprise Linux solutions.

Outside of infrastructure and security work, Jasper is the creator of The Free Lantern, a Free Software music collective that releases openly licensed music and promotes OpenSource culture through music and art.

The tool was created to reduce Linux kernel attack surface on production systems and is released as GPL-3.0 Open Source software for the benefit of the wider Linux community.

For support, bug reports and contributions, please use the GitHub project pages.