whatisgithub

What is modulejail?

jnuyens/modulejail — explained in plain English

Analysis updated 2026-05-18

23ShellAudience · ops devopsComplexity · 3/5Setup · easy

In one sentence

A single shell script that shrinks a Linux server's kernel attack surface by blacklisting every kernel module that isn't currently in use.

Mindmap

mindmap
  root((ModuleJail))
    What it does
      Blacklists unused modules
      Shrinks attack surface
    Tech stack
      Shell script
      modprobe.d
    Use cases
      Harden server fleets
      Pre-audit hardening
      Reduce loaded modules
    Audience
      Sysadmins
      DevOps teams

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Harden a fleet of Linux servers against future kernel module vulnerabilities.

USE CASE 2

Shrink a single server's attack surface before a security audit.

USE CASE 3

Reduce the number of loaded kernel modules on a steady-state production host.

What is it built with?

ShellLinuxmodprobe

How does it compare?

jnuyens/modulejail5p00kyy/club-5060ticeliobjunior/clean-android-tv
Stars232323
LanguageShellShellShell
Setup difficultyeasyhardmoderate
Complexity3/53/52/5
Audienceops devopsdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Best run on a steady-state host with all normal services and drivers already loaded, to avoid blacklisting something needed.

So what is it?

ModuleJail is a single shell script that reduces a Linux server's exposure to kernel security bugs by blocking every kernel module the system is not actually using right now. A typical Linux machine ships with thousands of kernel modules but only loads a few hundred of them, and each unused module that stays enabled is still a potential entry point if a security flaw is later found in it. The tool's idea is simple: if a module is not loaded when the script runs, add it to a blacklist file so the system will refuse to load it going forward. The project exists because AI assisted security research is expected to uncover a wave of long hidden bugs in Linux kernel modules over the coming months, arriving faster than sysadmins can patch every affected server. ModuleJail cannot fix any of those bugs, but it can immediately shrink the number of modules that could be affected on a given machine, buying operators time to schedule real patches instead of reacting to emergencies. It works by checking which modules are currently loaded and comparing that list against every module available for the running kernel. Anything not currently loaded, aside from a small built in set of essential modules and any modules a system administrator explicitly allows, gets written into a configuration file that blocks it from loading. There is no daemon, no ongoing monitoring, and no artificial intelligence inside the tool itself: it runs once and produces one file. It can be installed by piping a script from the project's GitHub page into a shell with administrator rights, though the README recommends downloading and reading the script first rather than running it blindly. Prebuilt packages are also available for Debian, Ubuntu, RHEL, Fedora, and Rocky Linux. Three built in profiles, minimal, conservative, and desktop, control how cautious the blacklist is, with desktop preserving modules for WiFi, Bluetooth, audio, and video hardware. This tool is meant for people who manage Linux servers and want a fast, low effort way to reduce their exposure to future kernel vulnerabilities without adding complex monitoring software.

Copy-paste prompts

Prompt 1
Walk me through running ModuleJail safely by inspecting the script before executing it.
Prompt 2
Explain the difference between the minimal, conservative, and desktop profiles.
Prompt 3
Help me set up a sysadmin whitelist so ModuleJail doesn't blacklist a module I need.
Prompt 4
Show me how to revert ModuleJail's changes if a needed module gets blocked.

Frequently asked questions

What is modulejail?

A single shell script that shrinks a Linux server's kernel attack surface by blacklisting every kernel module that isn't currently in use.

What language is modulejail written in?

Mainly Shell. The stack also includes Shell, Linux, modprobe.

How hard is modulejail to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is modulejail for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.