Modulejail: Shrink a Linux kernel-module attack surface by blacklisting modules

2026-05-18

Link: https://github.com/jnuyens/modulejail/

HN Discussion: 1 point, 0 comments

The Linux kernel ships with hundreds of loadable modules covering ancient filesystems, exotic network protocols, obscure hardware drivers, and decades of accumulated functionality. Most production servers will never touch 95% of them — but every one of those modules is a potential attack surface. A vulnerability in an obscure filesystem driver that gets auto-loaded when a crafted USB stick is inserted, or a flaw in a rarely-used network protocol module that gets pulled in by a malicious packet, can hand an attacker kernel-level access.

Modulejail tackles this systematically. Rather than trying to enumerate which modules to allow (a maintenance nightmare on real systems), it apparently focuses on aggressive blacklisting of modules that have no business being loaded on a typical production host. Think:

This isn't a novel idea — the CIS benchmarks have recommended blacklisting some of these for years, and grsecurity has long advocated module restriction. What makes a curated tool valuable is that doing this correctly is tedious. You need to know which modules are auto-loadable via crafted input, which are pulled in by udev, which are still actually used by modern systemd or container runtimes, and how to install blacklist entries that modprobe will actually honor (the difference between blacklist and install ... /bin/true matters).
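To make the blacklist-versus-install distinction concrete, here is an added example (not Modulejail's own code) that generates a modprobe.d drop-in carrying both kinds of entry and then reports whether a module is hard-disabled, merely soft-blacklisted, or untouched. The module names, the temporary output directory and the file name modulejail-example.conf are all constructed for this illustration.

```sh
#!/bin/sh
# Added example, not part of Modulejail. Writes a modprobe.d drop-in that both
# soft-blacklists and hard-disables each module, then audits a config directory.
set -eu

# Emit one drop-in for the given modules into the directory in $1.
# "blacklist foo" only stops alias-based autoloading (udev, hardware probing);
# an explicit "modprobe foo" or a dependency pull-in still loads the module.
# "install foo /bin/true" replaces the load command itself, so modprobe runs
# /bin/true instead of inserting the module; this is the line that actually
# keeps a crafted filesystem image or packet from triggering a load.
write_dropin() {
  dir=$1; shift
  out="$dir/modulejail-example.conf"
  : > "$out"
  for mod in "$@"; do
    printf 'blacklist %s\n' "$mod" >> "$out"
    printf 'install %s /bin/true\n' "$mod" >> "$out"
  done
  printf '%s\n' "$out"
}

# Report how the drop-ins in $1 treat module $2:
#   hard - an install override exists, so any load attempt becomes a no-op
#   soft - only "blacklist", so explicit or dependency loads still succeed
#   none - nothing disables it
# modprobe treats '-' and '_' in module names as equivalent, so match both.
module_status() {
  dir=$1
  pat=$(printf '%s' "$2" | sed 's/[-_]/[-_]/g')
  if grep -qsE "^[[:space:]]*install[[:space:]]+${pat}[[:space:]]+/bin/(true|false)([[:space:]]|$)" "$dir"/*.conf; then
    echo hard
  elif grep -qsE "^[[:space:]]*blacklist[[:space:]]+${pat}([[:space:]]|$)" "$dir"/*.conf; then
    echo soft
  else
    echo none
  fi
}

# Demo with a constructed module list: the generated drop-in beside a
# CIS-style soft-only entry, checked without touching /etc/modprobe.d.
demo() {
  tmp=$(mktemp -d)
  write_dropin "$tmp" cramfs freevxfs jffs2 hfs hfsplus udf n_gsm >/dev/null
  printf 'blacklist dccp\n' > "$tmp/soft-only.conf"
  for m in cramfs n-gsm dccp sctp; do
    printf '%-8s %s\n' "$m" "$(module_status "$tmp" "$m")"
  done
  rm -rf "$tmp"
}
demo
```

Run as a regular user; the demo only writes under mktemp, so point write_dropin at /etc/modprobe.d yourself once the list is reviewed.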

For anyone hardening servers, container hosts, or even desktops in a hostile environment, this is exactly the kind of unglamorous defensive tooling that pays off when the next ksmbd or n_gsm CVE drops. The project is small enough to audit in an afternoon, which is itself a virtue in security tooling.

Worth comparing against kernel-hardening-checker, Lockdown LSM, and the kconfig hardening profiles from KSPP — they overlap but aren't substitutes.

Why it deserves more upvotes: Practical, auditable defensive security tooling that addresses a real and underappreciated attack surface most sysadmins forget exists.
