Analysis updated 2026-05-18
Harden a fleet of Linux servers against future kernel module vulnerabilities.
Shrink a single server's attack surface before a security audit.
Reduce the number of loaded kernel modules on a steady-state production host.
| jnuyens/modulejail | 5p00kyy/club-5060ti | celiobjunior/clean-android-tv | |
|---|---|---|---|
| Stars | 23 | 23 | 23 |
| Language | Shell | Shell | Shell |
| Setup difficulty | easy | hard | moderate |
| Complexity | 3/5 | 3/5 | 2/5 |
| Audience | ops devops | developer | general |
Figures from each repo's GitHub metadata at analysis time.
Best run on a steady-state host with all normal services and drivers already loaded, to avoid blacklisting something needed.
ModuleJail is a single shell script that reduces a Linux server's exposure to kernel security bugs by blocking every kernel module the system is not actually using right now. A typical Linux machine ships with thousands of kernel modules but only loads a few hundred of them, and each unused module that stays enabled is still a potential entry point if a security flaw is later found in it. The tool's idea is simple: if a module is not loaded when the script runs, add it to a blacklist file so the system will refuse to load it going forward. The project exists because AI assisted security research is expected to uncover a wave of long hidden bugs in Linux kernel modules over the coming months, arriving faster than sysadmins can patch every affected server. ModuleJail cannot fix any of those bugs, but it can immediately shrink the number of modules that could be affected on a given machine, buying operators time to schedule real patches instead of reacting to emergencies. It works by checking which modules are currently loaded and comparing that list against every module available for the running kernel. Anything not currently loaded, aside from a small built in set of essential modules and any modules a system administrator explicitly allows, gets written into a configuration file that blocks it from loading. There is no daemon, no ongoing monitoring, and no artificial intelligence inside the tool itself: it runs once and produces one file. It can be installed by piping a script from the project's GitHub page into a shell with administrator rights, though the README recommends downloading and reading the script first rather than running it blindly. Prebuilt packages are also available for Debian, Ubuntu, RHEL, Fedora, and Rocky Linux. Three built in profiles, minimal, conservative, and desktop, control how cautious the blacklist is, with desktop preserving modules for WiFi, Bluetooth, audio, and video hardware. This tool is meant for people who manage Linux servers and want a fast, low effort way to reduce their exposure to future kernel vulnerabilities without adding complex monitoring software.
A single shell script that shrinks a Linux server's kernel attack surface by blacklisting every kernel module that isn't currently in use.
Mainly Shell. The stack also includes Shell, Linux, modprobe.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.