modulejail
This is a Wiki-Post !
- Please do edit this post instead of suggesting changes !
- If you need support, please create your own thread, and link to this thread.
Modulejail is a script that writes a modprobe blocklist, preventing kernel modules you do not use from being loaded automatically. Many modules are auto-loaded on demand by unprivileged actions (for example, opening a socket of an unusual protocol family or plugging in a device), so a local attacker or malicious app can pull a rarely used, rarely audited module into the kernel and then exploit a bug in it. Blocking modules that never appear in your normal workload removes those code paths and significantly reduces the kernel attack surface.
Installing modulejail:
You can install it from the AUR - AUR (en) - modulejail . Note that there is also an unofficial AUR package whose name ends in -git.
pamac build modulejail
Please follow the links for more information about modulejail
- Official github of the project
- More vulnerabilities [PinTheft] [DirtyDecrypt]
- Belgian sysadmin creates ModuleJail for automatically blacklisting unused modules
- Modulejail and VPN
- Questions about the notifications
Usage (as of v1.3.0)
sudo modulejail -p {none|minimal|conservative|desktop}
The profile you choose is important:
| Profile | Modules kept available |
|---|---|
| none | Only modules currently listed by lsmod + --whitelist-file entries |
| minimal | Core filesystems + essential kernel modules only |
| conservative | Minimal + common server/VM drivers (default) |
| desktop | Conservative + WiFi, Bluetooth, audio, video drivers |
For desktop users, sudo modulejail -p desktop is recommended.
Adding --dry-run to the command simulates the full pipeline but writes nothing under /etc/modprobe.d/. For example:
sudo modulejail -p desktop --dry-run
All modulejail options can be viewed by running the following command:
modulejail --help
Find out which modules are on the blacklist but are actually required
Modulejail may block some modules that you need. You can see which modules attempted to load but were blocked by searching the journal:
journalctl --system --since=today | grep 'modulejail'
How do I get these modules off the blacklist?
You can edit the blacklist /etc/modprobe.d/modulejail-blacklist.conf and comment out the lines corresponding to the modules you no longer wish to blacklist by placing a "# " at the beginning of the line. However, this change only persists until you have modulejail generate a new blacklist, which overwrites the file.
Alternatively, you can add specific modules to /etc/modulejail/whitelist.conf and then run modulejail again. This is the permanent solution, because the whitelist is read every time the blacklist is regenerated.
sudo mkdir -p /etc/modulejail
sudo touch /etc/modulejail/whitelist.conf
Append everything blocked today to the whitelist
journalctl --system --since=today | grep 'modulejail.*blocked.*' |grep -Eo '[^: ]{2,}$' | sort | uniq | sudo tee -a /etc/modulejail/whitelist.conf
Note that the above one-liner is "quick and dirty" and only given as an example. Running it several times a day will create duplicate entries, and, more importantly, whitelisting everything that was ever blocked defeats the purpose of the tool. It is recommended to edit the whitelist manually (for example with sudo nano or sudo micro /etc/modulejail/whitelist.conf) and only add what you actually need, for example when a program you rely on does not start. In that case please leave feedback for our database (see below).
Example whitelist.conf:
```
#
# whitelist of modules for modulejail
#
# one module per line
# comments starting with #
#
exfat
acpi_cpufreq
fjes
fmpm
kheaders
kvm_amd
intel_pmc_core_pltdrv
```
Then run modulejail again to regenerate the blacklist. A restart is not needed: modprobe reads /etc/modprobe.d/ on every module load. To confirm that a whitelisted module is really no longer blocked, check that it has disappeared from /etc/modprobe.d/modulejail-blacklist.conf, or run modprobe --showconfig | grep -w <module>, which prints every blacklist or install line that still applies to it.
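The following helper script is an added example and is not part of modulejail. It does what the one-liner above does, but safely: it lists the blocked modules that are not already whitelisted so you can inspect them one by one, appends only new entries (no duplicates on repeated runs), and checks whether a module is still present in the regenerated blacklist. It assumes two things that the original page implies but does not spell out: that a journal message ends with the module name after ": " (this is exactly what the grep in the one-liner relies on), and that the generated blacklist uses standard modprobe.d "blacklist <module>" lines. The journal lines and file contents below are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example, not part of modulejail. Reconciles modulejail "blocked" journal
# messages with /etc/modulejail/whitelist.conf and checks the generated blacklist.
# ASSUMPTION: a blocked-module message ends in ": <module>" and the blacklist file
# uses "blacklist <module>" lines (standard modprobe.d syntax).
set -u

# Constructed sample journal output (format is an assumption, see above).
SAMPLE_JOURNAL='Jan 01 10:00:01 host modulejail[812]: blocked autoload of module: exfat
Jan 01 10:00:02 host modulejail[812]: blocked autoload of module: ntfs3
Jan 01 10:00:02 host modulejail[812]: blocked autoload of module: ntfs3
Jan 01 10:00:03 host modulejail[812]: blocked autoload of module: tun
Jan 01 10:00:04 host kernel: unrelated line that must be ignored'

# Module names modulejail reported as blocked, one per line, deduplicated.
# Input: journal lines on stdin (e.g. journalctl --system --since=today -t modulejail).
extract_blocked_modules() {
  grep 'modulejail.*blocked' | grep -Eo '[^: ]{2,}$' | LC_ALL=C sort -u
}

# Whitelist entries, ignoring comments and blank lines. A missing file is an empty list.
whitelist_entries() {
  local whitelist="$1"
  [ -r "$whitelist" ] || return 0
  grep -Ev '^[[:space:]]*(#|$)' "$whitelist" | LC_ALL=C sort -u
}

# Blocked modules (stdin) that are NOT yet whitelisted: the candidates to review by hand.
pending_modules() {
  local whitelist="$1" known
  known=$(mktemp)
  whitelist_entries "$whitelist" > "$known"
  extract_blocked_modules | LC_ALL=C comm -23 - "$known"
  rm -f "$known"
}

# Append module names from stdin to the whitelist, skipping ones already present,
# so repeated runs never create duplicates. Run under sudo for the real whitelist.
append_to_whitelist() {
  local whitelist="$1" mod
  while IFS= read -r mod; do
    [ -n "$mod" ] || continue
    grep -qxF -- "$mod" "$whitelist" 2>/dev/null || printf '%s\n' "$mod" >> "$whitelist"
  done
}

# After rerunning modulejail: is this module still blacklisted?
# Exit 0 if an uncommented "blacklist <module>" line exists, 1 otherwise.
is_blacklisted() {
  local mod="$1" blacklist="${2:-/etc/modprobe.d/modulejail-blacklist.conf}"
  grep -Eq "^[[:space:]]*blacklist[[:space:]]+${mod}[[:space:]]*$" "$blacklist" 2>/dev/null
}

# Demo on the constructed data, using throwaway files instead of /etc.
demo() {
  local wl
  wl=$(mktemp)
  printf 'exfat\n# already reviewed\n' > "$wl"
  echo "Blocked today but not yet whitelisted:"
  printf '%s\n' "$SAMPLE_JOURNAL" | pending_modules "$wl"
  rm -f "$wl"
}
demo
```

On a real system you would replace the constructed journal text with `journalctl --system --since=today -t modulejail | pending_modules /etc/modulejail/whitelist.conf`, decide per module, and feed only the ones you need into `sudo bash -c 'append_to_whitelist /etc/modulejail/whitelist.conf'` before rerunning modulejail.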
Realtime notification with popup when a module gets blocked
If you start a program and something does not work, and at the same time you see a notification that a module was blocked, you know that the program needs that module and it has to be whitelisted.
You can add the following script to your startup scripts (do not forget to make it executable):
```bash
#!/usr/bin/env bash
# Monitor the journal for modules blocked by modulejail and show a desktop popup for each.
# Optional: initial sleep so that the burst of blocked modules at boot is not shown.
sleep 37
# -t modulejail: only messages with that syslog identifier; -o cat: the message text only.
journalctl -f -t modulejail --since "1 sec ago" -o cat | while IFS= read -r LINE; do
    notify-send "Modulejail" "$LINE" --icon=dialog-warning
done
```
To run at startup, you can create a systemd service for example.
Here is a sample systemd user service:
Create the service as ~/.local/share/systemd/user/modulejailpopup.service (~/.config/systemd/user/ works as well):
```ini
[Unit]
Description=modulejailpopup
After=graphical-session.target

[Service]
Type=simple
ExecStart=%h/.local/bin/modulejailpopup.sh
Restart=on-failure

[Install]
WantedBy=default.target
```
modulejailpopup.sh is where you saved the notification script and made it executable. Two details matter here: systemd does not expand $USER in a unit file, so the home directory is written with the %h specifier, and the [Install] section is required, otherwise systemctl --user enable fails with "The unit files have no installation config". The script does not need the network, so there is no need to wait for network-online.target.
After that:
systemctl --user start modulejailpopup.service
systemctl --user enable modulejailpopup.service
What are the following modules needed for? [1]
acpi_cpufreq
ACPI-based CPU frequency governor/driver (manages CPU clocks via ACPI P-states for power management).
Note: acpi_cpufreq has been added to the conservative and desktop profiles from v1.3.2 of modulejail. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.2
cdrom
ISO 9660 and optical-media support (also see isofs)
Note: cdrom & isofs have been included in the desktop profile of modulejail since v1.3.2. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.2
dummy
Network dummy driver: creates virtual, non-physical network interfaces (useful for testing or bridge setups).
exfat
Driver for the exFAT filesystem (read/write support for exFAT-formatted media like SD cards/USB sticks).
Note: exfat (Windows-formatted flash drives) is included in the desktop profile from v1.3.1 of modulejail. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.1
f2fs
Modern flash-friendly filesystem (partition tools, external drives)
Note: f2fs has been included in the desktop profile of modulejail since v1.3.2. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.2
fmpm
AMD FMPM (FRU Memory Poison Manager): part of the AMD RAS telemetry and fault-management stack that records memory-poison events per FRU (field replaceable unit) on supported AMD platforms (server-grade CPUs with the address translation library); safe to ignore on unsupported/mobile CPUs.
hv_sock
Hyper-V socket transport: the Hyper-V backend for AF_VSOCK sockets, providing bidirectional communication between host and guests.
hv_vmbus
Hyper-V VMBus core driver: provides the communication channel between Hyper-V host and Linux guest (transport for Hyper-V synthetic devices).
inet_diag
Netlink module for monitoring INET transport protocols sockets. Netlink is used to transfer information between kernel and user-space processes. It consists of a standard sockets-based interface for user space processes and an internal kernel API for kernel modules.
More information: netlink(7), Arch manual pages
Note: inet_diag, tcp_diag & udp_diag (inet socket diagnostics, auto-loaded by ss and most system-monitor tools such as KDE, GNOME, btop and glances) have been added to the conservative and desktop profiles from v1.3.2 of modulejail. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.2
isofs
ISO 9660 and optical-media support (also see cdrom)
Note: cdrom & isofs have been included in the desktop profile of modulejail since v1.3.2. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.2
it87
This driver implements support for the IT8603E, IT8620E, IT8623E, IT8628E, IT8689E, IT8705F, IT8712F, IT8716F, IT8718F, IT8720F, IT8721F, IT8726F, IT8728F, IT8732F, IT8758E, IT8771E, IT8772E, IT8781F, IT8782F, IT8783E/F, IT8786E, IT8790E, IT8792E/IT8795E, IT87952E and SiS950 chips.
These chips are "Super I/O chips", supporting floppy disks, infrared ports, joysticks and other miscellaneous stuff. For hardware monitoring, they include an "environment controller" with 3 temperature sensors, 3 fan rotation speed sensors, 8 voltage sensors, associated alarms, and chassis intrusion detection.
More information: Kernel driver it87, The Linux Kernel documentation
kheaders
Provides runtime kernel header/signature information needed by out-of-tree builds, BPF, or debugging tools (exposes kernel header data from the running kernel).
kvm_amd
KVM hypervisor support for AMD CPUs (AMD SVM virtualization support for guest VMs).
nbd
network block device, used in virtualization context (needed for mounting .qcow2 images for example)
nft_fib_ipv6
nftables expression/module for FIB (Forwarding Information Base) lookups for IPv6 (allows routing/next-hop decisions inside nftables rules).
ntfs3
Read/write NTFS driver (in-tree since Linux 5.15)
Note: ntfs3 has been included in the desktop profile of modulejail since v1.3.2. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.2
rfcomm
Bluetooth RFCOMM protocol driver (serial-port emulation over Bluetooth for serial communication).
snd_seq_device
ALSA sequencer device helper: registers/handles sequencer clients for MIDI/event routing between user-space and kernel sequencer drivers
tap
Character-device backend shared by macvtap and ipvtap (used by QEMU/libvirt macvtap networking and VirtualBox/VMware bridging setups); distinct from the tun module, which creates classic tun/tap interfaces
Note: tap was added to the desktop profile of modulejail in v1.3.4. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.4
tcp_diag
Please refer to the entry for inet_diag
tls
Kernel TLS (kTLS): loaded on demand when a program enables it with setsockopt(SOL_TCP, TCP_ULP, "tls"), i.e. HTTPS-heavy daemons and TLS libraries built with kTLS support
Note: tls has been added to the conservative and desktop profiles from v1.3.2 of modulejail. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.2
tun
VPN clients (WireGuard, OpenVPN), VirtualBox / VMware, qemu / KVM bridge
Note: tun was added to the desktop profile of modulejail in v1.3.4. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.4
udp_diag
Please refer to the entry for inet_diag
AMD
amd64_edac
AMD EDAC Linux driver for Error Detection And Correction of AMD x86_64 CPU/memory errors.
Note: amd64_edac has been included in the desktop profile of modulejail since v1.3.2. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.2
amd_pstate
CPU Performance Scaling Driver for AMD processors.
Note: amd_pstate was added to the desktop profile of modulejail in v1.3.4. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.4
Intel
i7core_edac
Intel EDAC Linux driver for Error Detection And Correction of CPU/memory errors
Note: i7core_edac has been included in the desktop profile of modulejail since v1.3.2. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.2
ie31200_edac
Intel EDAC Linux driver for Error Detection And Correction of CPU/memory errors
Note: ie31200_edac has been included in the desktop profile of modulejail since v1.3.2. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.2
intel_cstate
Intel C-state perf driver: exposes C-state residency counters (cstate_core / cstate_pkg) as perf events for monitoring CPU idle states on Intel processors. It is not the idle driver itself (that is intel_idle).
Note: intel_cstate was added to the desktop profile of modulejail in v1.3.4. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.4
intel_pstate
Intel P-state driver: CPU performance scaling driver for Intel processors.
Note: intel_pstate was added to the desktop profile of modulejail in v1.3.4. Ref: https://github.com/jnuyens/modulejail/releases/tag/v1.3.4
intel_telemetry_debugfs
Exposes Intel telemetry/debug data via debugfs for diagnostic/telemetry consumers (used for collecting hardware/system telemetry).
intel_pmc_core_pltdrv
Intel Power Management Controller (PMC) core platform driver: handles power-management controller core functions and platform-specific power features on Intel systems.
intel_tcc_cooling
Intel TCC (Thermal Control Circuit) cooling driver: exposes thermal/cooling controls tied to Intel TCC for thermal throttling/cooling integration.
intel_uncore
Intel uncore monitoring/support: handles non-core CPU subsystems (uncore) like memory controllers, ring interconnects, and provides performance/event monitoring interfaces.
Vendor-specific:
Fujitsu
fjes
FUJITSU Extended Socket (FJES) network device driver: supports Fujitsu Primequest/enterprise platform-specific extended-socket network devices;
occasionally auto-loads on non-Fujitsu hardware due to generic modalias matches
Toshiba
toshiba_wmi
Toshiba WMI hotkeys driver: handles WMI-based hotkey events and exposes input/ACPI interfaces for some Toshiba laptop functions (brightness/hotkeys); experimental and model-specific.
Known programs, requiring specific modules
Please add alphabetically. Users below TL3 that cannot edit the wiki, write a post with your experience and explanation in this open to all topic and some TL3+ will summarize and add it here.
CD/DVD mounting
isofs
cdrom
Filesystem detection and mounting / OS-Prober in update-grub
exfat
jfs
msdos
ntfs3
minix
hfs
hfsplus
ufs
Note that on UEFI systems booting in pure EFI mode, OS-Prober does not need to access anything other than the FAT/vfat formatted ESP partition, so you do not need to allow any of those modules for this purpose; neither your update nor the detection of other operating systems will be blocked in that case.
For filesystem mounting:
You can probably skip whitelisting hfs and hfsplus unless you are dual-booting an Apple computer; those are Apple filesystems. And minix is a very, very old filesystem that you will not have unless you operate a computer with a hard drive bought about 40 years ago.
NordVPN (wireguard)
tun
wireguard
udp_tunnel
libcurve25519
ip6_udp_tunnel
Ventoy (or other large USB sticks)
exfat
Virtual machines (QEMU etc.)
tun
tap
vhost_iotlb
vhost
vhost_net
Footnotes
1: An AI assisted in gathering some of the descriptions for kernel modules.