[HowTo] Whitelist blocked modules for modulejail

This thread belongs to [HowTo] modulejail

I wrote a small script that adds the desired modules to the modulejail whitelist. It only adds the modules mentioned in the provided journal excerpt.
It avoids duplicate entries and modifies the existing whitelist only by appending the new lines.

Since Java is the only language I know well enough, it is a Java program. However, it can be easily executed (provided Java 25 is installed).

The following text should be saved as “whitelist.java”. Last updated 2026-06-11.

/// @author andreas kielkopf
/// @throws IOException
/// @date 2026-06-11
/// @license GPL V3
static void main(String[] args_) throws IOException {
   System.err.println();
   final var whiteListedModules=new ArrayList<String>();
   final var whitelistPath=Path.of("/etc/modulejail/whitelist.conf");
   if (whitelistPath.toFile().isFile())
      for (final String s:Files.readAllLines(whitelistPath, StandardCharsets.UTF_8)) {
         System.err.println(s);
         if (s.startsWith("#") || s.isBlank())
            whiteListedModules.add(s); // Retain comments and blank lines, even if they are duplicates
         else if (!whiteListedModules.contains(s))
            whiteListedModules.add(s); // Retain existing modules, but filter out duplicates
      }
   else
      System.err.println(whitelistPath + " was not found");
   final var additionalModules=new ArrayList<String>();
   additionalModules.add("");
   var pattern=Pattern.compile("blocked: (\\w+)");
   long timeout=System.currentTimeMillis() + 5000;
   while (System.currentTimeMillis() < timeout)
      if (System.in.available() > 0 && IO.readln() instanceof final String sl) {
         timeout=System.currentTimeMillis() + 1000;
         if (sl.contains("modulejail")// modulejail only
                  && pattern.matcher(sl) instanceof Matcher m && m.find() // find
                  && m.group(1) instanceof String moduleName // extract
                  && !additionalModules.contains(moduleName) // Already added
                  && !whiteListedModules.contains(moduleName)// Already in the whitelist
                  && !whiteListedModules.contains("# " + moduleName) // blacklisted ;-)
         ) {
            additionalModules.add(moduleName);
            System.err.println(sl);
         }
      } else
         Thread.onSpinWait();
   for (final String string:additionalModules)
      IO.println(string); // Output newly found modules
}

It can then be executed as follows:

Usage:

List the existing whitelist for modulejail

java whitelist.java

Check which additional modules should be added to the whitelist
last updated 2026-06-12

journalctl -r -t modulejail | java whitelist.java

Append the identified modules to the end of the whitelist (this needs sudo)

journalctl -r -t modulejail | java whitelist.java | sudo tee -a /etc/modulejail/whitelist.conf

After you have updated the whitelist, you can edit it and comment out — using "# " in front of the line — any modules you definitely do not want included; such modules will not be suggested for the whitelist in the future.

After modifying the whitelist, you naturally need to run modulejail again.

sudo modulejail

If there are dependencies between modules, the easiest approach is to repeat the sequence — whitelist, modulejail, reboot — until no further modules are suggested.

A small footnote from me about the last lines: I strongly recommend inspecting the list manually and considering whether you really need something before merging, instead of merging automatically.

Just merging everything that gets blocked into the whitelist completely defeats the purpose of modulejail. Imagine you have malware and modulejail actually protected you by blocking the pwned module. And then you add it to the whitelist…

As usual, common sense is the best security practice.

Alternative one-liners doing this sorting and filtering without Java:

Listing blocked modules from current boot:

journalctl -b -t modulejail --no-pager | awk -F'blocked: ' '/blocked: / {print $2}' | awk '{print $1}'

Listing blocked modules from previous boot:

journalctl -b -1 -t modulejail --no-pager | awk -F'blocked: ' '/blocked: / {print $2}' | awk '{print $1}'

Listing blocked modules from last 24 hours (useful after reboot after a system update):

journalctl --since yesterday -t modulejail --no-pager | awk -F'blocked: ' '/blocked: / {print $2}' | awk '{print $1}'

The same, with duplicates removed (ready to copy and paste into the whitelist):

journalctl --since yesterday -t modulejail --no-pager | awk -F'blocked: ' '/blocked: / {split($2, a, " "); if (!seen[a[1]]++) print a[1]}'

All the listing and filtering is best used in combination with the notifier from the Tutorial topic.
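As an added example (not code from this thread, from the Java script above, or from modulejail itself), here is a POSIX sh function around awk that applies the same filtering the Java script does but which the one-liners above skip: only modulejail lines, only the name after "blocked: ", nothing already present in the whitelist, nothing deliberately opted out as "# name", and no duplicates. The function name `candidates`, the whitelist-path argument and the journal lines inside `demo` are constructed for this illustration; the whitelist path `/etc/modulejail/whitelist.conf` is the one the thread uses.

```shell
#!/bin/sh
# candidates WHITELIST_FILE   (journal lines on stdin)
#   - keeps only lines that mention modulejail and contain "blocked: <name>"
#   - drops names already listed in WHITELIST_FILE
#   - drops names that were opted out as "# <name>" in WHITELIST_FILE
#   - prints each remaining name once, in first-seen order
candidates() {
    wl="$1"
    # A missing whitelist behaves like an empty one (matches the Java script)
    [ -f "$wl" ] || wl=/dev/null
    awk -v wl="$wl" '
        BEGIN {
            # Load the whitelist once: plain module names and "# name" opt-outs
            while ((getline line < wl) > 0) {
                sub(/\r$/, "", line)
                if (line ~ /^# /)      { sub(/^# /, "", line); denied[line] = 1 }
                else if (line !~ /^#/ && line != "") { listed[line] = 1 }
            }
            close(wl)
        }
        # "blocked: " is 9 characters; the name is what follows it ([A-Za-z0-9_]+ == \w+)
        /modulejail/ && match($0, /blocked: [A-Za-z0-9_]+/) {
            name = substr($0, RSTART + 9, RLENGTH - 9)
            if (!(name in listed) && !(name in denied) && !seen[name]++) print name
        }'
}

# Stand-alone run on constructed data (not real journal output):
# whitelist already has ext4 and opts out floppy, so only uvcvideo and
# snd_hda_intel are printed, each once; the non-modulejail line is ignored.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# modulejail whitelist' 'ext4' '# floppy' > "$tmp"
    printf '%s\n' \
        'Jun 11 10:00:01 host modulejail[412]: blocked: floppy' \
        'Jun 11 10:00:02 host modulejail[412]: blocked: ext4' \
        'Jun 11 10:00:03 host modulejail[412]: blocked: uvcvideo' \
        'Jun 11 10:00:04 host modulejail[412]: blocked: uvcvideo' \
        'Jun 11 10:00:05 host kernel: something else blocked: bogus' \
        'Jun 11 10:00:06 host modulejail[412]: blocked: snd_hda_intel' \
        | candidates "$tmp"
    rm -f "$tmp"
}

demo
```

On a real system pipe `journalctl -t modulejail --no-pager` into `candidates /etc/modulejail/whitelist.conf`, read the printed names and decide per module whether it belongs on the whitelist (the previous reply's point), and only then append the accepted ones with `sudo tee -a`; commenting a name out as "# name" keeps it from being suggested again, exactly as with the Java script.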