Jasper Nuyens, founder of the organization Linux Belgium, who created an add-on for running Linux on the Tesla in-car information system, has proposed a simple way to reduce the attack surface of the Linux kernel. To lower the likelihood of compromise amid the surge in AI-powered discovery of dangerous vulnerabilities, Jasper proposes blocking by default the modules that most users never or rarely use, since many vulnerabilities are found in specific kernel modules that are available for autoloading but not actually used on most systems.
The kernel contains several thousand modules, but most systems use only a few hundred, leaving the rest available for loading and potentially vulnerable. The idea is implemented in the ModuleJail script, which determines which modules the system currently uses (via /proc/modules) and automatically blacklists the unused ones. The script is written in shell, relies only on common system utilities (busybox is sufficient), and is distributed under the GPLv3 license.
The script supports Debian, Ubuntu, RHEL, Fedora, SUSE, AlmaLinux, Rocky Linux, Alpine and Arch Linux. When run, it generates the file /etc/modprobe.d/modulejail-blacklist.conf, which the system uses to disable automatic loading of the listed kernel modules. This approach protects the system proactively, without loading specialised kernel modules or running additional background processes to monitor the system.
If necessary, the user can whitelist modules that are not currently loaded but could be needed later. Profiles are also available that keep the most essential modules for typical system uses loadable: "minimal" (only the most important modules and core file systems), "conservative" (plus standard drivers for servers and virtual machines), and "desktop" (plus drivers for WiFi, Bluetooth, audio, and video).
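The following is an added shell illustration of the approach described above, written for this article and not the ModuleJail script itself: it reads the loaded-module names from a /proc/modules-style file, derives the set of loadable modules from a modules.dep-style file, honours a whitelist, and emits modprobe.d `blacklist` lines for everything else. File paths are parameters so it can run offline against constructed sample data; the sample /proc/modules and modules.dep contents, the `usb-storage` whitelist entry and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added illustration of the ModuleJail approach, not the project's own code:
# blacklist every module the kernel could load that is neither currently
# loaded nor whitelisted. File paths are parameters so the logic runs offline
# against constructed sample data; on a live system they would be
# /proc/modules and /lib/modules/$(uname -r)/modules.dep.

# Names of currently loaded modules: the first field of each /proc/modules line.
loaded_modules() {
    awk '{ print $1 }' "$1" | sort -u
}

# Names of every module available to the kernel, taken from the keys of
# modules.dep (paths like kernel/fs/xfs/xfs.ko, possibly .ko.xz or .ko.zst).
# Dashes and underscores are interchangeable in module names, so they are
# normalised to underscores, matching the form used in /proc/modules.
available_modules() {
    sed 's/:.*//; s#.*/##; s/\.ko.*$//; s/-/_/g' "$1" | sort -u
}

# Print a modprobe.d blacklist to stdout.
#   $1: /proc/modules-style file   $2: modules.dep-style file
#   $3: whitespace-separated whitelist of modules to keep loadable (may be empty)
generate_blacklist() {
    keep=" $( { loaded_modules "$1"; printf '%s\n' $3; } | sed 's/-/_/g' | sort -u | tr '\n' ' ') "
    printf '# generated: modules available on this system but not in use\n'
    available_modules "$2" | while read -r mod; do
        case "$keep" in
            *" $mod "*) ;;                        # loaded or whitelisted: stays loadable
            *) printf 'blacklist %s\n' "$mod" ;;
        esac
    done
}

# Constructed sample inputs (not captured from a real machine); prints the directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/modules" <<'EOF'
xfs 1843200 1 - Live 0x0000000000000000
libcrc32c 16384 1 xfs, Live 0x0000000000000000
e1000e 327680 0 - Live 0x0000000000000000
EOF
    cat > "$dir/modules.dep" <<'EOF'
kernel/fs/xfs/xfs.ko: kernel/lib/libcrc32c.ko
kernel/lib/libcrc32c.ko:
kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko:
kernel/net/bluetooth/bluetooth.ko.xz: kernel/crypto/ecdh_generic.ko.xz
kernel/crypto/ecdh_generic.ko.xz:
kernel/drivers/usb/storage/usb-storage.ko:
kernel/fs/nfs/nfs.ko:
EOF
    printf '%s\n' "$dir"
}

# Demo: usb-storage is not loaded but is whitelisted, so it stays loadable;
# bluetooth, ecdh_generic and nfs end up blacklisted.
# Live use would be:
#   generate_blacklist /proc/modules /lib/modules/$(uname -r)/modules.dep "$WHITELIST" \
#       > /etc/modprobe.d/modulejail-blacklist.conf
sample_dir=$(make_samples)
generate_blacklist "$sample_dir/modules" "$sample_dir/modules.dep" "usb-storage"
rm -rf "$sample_dir"
```

Two points worth checking before deploying output like this: a modprobe.d `blacklist` entry only stops alias-driven autoloading (the hardware or subsystem hotplug path), so a module can still be loaded by an explicit `modprobe` or pulled in as a dependency of a permitted module; `install <name> /bin/false` is the stricter form if that matters. And because the snapshot reflects only what was loaded at generation time, devices that are plugged in later (USB storage, a second network adapter) need their drivers in the whitelist, which is exactly why the profiles described above exist.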
Source: opennet.ru
