Linux Kernel Module

Updated: 2020-12-29

Kernel Modules

A Linux kernel module is a piece of compiled binary code that is inserted directly into the Linux kernel, running at ring 0, the lowest and least protected ring of execution in the x86–64 processor.

  • can load/unload on the fly useing modprobe; often used for devices, file systems, system calls, etc.
  • kernel module suffix: .ko (Kernel Object).
  • location: /lib/modules
  • use lsmod to list installed modules, or check /proc/modules;

Linux differ from macOS and Windows: it includes drivers at the kernel level.


  • Install: $ insmod <module> (does not resolve dependencies) or $ modprobe <module> (more powerful than insmod)
  • Remove: $ rmmod <module>
  • List: $ lsmod
  • Rebuild module dependancy database using /lib/modules/$(uname -r)/modules.dep: $ depmod -a
  • Info: $ modinfo /path/to/module.ko
  • List all available modules: ls -R /lib/modules/$(uname -r)

Security Modules

Linux PAM

pam - Pluggable Authentication Modules for Linux


SELinux: an implementation of Mandatory Access Control (MAC)

As contrasted to the standard Unix model of Discretionary Access Control (DAC)

SELinux comes installed by default on Red Hat distributions

To check your SELinux mode, run sestatus and check the output. For example:

$ sestatus
SELinux status:                 disabled

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing

Mode from config file:          error (Success)
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28


  • Multi-Level Security (MLS)
  • Multi-Category Security (MCS)

Permissive vs Enforcing Mode:

  • Permissive Mode: SELinux will log access control infringements but will not enforce them
  • Enforcing Mode: enforce!