[F] Add modprobe config to mitigate dirtyfrag & copyfail#1
Conversation
There was a problem hiding this comment.
Pull request overview
Adds host-level kernel module load restrictions via modprobe config on ctvp to reduce exposure to the referenced DirtyFrag and CopyFail vulnerabilities.
Changes:
- Introduces
boot.extraModprobeConfigentries that prevent loadingesp4,esp6,rxrpc, andalgif_aead. - Documents the mitigations with links to the related advisories/repos.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
sauricat
left a comment
There was a problem hiding this comment.
Now that we don't have auto ci/cd, even it be merged to main branch you still have to manually update the server config via nixos-rebuild boot.
Have you tested on the server?
|
不对不对,为什么不用 |
Tested the patch on my NixOS server Also tested this config can be built I have updated my PR description. Ready to merge. |
使用blacklist后,https://github.com/V4bel/dirtyfrag 失效,但是我怀疑修改exp后可能可以通过其它方法加载内核模块,因为sudo modprobe还可以成功加载 |
|
你都 sudoer 了无所谓吧。
|
演示如下 atri@homura ~/flake (main)> cat nixosModules/common/security.nix
{ pkgs, ... }:
{
boot.extraModprobeConfig = ''
# Mitigate https://dirtyfrag.io
# https://github.com/V4bel/dirtyfrag
install esp4 ${pkgs.coreutils}/bin/false
install esp6 ${pkgs.coreutils}/bin/false
install rxrpc ${pkgs.coreutils}/bin/false
# Mitigate CVE-2026-31431 https://copy.fail
# https://github.com/theori-io/copy-fail-CVE-2026-31431
# install algif_aead ${pkgs.coreutils}/bin/false
'';
boot.blacklistedKernelModules = [ "algif_aead" ];
}
atri@homura ~/flake (main)> cat /etc/modprobe.d/nixos.conf
blacklist algif_aead
blacklist ip_tables
# Mitigate https://dirtyfrag.io
# https://github.com/V4bel/dirtyfrag
install esp4 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
install esp6 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
install rxrpc /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
# Mitigate CVE-2026-31431 https://copy.fail
# https://github.com/theori-io/copy-fail-CVE-2026-31431
# install algif_aead /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
atri@homura ~/flake (main)> sudo rmmod algif_aead
rmmod: ERROR: Module algif_aead is not currently loaded
atri@homura ~/flake (main) [1]> lsmod | grep algif_aead
atri@homura ~/flake (main) [0|1]> modprobe algif_aead
modprobe: ERROR: could not insert 'algif_aead': Operation not permitted
atri@homura ~/flake (main) [1]> sudo -u nobody python3 -c "
import socket
s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
s.bind(('aead', 'gcm(aes)'))
"
atri@homura ~/flake (main)> lsmod | grep algif_aead
algif_aead 12288 0
af_alg 32768 1 algif_aead而使用当前的方法是可以阻止加载的 atri@homura ~/flake (main)> cat /etc/modprobe.d/nixos.conf
blacklist ip_tables
# Mitigate https://dirtyfrag.io
# https://github.com/V4bel/dirtyfrag
install esp4 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
install esp6 /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
install rxrpc /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
# Mitigate CVE-2026-31431 https://copy.fail
# https://github.com/theori-io/copy-fail-CVE-2026-31431
install algif_aead /nix/store/jjxngswsb214vb58qx485jhmilf0kxxy-coreutils-9.10/bin/false
atri@homura ~/flake (main)> sudo rmmod algif_aead
atri@homura ~/flake (main)> sudo -u nobody python3 -c "
import socket
s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
s.bind(('aead', 'gcm(aes)'))
"
Traceback (most recent call last):
File "<string>", line 4, in <module>
s.bind(('aead', 'gcm(aes)'))
~~~~~~^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory
atri@homura ~/flake (main) [1]> lsmod | grep algif_aead |
Mitigate CVE-2026-43284 CVE-2026-43500 https://dirtyfrag.io
https://github.com/V4bel/dirtyfrag
Mitigate CVE-2026-31431 https://copy.fail
https://github.com/theori-io/copy-fail-CVE-2026-31431
nixos-rebuild switch后,无需重启系统,运行以下命令来卸载可能已经加载内核模块:
检查模块是否正确无法加载
boot.blacklistedKernelModules是不够用的,因为它的效果是这样的模块仍然可以被加载