[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81935":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":8,"htmlUrl":8,"language":9,"languages":8,"totalLinesOfCode":8,"stars":10,"forks":11,"watchers":12,"openIssues":12,"contributorsCount":13,"subscribersCount":13,"size":13,"stars1d":14,"stars7d":12,"stars30d":12,"stars90d":13,"forks30d":13,"starsTrendScore":15,"compositeScore":16,"rankGlobal":8,"rankLanguage":8,"license":17,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":18,"hasPages":18,"topics":20,"createdAt":8,"pushedAt":8,"updatedAt":21,"readmeContent":22,"aiSummary":23,"trendingCount":13,"starSnapshotCount":13,"syncStatus":12,"lastSyncTime":24,"discoverSource":25},81935,"block-copyfail","openshift\u002Fblock-copyfail","openshift",null,"C",26,7,2,0,1,3,42.91,"Apache License 2.0",false,"main",[],"2026-06-12 04:01:36","## Summary\n\nThis repo provides **zero-reboot BPF LSM mitigations** for Linux kernel\nvulnerabilities:\n\n**CVE-2026-31431** — CopyFail.  Privilege escalation via `algif_aead`.  An\nattacker uses AF\\_ALG sockets with the `authencesn` algorithm and `splice()` to\ncorrupt arbitrary files in the page cache (e.g. `\u002Fusr\u002Fbin\u002Fsu`).\n\n**CVE-2026-43284** — Dirty Frag (IPsec ESP).  Privilege escalation via\nxfrm-ESP page-cache write paths.  Two attack vectors are blocked:\n- **UDP MSG\\_SPLICE\\_PAGES** globally (splice-to-UDP primitive, kernel 6.4+)\n- **UDP\\_ENCAP** from non-init net namespaces (ESP-in-UDP from containers)\n\n**CVE-2026-43500** — Dirty Frag (rxrpc).  Does not affect Red Hat products;\ndisabled by default.  Blocks:\n- **AF\\_RXRPC** socket creation globally (rxrpc\u002Frxkad path)\n\n**CVE-2026-46300** — Fragnesia (ESP-in-TCP).  Privilege escalation via\nESP-in-TCP page-cache write path.  Blocks:\n- **TCP\\_ULP \"espintcp\"** globally (kTLS `\"tls\"` is unaffected)\n\nAll mitigations are deployed as a single DaemonSet. 
By default the three CVEs\naffecting Red Hat products are active (CVE-2026-43500 is excluded). Individual\nmitigations can be toggled via the `MITIGATIONS` environment variable on the\nDaemonSet.\n\n## Quick Start\n\n```bash\n# 1. Verify BPF LSM is enabled (All versions of RHEL CoreOS enable this by default)\noc debug node\u002F\u003Cany-node> -- chroot \u002Fhost cat \u002Fsys\u002Fkernel\u002Fsecurity\u002Flsm\n# Must contain \"bpf\"\n\n# 2. Deploy the namespace and grant privileged SCC\noc apply -f daemonset.yaml\n\n# 3. DaemonSet pods will start automatically on all nodes\n\n# 4. Verify\noc get pods -n openshift-cve-mitigations     # All nodes should show Running\noc logs -n openshift-cve-mitigations -l app=kernel-ebpf-lsm-loader\n# Expected: \"mitigation-loader: active mitigations: CVE-2026-31431 CVE-2026-43284 CVE-2026-46300\"\n```\n\nNo reboots. No node drains. No pod restarts. Protection is immediate and\ncovers all processes on all nodes (100% coverage).\n\n### Selecting Mitigations\n\nBy default the three CVEs affecting Red Hat products are enabled\n(`MITIGATIONS=all`). 
To enable only specific mitigations, set the `MITIGATIONS`\nenvironment variable to a comma-separated list of CVE numbers:\n\n| Value              | What it enables                                           |\n|--------------------|-----------------------------------------------------------|\n| `all`              | CVE-2026-31431 + CVE-2026-43284 + CVE-2026-46300 (default) |\n| `all-cves`         | All four CVEs including CVE-2026-43500                    |\n| `CVE-2026-31431`   | CopyFail — AF\\_ALG AEAD binds                            |\n| `CVE-2026-43284`   | Dirty Frag (IPsec ESP) — UDP splice + UDP\\_ENCAP         |\n| `CVE-2026-43500`   | Dirty Frag (rxrpc) — AF\\_RXRPC (not in `all`)            |\n| `CVE-2026-46300`   | Fragnesia — TCP\\_ULP \"espintcp\"                          |\n\nExample — enable only CopyFail and Fragnesia:\n\n```yaml\nenv:\n- name: MITIGATIONS\n  value: \"CVE-2026-31431,CVE-2026-46300\"\n```\n\n## Table of Contents\n\n1. [How the Exploits Work](#how-the-exploits-work)\n2. [Confirming Vulnerability on Your Cluster](#confirming-vulnerability-on-your-cluster)\n3. [BPF LSM DaemonSet Deployment](#bpf-lsm-daemonset-deployment)\n4. [Post-Deployment Verification](#post-deployment-verification)\n5. [Building the Image from Source](#building-the-image-from-source)\n6. [Removal](#removal)\n\n---\n\n## How the Exploits Work\n\n### CVE-2026-31431 — CopyFail\n\nThe exploit chains three kernel features:\n\n1. **AF\\_ALG socket** — creates a userspace handle to kernel crypto via\n   `socket(AF_ALG, SOCK_SEQPACKET, 0)`\n2. **AEAD bind** — binds to `authencesn(hmac(sha256),cbc(aes))`, a specific\n   authenticated encryption algorithm\n3. 
**splice() + sendmsg()** — the kernel incorrectly performs an \"in-place\"\n   operation where source and destination page mappings differ, corrupting the\n   page cache of a read-only file\n\nThe attacker corrupts `\u002Fusr\u002Fbin\u002Fsu` in the page cache (without write access to\nthe file), then executes it to gain root.\n\n### CVE-2026-43284 — Dirty Frag (IPsec ESP)\n\nPage-cache corruption through the kernel's IPsec\u002FESP network subsystem:\n\n1. **UDP splice primitive** — MSG\\_SPLICE\\_PAGES on UDP sockets lets the ESP\n   decryption engine overwrite page-cache pages in place (kernel 6.4+)\n2. **ESP-in-UDP from containers** — `setsockopt(UDP_ENCAP)` configures UDP\n   encapsulation for IPsec.  Blocked from non-init net namespaces (containers)\n   while preserving host-level IPsec\u002FVPN.\n\n### CVE-2026-43500 — Dirty Frag (rxrpc)\n\nDoes not affect Red Hat products.  Disabled by default.\n\n1. **rxrpc\u002Frxkad path** — AF\\_RXRPC sockets allow the rxkad security class to\n   write into page-cache pages via the Rx protocol's large-packet reassembly\n\n### CVE-2026-46300 — Fragnesia (ESP-in-TCP)\n\nPage-cache corruption through ESP-in-TCP:\n\n1. **ESP-in-TCP** — `setsockopt(TCP_ULP, \"espintcp\")` sets up ESP decryption\n   on a TCP socket, enabling the same page-cache corruption.  
Blocked globally;\n   kTLS (`\"tls\"`) is unaffected.\n\n---\n\n## Confirming Vulnerability on Your Cluster\n\nCreate a new `cve-2026-31431-test` namespace on your cluster and run the test script by applying the manifests in [the `test` directory](test):\n\n```bash\noc apply -f test\n```\n\nCheck the results:\n\n```bash\noc wait pod\u002Fcve-test -n cve-2026-31431-test \\\n  --for=jsonpath='{.status.phase}'=Succeeded --timeout=120s\noc -n cve-2026-31431-test logs -l app=cve-2026-31431-test\n```\n\n**On a vulnerable cluster** you will see:\n\n```\n=== CVE-2026-31431 Vulnerability Test ===\nTarget: \u002Fusr\u002Fbin\u002Fsu\n\nOriginal SHA256: 8969560ae8e6e21c6184c1451f59418822ee69dd5d946d71987b55236bbc0feb\nAttempting splice + AF_ALG page-cache corruption (160 bytes in 40 chunks)...\nAfter SHA256:    30b0f5b5a054c4df65b48ca792863bf7054b4d793f15f57163792ba6c2b151ae\n\nPAGE CACHE CORRUPTION: YES - \u002Fusr\u002Fbin\u002Fsu was modified in the page cache\n\nAttempting to execute corrupted \u002Fusr\u002Fbin\u002Fsu ...\n  exit code: 0\n\nRESULT: PARTIALLY MITIGATED\n  Page-cache corruption succeeded (kernel is vulnerable)\n  Privilege escalation blocked (allowPrivilegeEscalation=false)\n```\n\n### Clean up\n\n```bash\noc delete namespace cve-2026-31431-test\n```\n\n---\n\n## BPF LSM DaemonSet Deployment\n\nThe BPF LSM approach hooks `socket_bind`, `socket_create`, `socket_sendmsg`,\nand `socket_setsockopt` at the kernel level to block the attack primitives used\nby CVE-2026-31431, CVE-2026-43284, CVE-2026-43500 (disabled by default),\nand CVE-2026-46300. Based on\n[block-copyfail](https:\u002F\u002Fgithub.com\u002Fatgreen\u002Fblock-copyfail) and\n[block-dirtyfrag](https:\u002F\u002Fgithub.com\u002Fmrunalp\u002Fblock-dirtyfrag), rewritten in C\nwith libbpf for OCP deployment.\n\n### Prerequisites\n\nBPF LSM must be enabled. 
RHEL CoreOS 9.8 (OCP 4.22) has it enabled by default.\nVerify with:\n\n```bash\noc debug node\u002F\u003Cany-node> -- chroot \u002Fhost cat \u002Fsys\u002Fkernel\u002Fsecurity\u002Flsm\n```\n\nExpected output includes `bpf`:\n\n```\nlockdown,capability,landlock,yama,selinux,bpf\n```\n\nIf `bpf` is **not** present, a one-time MachineConfig is needed (this is the\nonly scenario requiring a reboot):\n\n```yaml\napiVersion: machineconfiguration.openshift.io\u002Fv1\nkind: MachineConfig\nmetadata:\n  labels:\n    machineconfiguration.openshift.io\u002Frole: worker\n  name: 99-enable-bpf-lsm\nspec:\n  kernelArguments:\n    - lsm=lockdown,capability,selinux,bpf\n```\n\n### Step 1: Create the namespace, grant the SCC, and deploy\n\nCreate a new `openshift-cve-mitigations` namespace, grant SCC, and deploy the DaemonSet by applying [the `daemonset.yaml` manifest](daemonset.yaml).\nThe privileged SCC must be granted before the DaemonSet pods are created,\notherwise pod creation will fail with SCC validation errors.\n\n```bash\noc apply -f daemonset.yaml\n```\n\n### Step 2: Wait for pods to start on all nodes\n\n```bash\noc get pods -n openshift-cve-mitigations -o wide\n```\n\nExpected: one pod per node, all `Running`:\n\n```\nNAME                   READY   STATUS    AGE   NODE\nkernel-ebpf-lsm-loader-2jhzf   1\u002F1     Running   34s   ci-...-master-2\nkernel-ebpf-lsm-loader-4dfq7   1\u002F1     Running   34s   ci-...-master-1\nkernel-ebpf-lsm-loader-c2ts8   1\u002F1     Running   34s   ci-...-worker-c\nkernel-ebpf-lsm-loader-ctblk   1\u002F1     Running   34s   ci-...-worker-a\nkernel-ebpf-lsm-loader-m26sx   1\u002F1     Running   34s   ci-...-worker-b\nkernel-ebpf-lsm-loader-xsh6d   1\u002F1     Running   34s   ci-...-master-0\n```\n\n### Step 3: Verify the blocker is active\n\n```bash\noc logs -n openshift-cve-mitigations -l app=kernel-ebpf-lsm-loader\n```\n\nExpected:\n\n```\nmitigation-loader: init net namespace inum=4026531840\nmitigation-loader: active mitigations: 
CVE-2026-31431 CVE-2026-43284 CVE-2026-46300\n```\n\n---\n\n## Post-Deployment Verification\n\nRe-run the same exploit test from the [Confirming Vulnerability](#confirming-vulnerability-on-your-cluster) section.\n\n**After deploying the BPF LSM DaemonSet**, the output will be:\n\n```\n=== CVE-2026-31431 Vulnerability Test ===\nTarget: \u002Fusr\u002Fbin\u002Fsu\n\nOriginal SHA256: 30b0f5b5a054c4df65b48ca792863bf7054b4d793f15f57163792ba6c2b151ae\nAttempting splice + AF_ALG page-cache corruption (160 bytes in 40 chunks)...\n  AF_ALG bind failed: [Errno 1] Operation not permitted\n\nRESULT: CANNOT TEST - AF_ALG or splice not available\u002Fpermitted\n```\n\nThe DaemonSet logs will show the blocked attempt:\n\n```bash\noc logs -n openshift-cve-mitigations -l app=kernel-ebpf-lsm-loader\n```\n\n```\nmitigation-loader: init net namespace inum=4026531840\nmitigation-loader: active mitigations: CVE-2026-31431 CVE-2026-43284 CVE-2026-46300\nmitigation-loader: BLOCKED CVE-2026-31431 AF_ALG AEAD bind pid=16777    comm=python3 time=2026-05-01 16:37:23\n```\n\n### Verifying Other Algorithms Are Unaffected\n\nRun `verify-algos.py` on a node to confirm that all AEAD algorithms are blocked\nwhile other AF\\_ALG types (hash, skcipher) continue to work:\n\n```bash\noc debug node\u002F\u003Cany-node> -- chroot \u002Fhost python3 -c \"\nimport socket\ntests = [\n    ('aead',     'gcm(aes)'),\n    ('aead',     'ccm(aes)'),\n    ('aead',     'rfc4106(gcm(aes))'),\n    ('hash',     'sha256'),\n    ('skcipher', 'cbc(aes)'),\n    ('aead',     'authencesn(hmac(sha256),cbc(aes))'),\n]\nfor t, n in tests:\n    s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)\n    try:\n        s.bind((t, n))\n        print(f'  ALLOWED  {t}\u002F{n}')\n    except OSError as e:\n        print(f'  BLOCKED  {t}\u002F{n} -- {e}')\n    finally:\n        s.close()\n\"\n```\n\nExpected output:\n\n```\n  BLOCKED  aead\u002Fgcm(aes) -- [Errno 1] Operation not permitted\n  BLOCKED  aead\u002Fccm(aes) -- [Errno 
1] Operation not permitted\n  BLOCKED  aead\u002Frfc4106(gcm(aes)) -- [Errno 1] Operation not permitted\n  ALLOWED  hash\u002Fsha256\n  ALLOWED  skcipher\u002Fcbc(aes)\n  BLOCKED  aead\u002Fauthencesn(hmac(sha256),cbc(aes)) -- [Errno 1] Operation not permitted\n```\n\nThis confirms the BPF LSM blocks all AEAD binds while leaving other AF_ALG types functional.\n\n---\n\n## Building the Image from Source\n\n```\nmitigations.bpf.c         # BPF kernel programs (CVE-2026-31431 + CVE-2026-43284 + CVE-2026-43500 + CVE-2026-46300)\nmitigations.c             # Userspace loader with MITIGATIONS env var parsing (accepts CVE numbers)\nmitigations.h             # Shared event struct and block reason constants\nMakefile                  # Build pipeline\nDockerfile                # Multi-stage build\ndaemonset.yaml            # Namespace + DaemonSet manifest\ntrigger-test.py           # Quick CopyFail validation script\n```\n\nBuild and push:\n\n```bash\npodman build -t quay.io\u002F\u003Corg>\u002Fmitigation-loader:latest .\npodman push quay.io\u002F\u003Corg>\u002Fmitigation-loader:latest\n```\n\nThe Dockerfile uses a multi-stage build: Fedora with clang\u002Fbpftool\u002Flibbpf-devel\nfor compilation, UBI 9 minimal for the runtime image (~122 MB).\n\n---\n\n## Removal\n\nDeleting the DaemonSet immediately removes the mitigation on all nodes:\n\n```bash\noc delete -f daemonset.yaml\n# or\noc delete namespace openshift-cve-mitigations\n```\n\nThe BPF program detaches automatically when the loader process exits. No reboot\nor pod restart is needed.\n","The openshift\u002Fblock-copyfail project provides a reboot-free BPF LSM mitigation for several security vulnerabilities in the Linux kernel. Its core function is to use eBPF to block the exploitation paths of specific CVEs (such as CVE-2026-31431, CVE-2026-43284 and CVE-2026-46300), thereby preventing privilege escalation attacks. The mitigations are deployed as a DaemonSet in a Kubernetes cluster, ensuring that processes on every node are protected immediately. It is suited to enterprise containerized environments that need to respond quickly to known kernel vulnerabilities and reduce their impact, particularly users of Red Hat products. The specific mitigations to enable can be selected flexibly via an environment variable.","2026-06-11 04:07:16","CREATED_QUERY"]