SKELETONKEY/modules/copy_fail_family/src/mitigate.h
leviathan 52e8c99022 Phase 1: module interface + registry + top-level dispatcher
- core/module.h: struct iamroot_module + iamroot_result_t
- core/registry.{h,c}: flat-array module registry with find-by-name
- modules/copy_fail_family/iamroot_modules.{h,c}: bridge layer
  exposing 5 modules (copy_fail, copy_fail_gcm, dirty_frag_esp,
  dirty_frag_esp6, dirty_frag_rxrpc) wired to the absorbed DIRTYFAIL
  detect/exploit functions; df_result_t/iamroot_result_t share numeric
  values intentionally for zero-cost translation
- iamroot.c: top-level CLI dispatcher with --scan / --list / --exploit /
  --mitigate / --cleanup, JSON output, --i-know gate
- Restored modules/copy_fail_family/src/ structure (DIRTYFAIL Makefile
  expects it; the initial flat copy broke that contract)
- Top-level Makefile builds one binary; filters out DIRTYFAIL's
  original dirtyfail.c main so it doesn't conflict with iamroot.c

Verified end-to-end on kctf-mgr (Linux): clean compile, 5 modules
register, --scan --json output ingest-ready, exit codes propagate.
2026-05-16 19:32:11 -04:00

/*
 * DIRTYFAIL — mitigate.h
 *
 * Defensive companion to the exploit modes: applies all known
 * mitigations for Copy Fail / Dirty Frag in one shot. Intended for
 * sysadmins who want a fast "fix this until the kernel patch lands"
 * deployment.
 *
 * What `--mitigate` does:
 *
 *   1. Writes /etc/modprobe.d/dirtyfail-mitigations.conf with
 *      `install <mod> /bin/false` blacklists for:
 *        - algif_aead (Copy Fail authencesn primitive)
 *        - esp4 + esp6 (Dirty Frag xfrm-ESP path)
 *        - rxrpc (Dirty Frag RxRPC path)
 *
 *   2. rmmods any of those that are currently loaded.
 *
 *   3. Sets `kernel.apparmor_restrict_unprivileged_userns=1` (where
 *      AppArmor is loaded). Persists via /etc/sysctl.d/.
 *
 *   4. Drops the page cache to evict any pre-existing page-cache
 *      modifications.
 *
 *   5. Reports what it did so the operator can audit / undo.
 *
 * Caveats:
 *   - Requires root.
 *   - Disabling esp4/esp6 breaks IPsec / strongSwan.
 *   - Disabling rxrpc breaks AFS clients.
 *   - These are interim mitigations; the right fix is the kernel patch.
 *
 * Run with `--cleanup-mitigate` to undo (removes the blacklist conf,
 * removes the sysctl conf, but does not unload modules — operator
 * decides if/when to reload).
 */
#ifndef DIRTYFAIL_MITIGATE_H
#define DIRTYFAIL_MITIGATE_H

#include "common.h"

/* Apply steps 1-5 above. Returns a df_result_t status code. */
df_result_t mitigate_apply(void);

/* Undo --mitigate: remove the modprobe and sysctl conf files; loaded or
 * unloaded modules are left as they are. */
df_result_t mitigate_revert(void);

#endif /* DIRTYFAIL_MITIGATE_H */
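The `--mitigate` / `--cleanup-mitigate` procedure from the header comment, written out as an added shell example that is not DIRTYFAIL's own code. The optional prefix argument (so the config writers can be exercised against a scratch directory) and the `99-dirtyfail.conf` sysctl.d file name are assumptions.

```bash
#!/bin/bash
# Added example, not DIRTYFAIL's own code. Prefix argument (default "") and
# the sysctl.d file name are assumptions; the module list and the
# `install <mod> /bin/false` technique come from the mitigate.h comment.
MODS="algif_aead esp4 esp6 rxrpc"

# Step 1: `install <mod> /bin/false` stops modprobe from auto-loading each module.
df_write_blacklist_conf() {
    local conf="${1:-}/etc/modprobe.d/dirtyfail-mitigations.conf" m
    mkdir -p "$(dirname "$conf")" && : > "$conf"
    for m in $MODS; do printf 'install %s /bin/false\n' "$m" >> "$conf"; done
}

# Step 2 helper: print the targeted modules that are loaded, reading a file
# in /proc/modules format (module name is the first column).
df_loaded_targets() {
    local file="${1:-/proc/modules}" m
    for m in $MODS; do
        awk -v mod="$m" '$1 == mod { f = 1 } END { exit !f }' "$file" && echo "$m"
    done
    return 0
}

# Step 3: persist the AppArmor unprivileged-userns restriction via sysctl.d.
df_write_sysctl_conf() {
    local conf="${1:-}/etc/sysctl.d/99-dirtyfail.conf"
    mkdir -p "$(dirname "$conf")"
    printf 'kernel.apparmor_restrict_unprivileged_userns = 1\n' > "$conf"
}

# Steps 1-5 together; only meaningful on a real host (root, rmmod, sysctl).
df_mitigate_apply() {
    local m
    [ "$(id -u)" -eq 0 ] || { echo "mitigate: requires root" >&2; return 1; }
    df_write_blacklist_conf "$1" && echo "wrote modprobe blacklist"
    for m in $(df_loaded_targets); do rmmod "$m" && echo "unloaded $m"; done
    if [ -d /sys/kernel/security/apparmor ]; then
        df_write_sysctl_conf "$1" && sysctl -q -p "${1:-}/etc/sysctl.d/99-dirtyfail.conf"
    fi
    sync && echo 3 > /proc/sys/vm/drop_caches && echo "dropped page cache"
}

# Undo: remove both conf files; modules stay as they are until the operator reloads.
df_mitigate_revert() {
    rm -f "${1:-}/etc/modprobe.d/dirtyfail-mitigations.conf" \
          "${1:-}/etc/sysctl.d/99-dirtyfail.conf"
}

case "${1:-}" in apply) df_mitigate_apply "${2:-}" ;; revert) df_mitigate_revert "${2:-}" ;; esac
```

Run as `sudo ./mitigate.sh apply` on the host, or call the writer functions with a scratch prefix to inspect the generated files first.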