- copy_fail_family/iamroot_modules.c: two new bridge functions
- copy_fail_family_mitigate: calls existing mitigate_apply() which
blacklists algif_aead + esp4 + esp6 + rxrpc, sets
kernel.apparmor_restrict_unprivileged_userns=1, drops caches.
- copy_fail_family_cleanup: heuristic-routed cleanup. If the
mitigation conf file (/etc/modprobe.d/dirtyfail-mitigations.conf)
exists → mitigate_revert(). Otherwise → try_revert_passwd_page_cache()
to evict /etc/passwd from page cache.
- All 5 copy_fail_family modules' .mitigate and .cleanup fields now
point at these shared family-wide handlers (the mitigation is
family-wide, not per-CVE).
- dirty_pipe and entrybleed: no --mitigate offered (no canonical
patches / only-fix-is-upgrade). Documented in ROADMAP.
Verified end-to-end on kctf-mgr as non-root user:
iamroot --mitigate copy_fail → 'mitigate requires root' (correct)
iamroot --cleanup copy_fail → 'no mitigation conf; evicting page cache'
CVES.md gains a per-module ops table; ROADMAP.md marks Phase 6 partial.
leviathan
28ad566964