47 lines
1.4 KiB
C
47 lines
1.4 KiB
C
/*
|
|
* DIRTYFAIL — mitigate.h
|
|
*
|
|
* Defensive companion to the exploit modes: applies all known
|
|
* mitigations for Copy Fail / Dirty Frag in one shot. Intended for
|
|
* sysadmins who want a fast "fix this until the kernel patch lands"
|
|
* deployment.
|
|
*
|
|
* What `--mitigate` does:
|
|
*
|
|
* 1. Writes /etc/modprobe.d/dirtyfail-mitigations.conf with
|
|
* `install <mod> /bin/false` blacklists for:
|
|
* - algif_aead (Copy Fail authencesn primitive)
|
|
* - esp4 + esp6 (Dirty Frag xfrm-ESP path)
|
|
* - rxrpc (Dirty Frag RxRPC path)
|
|
*
|
|
* 2. rmmods any of those that are currently loaded.
|
|
*
|
|
* 3. Sets `kernel.apparmor_restrict_unprivileged_userns=1` (where
|
|
* AppArmor is loaded). Persists via /etc/sysctl.d/.
|
|
*
|
|
* 4. Drops the page cache to evict any pre-existing page-cache
|
|
* modifications.
|
|
*
|
|
* 5. Reports what it did so the operator can audit / undo.
|
|
*
|
|
* Caveats:
|
|
* - Requires root.
|
|
* - Disabling esp4/esp6 breaks IPsec / strongSwan.
|
|
* - Disabling rxrpc breaks AFS clients.
|
|
* - These are interim mitigations; the right fix is the kernel patch.
|
|
*
|
|
* Run with `--cleanup-mitigate` to undo (removes the blacklist conf,
|
|
* removes the sysctl conf, but does not unload modules — operator
|
|
* decides if/when to reload).
|
|
*/
|
|
|
|
#ifndef DIRTYFAIL_MITIGATE_H
|
|
#define DIRTYFAIL_MITIGATE_H
|
|
|
|
#include "common.h"
|
|
|
|
df_result_t mitigate_apply(void);
|
|
df_result_t mitigate_revert(void);
|
|
|
|
#endif
|