| 1 | +# Mitigation for CVE-2026-31431 ("Copy Fail") |
| 2 | +# |
| 3 | +# Blocks the algif_aead kernel module — the user-space front door used by |
| 4 | +# Copy Fail's container-escape primitive — by writing a modprobe.d "install" |
| 5 | +# rule and unloading the module if it is currently in memory. |
| 6 | +# |
| 7 | +# Safe across the full PSF fleet (Ubuntu 12.04 .. 24.04). On kernels that |
| 8 | +# never had the buggy algif_aead optimization (pre-2017), the file is inert. |
| 9 | +# On kernels where it matters, it removes the attack surface until the host |
| 10 | +# is upgraded to a patched kernel containing mainline a664bf3d603d. |
| 11 | +# |
| 12 | +# Disabling algif_aead does NOT affect dm-crypt/LUKS, kTLS, IPsec/XFRM, |
| 13 | +# OpenSSL/GnuTLS/NSS, SSH, or kernel keyring crypto — those use the in-kernel |
| 14 | +# crypto API directly and do not traverse AF_ALG. |
| 15 | +# |
| 16 | +# Refs: |
| 17 | +# https://copy.fail/ |
| 18 | +# https://github.com/theori-io/copy-fail-CVE-2026-31431 |
| 19 | + |
| 20 | +/etc/modprobe.d/disable-algif.conf: |
| 21 | + file.managed: |
| 22 | + - contents: | |
| 23 | + # Managed by Salt: salt/base/harden/copy-fail.sls |
| 24 | + # Mitigation for CVE-2026-31431 (Copy Fail). |
| 25 | + # Remove this file once the host is on a kernel containing a664bf3d603d. |
| 26 | + install algif_aead /bin/false |
| 27 | + - user: root |
| 28 | + - group: root |
| 29 | + - mode: "0644" |
| 30 | + |
| 31 | +# Unload the module if it is currently loaded. Idempotent: the `unless` check |
| 32 | +# makes this a no-op when algif_aead is not in /proc/modules. |
| 33 | +copy-fail-unload-algif-aead: |
| 34 | + cmd.run: |
| 35 | + - name: rmmod algif_aead |
| 36 | + - unless: '! grep -q "^algif_aead " /proc/modules' |
| 37 | + - require: |
| 38 | + - file: /etc/modprobe.d/disable-algif.conf |
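Review bot: The mitigation is a silent no-op when the running kernel has algif_aead compiled in rather than built as a module: `install algif_aead /bin/false` is only consulted by modprobe, the `unless` grep of /proc/modules never matches a built-in, and Salt reports the state as applied while the AF_ALG aead surface stays exposed (Ubuntu's generic kernels appear to ship it as `=m`, but self-built or cloud-vendor kernels may not). A guard such as `grep -q '^CONFIG_CRYPTO_USER_API_AEAD=m' /boot/config-$(uname -r)`, failing or at least logging when the option is `=y`, would make that case visible in the highstate instead of hidden. Separately, `rmmod algif_aead` in copy-fail-unload-algif-aead fails with "Module is in use" whenever a process still holds an AF_ALG aead socket, which is exactly the state a host is left in if the primitive has already been exercised; the loud failure is the right outcome, but the comment above the state should say so and the runbook should name the follow-up (identify the holder, reboot onto a patched kernel). Finally, `unless: '! grep -q ...'` is a double negative; `onlyif: grep -q "^algif_aead " /proc/modules` expresses the same condition directly.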