Releases: cozystack/copy-fail-blocker
v0.3.0 - Block AF_RXRPC (Dirty Frag mitigation)
Adds host-wide, no-reboot mitigation for the RxRPC variant of Dirty Frag on top of the existing CVE-2026-31431 ("Copy Fail") coverage.
The BPF-LSM socket_create hook now denies both AF_ALG and AF_RXRPC, but only when called from userspace — kernel-internal users (e.g. AFS, in-kernel crypto) keep working.
Install
```sh
kubectl apply -f https://raw.githubusercontent.com/cozystack/copy-fail-blocker/v0.3.0/manifests/copy-fail-blocker.yaml
```
Changes
- Block `AF_RXRPC` (33) socket creation to neutralize the RxRPC half of Dirty Frag (page-cache write via `rxkad_verify_packet_1()`).
- Limit denial to userspace callers via `kern == 0`; kernel-internal callers (AFS, IPsec self-tests, etc.) are allowed.
- Helm chart and container image bumped to `v0.3.0`, image pinned by digest.
- README updated with Dirty Frag context, expanded mitigation table, updated verify snippet, expanded Limitations.
Scope
- Closes the RxRPC variant of Dirty Frag and the existing Copy Fail (`AF_ALG`) path.
- Does not close the xfrm-ESP variant of Dirty Frag; that one is tracked separately.
- Do not deploy on nodes that run OpenAFS / kAFS userspace clients: their `AF_RXRPC` sockets are created from userspace and will be denied.
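As an added example (not the project's own code), here is a BPF-LSM `socket_create` policy with the shape described in this release: deny `AF_ALG` and `AF_RXRPC` for userspace callers only, keyed on the hook's `kern` argument, together with a small userspace probe of the kind a node-side verify step would use. The hook signature `(family, type, protocol, kern)` is the kernel's `security_socket_create()` one; the file name `deny_families.c`, the program and function names, the `vmlinux.h` build path and the clang invocation are assumptions.

```c
/*
 * Added example, not the copy-fail-blocker project's code.
 * One source file, two builds (names and paths are assumptions):
 *
 *   clang -O2 -g -target bpf -D__TARGET_ARCH_x86 -c deny_families.c -o deny_families.bpf.o
 *   cc -O2 deny_families.c -o probe && ./probe
 *
 * The first build yields the LSM program to attach; the second builds a
 * userspace probe that reports what socket(2) returns for each family.
 */
#ifdef __bpf__
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#define EPERM 1                 /* vmlinux.h carries no errno macros */
#else
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#endif

/* Address-family numbers from include/linux/socket.h. */
#define AF_RXRPC_NUM 33
#define AF_ALG_NUM   38

/*
 * Policy shared by the BPF program and the host build. `kern` is the fourth
 * argument of security_socket_create(): non-zero for in-kernel callers
 * (kAFS, crypto self-tests), 0 for a userspace socket(2) call.
 * Returns 0 to allow, -EPERM to deny.
 */
static int policy_decide(int family, int type, int protocol, int kern)
{
    (void)type;
    (void)protocol;
    if (kern)
        return 0;               /* kernel-internal users keep working */
    if (family == AF_ALG_NUM || family == AF_RXRPC_NUM)
        return -EPERM;          /* deny the userspace entry points */
    return 0;
}

#ifdef __bpf__
SEC("lsm/socket_create")
int BPF_PROG(deny_families, int family, int type, int protocol, int kern)
{
    return policy_decide(family, type, protocol, kern);
}

char LICENSE[] SEC("license") = "GPL";
#else
/*
 * Userspace probe: attempt to create a socket and return 0 on success or
 * the errno. With the hook attached, AF_ALG and AF_RXRPC yield EPERM.
 * EAFNOSUPPORT means the family is not built into this kernel, so there
 * is nothing to block on that node.
 */
static int probe_family(int family, int type, int protocol)
{
    int fd = socket(family, type, protocol);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

static const char *describe(int err)
{
    if (err == 0)
        return "created (NOT blocked)";
    if (err == EPERM)
        return "EPERM (blocked)";
    if (err == EAFNOSUPPORT)
        return "EAFNOSUPPORT (family not available)";
    return strerror(err);
}

int main(void)
{
    /* AF_ALG wants SOCK_SEQPACKET; AF_RXRPC wants SOCK_DGRAM with the
     * transport family (PF_INET/PF_INET6) passed as the protocol. */
    printf("AF_ALG   : %s\n", describe(probe_family(AF_ALG_NUM, SOCK_SEQPACKET, 0)));
    printf("AF_RXRPC : %s\n", describe(probe_family(AF_RXRPC_NUM, SOCK_DGRAM, AF_INET)));
    printf("AF_INET  : %s\n", describe(probe_family(AF_INET, SOCK_DGRAM, 0)));
    return 0;
}
#endif
```

The `kern` flag is not observable from userspace, so the probe can only show that userspace creation is denied; that kernel-internal callers still succeed is a property of the policy, not something a container can test. Run the probe on a node before and after rolling the DaemonSet to see the transition from "created" to "EPERM".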
v0.2.1 - Pre-rendered manifest
Adds a pre-rendered manifest under `manifests/` so users can install with a single `kubectl apply -f` instead of cloning the repo.
Install
```sh
kubectl apply -f https://raw.githubusercontent.com/cozystack/copy-fail-blocker/v0.2.1/manifests/copy-fail-blocker.yaml
```
Changes
- Add `manifests/copy-fail-blocker.yaml` regenerated by `make manifest` (and automatically by `make image`)
- Pin `metadata.namespace: kube-system` in the DaemonSet so `kubectl apply -f` targets the right namespace without `-n`
- Helm chart bumped to 0.2.1; container image unchanged from v0.2.0
v0.2.0 - Multi-arch (amd64, arm64)
Multi-arch support.
Changes
- linux/arm64 build alongside linux/amd64; container image is now a multi-arch manifest list
- Helm chart bumped to 0.2.0
Container image
`ghcr.io/cozystack/copy-fail-blocker:v0.2.0@sha256:64706bb9fff42ffaedab855163bd9edd0bc566798503ad92b4eb1e52f78cabdf`
| Platform | Manifest digest |
|---|---|
| linux/amd64 | sha256:1dffaef6eb67a628760e952b316866e838ee273fa415edeaf53971743802ae0b |
| linux/arm64 | sha256:97daa3ae4a09993ed5dbbd71ebda9f917294a47a8ce83207c561d29d4345e8b0 |
Install
```sh
git clone --branch v0.2.0 https://github.com/cozystack/copy-fail-blocker
cd copy-fail-blocker
helm upgrade --install copy-fail-blocker charts/copy-fail-blocker \
  --namespace kube-system
```
Tested on
- Talos Linux v1.12, linux/amd64 (3-node cluster, rolling-upgrade from v0.1.0 verified)
Upgrade from v0.1.0
```sh
git fetch && git checkout v0.2.0
make apply
```
The DaemonSet does a rolling restart; on each node the protection has a brief gap while that node's pod is recreated, since the hook detaches with the pod.
v0.1.0 - Initial release
Initial release of copy-fail-blocker.
A BPF-LSM DaemonSet that mitigates CVE-2026-31431 ("Copy Fail") and any future vulnerability that depends on userspace access to the Linux kernel crypto API. The hook denies AF_ALG socket creation cluster-wide without requiring a kernel rebuild or a node reboot.
Container image
`ghcr.io/cozystack/copy-fail-blocker:v0.1.0@sha256:abca200e40adaf9f7585146dcecb59bcf4e030d349adababef14418188dca53e`
linux/amd64 only.
Install
```sh
git clone --branch v0.1.0 https://github.com/cozystack/copy-fail-blocker
cd copy-fail-blocker
helm upgrade --install copy-fail-blocker charts/copy-fail-blocker \
  --namespace kube-system
```
See README for full details.
Tested on
- Talos Linux v1.12 (3-node cluster)
- Linux 6.18
Known limitations
- linux/amd64 only — arm64 build needs cross-compile fix in clang include paths (planned for v0.2.0)
- Hook detaches when pod restarts (seconds-long gap)
- Doesn't block algif_skcipher / algif_hash directly; only the AF_ALG family entry point (socket creation) is denied