Vulnerability Response
Vulnerability Response
Tracking and mitigating known kernel vulnerabilities across the fleet.
Architecture
Kernel module blocking lives in modules/security.nix under the permanent
hardening.kernel block (enabled by default on all hosts). Two layers:
| Layer | Mechanism | Scope |
|---|---|---|
boot.blacklistedKernelModules | Kernel cmdline modprobe.blacklist= | Prevents auto-load on hardware probe |
boot.extraModprobeConfig | install <mod> /bin/false | Blocks ALL loads including explicit modprobe |
Both are needed: blacklistedKernelModules is advisory (some kernel paths
bypass it), while install ... /bin/false makes modprobe itself refuse.
Blocked Modules
| Module | Reason |
|---|---|
dccp, sctp, rds, tipc | Rare/unused transport protocols |
algif_aead, algif_skcipher | AF_ALG AEAD — kernel crypto surface |
xfrm_algo, xfrm_user, xfrm4_tunnel, xfrm6_tunnel | IPsec XFRM framework |
esp4, esp6, esp4_offload, esp6_offload | ESP packet transformation |
rxrpc | AF_RXRPC — rarely used |
Adding a Temporary CVE Mitigation
When a new vulnerability appears that needs fleet-wide mitigation before upstream patches land:
-
Add modules to the blacklist and extraModprobeConfig in
modules/security.nixunder thehardening.kernelblock. -
Gate with a new option if the mitigation is destructive or should be toggleable per-host:
options.modules.security.hardening = { # ... existing options ... blockNewVuln = mkBoolOpt true; }; -
Document the CVE/exploit here with references.
-
Deploy to all affected hosts.
-
Remove when patched — once all hosts run a fixed kernel, delete the module entries and any temporary option.
Historical Mitigations
Dirty Frag (xfrm-ESP + RxRPC Page-Cache Write LPE) — mitigated 2026-04
| Field | Detail |
|---|---|
| Class | Local privilege escalation via page-cache write |
| Vectors | xfrm-ESP (since Linux 4.10), RxRPC (since Linux 6.4) |
| Impact | Unprivileged user → root |
| Affected kernels | 4.10 through current (xfrm-ESP), 6.4+ (RxRPC) |
| Fix commit | f4c50a4034e6 (“xfrm: fix page-cache write in xfrm-esp”) |
| Researcher | Hyunwoo Kim (@v4bel) |
| References | https://github.com/V4bel/dirtyfrag, https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel |
Originally tracked under modules.security.vulnerabilities.dirtyFrag (removed
2026-05). Now part of the permanent hardening block as general AEAD/ESP/XFRM
attack surface reduction.
Verification
# Blacklist took effect (check kernel cmdline):
cat /proc/cmdline | tr ' ' '\n' | grep modprobe
# Modules not loaded:
lsmod | grep -E 'algif|xfrm|esp|rxrpc'
# modprobe blocked (should return non-zero):
modprobe esp4; echo $? # → 1hey check Integration
boot.blacklistedKernelModules generates modprobe.blacklist=... on the
kernel command line. hey check flake validates the config but not runtime
state — verify on the target host after deploy.