Added dirtyfrag module #143
Merged
Detects Dirty Frag kernel page-cache write vulnerabilities (xfrm-ESP and RxRPC) and optionally applies mitigation via modprobe.d module blacklisting.
oldgiova reviewed on May 14, 2026 and left a comment:
I've asked Claude Code to help me review this and here are the findings (the ones that I understood and confirmed with human double-checks).
Author (member) replied:
Thanks for the reviews, great stuff. I am working on an overhaul.
Author (member) replied:
OK, fixups from reviews. See what you think now.
Addresses Roberto's and Craig's reviews and a cross-distro hardening pass
(centos7/rocky8/9, alma10, debian12/13, ubuntu24).
- ipcomp4 -> ipcomp
- namespace references in kernel_patch_check; widen class scope
- version_match patterns
- sourced kernel version from package metadata on Debian/Ubuntu
- Dropped /usr/bin/ paths and useshell pipelines where CFEngine primitives
suffice (string_split, sort -V -C, packagesmatching)
- Collapsed module-file presence checks into one findfiles per CVE
- Collapsed kernel_patch_check into bundle main; dropped _kver alias
- Used packagesmatching() instead of a dpkg-query subprocess
- New status: MITIGATED (userns disabled) when user.max_user_namespaces=0
- Composite classes (dirtyfrag_vulnerable, dirtyfrag_esp_mitigated,
dirtyfrag_rxrpc_mitigated) tagged meta=>{"report"} and namespace-
scoped, so cf-hub collects them for reports without cluttering the
default Inventory column set
- CMDB toggle variables default-disabled with explicit opt-in
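The PR description and the commit message above describe the checks the module performs: is the affected module on disk (one findfiles per CVE), is it blocked through modprobe.d, and is user.max_user_namespaces set to 0 (the MITIGATED (userns disabled) status). The following is an added POSIX sh example of the same decision logic, written for this page; it is not the module's CFEngine policy and not code from the PR. It assumes the affected kernel module names are esp4 and esp6 (xfrm-ESP) and rxrpc (RxRPC), treats either "blacklist <mod>" or "install <mod> /bin/false" in /etc/modprobe.d as a block, and adds one caveat the PR's statuses do not spell out: a module that is already loaded is reported as vulnerable regardless of blacklisting, because a blacklist only affects future loads. The kernel-version (patched) check is left out, since the fixed versions are not on this page. The status strings are this example's own, modelled on the PR's. It takes a root directory argument so it can be run against a constructed fake sysroot.

```shell
#!/bin/sh
# Added example, not the dirtyfrag module's own policy. Module names
# (esp4, esp6, rxrpc) and status strings are assumptions for illustration.

# Is a kernel module available on disk under <root>/lib/modules?
# Matches esp4.ko as well as compressed esp4.ko.xz / esp4.ko.zst.
dirtyfrag_module_present() {
    m="$1"; r="${2:-}"
    find "$r/lib/modules" -type f \( -name "$m.ko" -o -name "$m.ko.*" \) 2>/dev/null | grep -q .
}

# Is the module currently loaded? /proc/modules lines start with "<name> ".
dirtyfrag_module_loaded() {
    m="$1"; r="${2:-}"
    grep -qs "^$m " "$r/proc/modules"
}

# Is the module blocked in modprobe.d? Accepts "blacklist <mod>" (what the PR
# uses) and "install <mod> /bin/false|/bin/true" (also blocks loads by name).
dirtyfrag_module_blocked() {
    m="$1"; r="${2:-}"
    grep -Eqsh "^[[:space:]]*(blacklist[[:space:]]+$m|install[[:space:]]+$m[[:space:]]+/bin/(false|true))([[:space:]]|$)" \
        "$r"/etc/modprobe.d/*.conf
}

# The PR's "MITIGATED (userns disabled)" condition: user.max_user_namespaces=0.
dirtyfrag_userns_disabled() {
    r="${1:-}"
    f="$r/proc/sys/user/max_user_namespaces"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# Status for one CVE's module set. Usage: dirtyfrag_status <root> <mod>...
# Prints one of:
#   MITIGATED (userns disabled) | VULNERABLE (module loaded) |
#   NOT_PRESENT | VULNERABLE | MITIGATED (blacklisted)
dirtyfrag_status() {
    root="${1:-}"; shift
    if dirtyfrag_userns_disabled "$root"; then
        echo "MITIGATED (userns disabled)"
        return 0
    fi
    present=0; unblocked=0; loaded=0
    for mod in "$@"; do
        if dirtyfrag_module_loaded "$mod" "$root"; then loaded=1; fi
        if dirtyfrag_module_present "$mod" "$root"; then
            present=1
            # A module on disk that is not blocked can still be auto-loaded.
            if ! dirtyfrag_module_blocked "$mod" "$root"; then unblocked=1; fi
        fi
    done
    if [ "$loaded" = 1 ]; then
        # Blacklisting after the fact does not unload it; needs rmmod/reboot.
        echo "VULNERABLE (module loaded)"
    elif [ "$present" = 0 ]; then
        echo "NOT_PRESENT"
    elif [ "$unblocked" = 1 ]; then
        echo "VULNERABLE"
    else
        echo "MITIGATED (blacklisted)"
    fi
}

# Human-readable report for both CVEs named in the PR (xfrm-ESP and RxRPC).
dirtyfrag_report() {
    r="${1:-}"
    printf 'xfrm-ESP (esp4, esp6): %s\n' "$(dirtyfrag_status "$r" esp4 esp6)"
    printf 'RxRPC (rxrpc):         %s\n' "$(dirtyfrag_status "$r" rxrpc)"
}

# Run the report only when asked, so the file can also be sourced for its functions.
if [ "${DIRTYFRAG_REPORT:-0}" = 1 ]; then
    dirtyfrag_report "${DIRTYFRAG_ROOT:-}"
fi
```

On a live host run it as `DIRTYFRAG_REPORT=1 sh dirtyfrag_check.sh` (an empty root means the real filesystem); set DIRTYFRAG_ROOT to a mounted image or fake sysroot to check an offline system. The `install <mod> /bin/false` form is accepted alongside `blacklist` because `blacklist` only stops alias-driven auto-loading, while `install` also overrides an explicit `modprobe <mod>`.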
craigcomstock approved these changes on May 19, 2026.