From 486cf7bc9feeccaba67c9a764e53236e3303bc2c Mon Sep 17 00:00:00 2001
From: Hadi Chokr
Date: Thu, 7 May 2026 23:38:09 +0200
Subject: [PATCH] Hotfix: Mitigate dirtyfrag

Signed-off-by: Hadi Chokr
(cherry picked from commit f0198f0dad855623748be9a2807d264a04e0e5da)
Co-authored-by: Hadi Chokr
---
 .../lib/modprobe.d/99-kde-linux-security.conf | 21 ++++++++++++++++---
 mkosi.finalize.d/40-core.sh.chroot | 11 ++++++++--
 2 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/mkosi.extra/usr/lib/modprobe.d/99-kde-linux-security.conf b/mkosi.extra/usr/lib/modprobe.d/99-kde-linux-security.conf
index 821938e..30bf27d 100644
--- a/mkosi.extra/usr/lib/modprobe.d/99-kde-linux-security.conf
+++ b/mkosi.extra/usr/lib/modprobe.d/99-kde-linux-security.conf
@@ -1,13 +1,13 @@
 # SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
 # SPDX-FileCopyrightText: none
-# af_alg et al are dangerous and unused by anything relevant except for iwd and
+# af_alg et al. are dangerous and unused by anything relevant except for iwd and
 # non-default cryptsetup algorithms, neither of which are supported on KDE Linux.
-# disable these things to reduce our attack surface.
-
+# Disable these things to reduce our attack surface.
 # See also:
 # - https://www.secwest.net/copyfail-mitigation
 # - https://news.ycombinator.com/item?id=47956312
+
 blacklist af_alg
 install af_alg /usr/bin/false
@@ -22,3 +22,18 @@ install algif_rng /usr/bin/false
 blacklist algif_skcipher
 install algif_skcipher /usr/bin/false
+
+# esp4, esp6, and rxrpc are only used for IPsec-in-IPv4, IPsec-in-IPv6, and the
+# AF_RXRPC socket protocol (used by AFS/kAFS clients) respectively as none of which
+# are used on KDE Linux. Disabling them mitigates the dirtyfrag vulnerability.
+# See also:
+# - https://github.com/V4bel/dirtyfrag
+
+blacklist esp4
+install esp4 /usr/bin/false
+
+blacklist esp6
+install esp6 /usr/bin/false
+
+blacklist rxrpc
+install rxrpc /usr/bin/false
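Review bot: The new esp4/esp6/rxrpc stanzas in the second hunk pair `blacklist` with `install … /usr/bin/false` without saying why both lines are needed, so a later cleanup that drops one of them would silently weaken the hardening. `blacklist` only suppresses loading through module aliases (the route a socket()-triggered autoload takes), whereas the `install` line is what makes an explicit `modprobe esp4` fail, so I would put above the stanzas: `# "blacklist" only stops alias-based autoloading; "install ... /usr/bin/false" also rejects explicit modprobe requests. Keep both.` The last clause of the new comment is ungrammatical; `# AF_RXRPC socket protocol (used by AFS/kAFS clients) respectively; none of these are` followed by `# used on KDE Linux. Disabling them mitigates the dirtyfrag vulnerability.` reads cleanly. Neither directive has any effect if a future kernel build compiles these in rather than as modules, which is worth a one-line mention next to the dirtyfrag reference.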
diff --git a/mkosi.finalize.d/40-core.sh.chroot b/mkosi.finalize.d/40-core.sh.chroot
index 87cc36f..ad5afd5 100755
--- a/mkosi.finalize.d/40-core.sh.chroot
+++ b/mkosi.finalize.d/40-core.sh.chroot
@@ -162,16 +162,23 @@ mv /usr/lib/systemd/user/ydotool.service /usr/lib/systemd/system/ydotool.service
 # Delete af_alg et al. kernel modules; they're dangerous and unused by anything
 # relevant except for iwd and non-default cryptsetup algorithms, neither of which
-# are supported on KDE Linux.
+# are supported on KDE Linux. Also delete esp4, esp6, and rxrpc which are
+# exploitable via the dirtyfrag vulnerability and are only used for IPsec-in-IPv4, IPsec-in-IPv6, and the
+# AF_RXRPC socket protocol (used by AFS/kAFS clients) respectively as none of which
+# are used on KDE Linux.
 # See also:
 # - https://www.secwest.net/copyfail-mitigation
 # - https://news.ycombinator.com/item?id=47956312
+# - https://github.com/V4bel/dirtyfrag
 rm -rf \
     /usr/lib/modules/*/kernel/crypto/af_alg.ko.zst \
     /usr/lib/modules/*/kernel/crypto/algif_aead.ko.zst \
     /usr/lib/modules/*/kernel/crypto/algif_hash.ko.zst \
     /usr/lib/modules/*/kernel/crypto/algif_rng.ko.zst \
-    /usr/lib/modules/*/kernel/crypto/algif_skcipher.ko.zst
+    /usr/lib/modules/*/kernel/crypto/algif_skcipher.ko.zst \
+    /usr/lib/modules/*/kernel/net/ipv4/esp4.ko.zst \
+    /usr/lib/modules/*/kernel/net/ipv6/esp6.ko.zst \
+    /usr/lib/modules/*/kernel/net/rxrpc/rxrpc.ko.zst
 # Clean up final remnants of the build process
 rm -rf \
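Review bot: The three added `rm -rf` paths hard-code both the module location and the `.ko.zst` suffix, and `rm -rf` on a glob that matches nothing exits 0, so a kernel package that changes compression, moves the module, or builds it in (where neither this deletion nor the modprobe.d blacklist applies) would silently drop the dirtyfrag hardening from the image. Locating each module by name with `find` and failing the build when nothing is found keeps such a regression visible; the rewrite below also covers the existing af_alg entries, which share the weakness. The rewritten comment's `respectively as none of which are used` is ungrammatical and its second line overruns the surrounding comment width; `… respectively; none of these are used on KDE Linux.` reads better. I cannot see whether depmod is re-run after this deletion; if it is not, modules.dep and modules.alias will still reference the removed files, which is harmless but worth a comment. The enclosing script continues before and after this hunk.
```shell
# … unchanged: af_alg / dirtyfrag comment block and "See also" links …
# Locate each module by name rather than by a hard-coded path and compression
# suffix, and fail loudly if one is missing (renamed, or compiled in, in which
# case neither this deletion nor the modprobe.d blacklist would apply).
for mod in af_alg algif_aead algif_hash algif_rng algif_skcipher esp4 esp6 rxrpc; do
    found=$(find /usr/lib/modules -name "$mod.ko*")
    if [ -z "$found" ]; then
        echo "hardening: kernel module $mod not found under /usr/lib/modules" >&2
        exit 1
    fi
    printf '%s\n' "$found" | xargs rm -f
done
# … unchanged: "Clean up final remnants of the build process" block …
```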