Disable and remove af_alg kernel module

It's a source of vulnerability, most recently the "Copy Fail" vulnerability (CVE-2026-31431). That one is already fixed, but according to Google crypto guy Eric Biggers [1], it's vulnerable by design. The only significant things it's used for (iwd and non-default cryptsetup algorithms) aren't supported in KDE Linux, so let's disable and remove this functionality. [1] https://news.ycombinator.com/item?id=47956312
2026-05-25 00:39:30 -04:00 · 2026-05-03 11:53:12 -06:00
parent 5f9ef707dd
commit 4fa05d179b
2 changed files with 38 additions and 0 deletions
--- a/mkosi.extra/usr/lib/modprobe.d/99-kde-linux-security.conf
+++ b/mkosi.extra/usr/lib/modprobe.d/99-kde-linux-security.conf
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
+# SPDX-FileCopyrightText: none
+
+# af_alg et al are dangerous and unused by anything relevant except for iwd and
+# non-default cryptsetup algorithms, neither of which are supported on KDE Linux.
+# disable these things to reduce our attack surface.
+
+# See also:
+# - https://www.secwest.net/copyfail-mitigation
+# - https://news.ycombinator.com/item?id=47956312
+blacklist af_alg
+install af_alg /usr/bin/false
+
+blacklist algif_aead
+install algif_aead /usr/bin/false
+
+blacklist algif_hash
+install algif_hash /usr/bin/false
+
+blacklist algif_rng
+install algif_rng /usr/bin/false
+
+blacklist algif_skcipher
+install algif_skcipher /usr/bin/false
--- a/mkosi.finalize.d/40-core.sh.chroot
+++ b/mkosi.finalize.d/40-core.sh.chroot
@@ -160,6 +160,20 @@ fi
 # enabled by default and requires authentication to manually enable.
 mv /usr/lib/systemd/user/ydotool.service /usr/lib/systemd/system/ydotool.service

+# Delete af_alg et al. kernel modules; they're dangerous and unused by anything
+# relevant except for iwd and non-default cryptsetup algorithms, neither of which
+# are supported on KDE Linux.
+# See also:
+# - https://www.secwest.net/copyfail-mitigation
+# - https://news.ycombinator.com/item?id=47956312
+KERNEL_MODULES_DIR="/usr/lib/modules/$(uname -r)/kernel/crypto"
+rm -rf \
+    "$KERNEL_MODULES_DIR"/af_alg.ko.zst \
+    "$KERNEL_MODULES_DIR"/algif_aead.ko.zst \
+    "$KERNEL_MODULES_DIR"/algif_hash.ko.zst \
+    "$KERNEL_MODULES_DIR"/algif_rng.ko.zst \
+    "$KERNEL_MODULES_DIR"/algif_skcipher.ko.zst
+
 # Clean up final remnants of the build process
 rm -rf \
    /buildroot \