From 4fa05d179b801f332b876b21771979ecd127eef2 Mon Sep 17 00:00:00 2001
From: Nate Graham
Date: Sun, 3 May 2026 11:53:12 -0600
Subject: [PATCH] Disable and remove af_alg kernel module

It's a source of vulnerability, most recently the "Copy Fail" vulnerability (CVE-2026-31431). That one is already fixed, but according to Google crypto guy Eric Biggers [1], it's vulnerable by design. The only significant things it's used for (iwd and non-default cryptsetup algorithms) aren't supported in KDE Linux, so let's disable and remove this functionality. [1] https://news.ycombinator.com/item?id=47956312
---
 .../lib/modprobe.d/99-kde-linux-security.conf | 24 +++++++++++++++++++
 mkosi.finalize.d/40-core.sh.chroot | 14 +++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 mkosi.extra/usr/lib/modprobe.d/99-kde-linux-security.conf
diff --git a/mkosi.extra/usr/lib/modprobe.d/99-kde-linux-security.conf b/mkosi.extra/usr/lib/modprobe.d/99-kde-linux-security.conf
new file mode 100644
index 0000000..821938e
--- /dev/null
+++ b/mkosi.extra/usr/lib/modprobe.d/99-kde-linux-security.conf
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
+# SPDX-FileCopyrightText: none
+
+# af_alg et al are dangerous and unused by anything relevant except for iwd and
+# non-default cryptsetup algorithms, neither of which are supported on KDE Linux.
+# disable these things to reduce our attack surface.
+
+# See also:
+# - https://www.secwest.net/copyfail-mitigation
+# - https://news.ycombinator.com/item?id=47956312
+blacklist af_alg
+install af_alg /usr/bin/false
+
+blacklist algif_aead
+install algif_aead /usr/bin/false
+
+blacklist algif_hash
+install algif_hash /usr/bin/false
+
+blacklist algif_rng
+install algif_rng /usr/bin/false
+
+blacklist algif_skcipher
+install algif_skcipher /usr/bin/false
diff --git a/mkosi.finalize.d/40-core.sh.chroot b/mkosi.finalize.d/40-core.sh.chroot
index 1e5c765..74693a7 100755
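Review bot: The new 99-kde-linux-security.conf does not say why each module gets both a `blacklist` and an `install` line, and the two are not interchangeable. Per modprobe.d(5), `blacklist` only makes modprobe ignore the module's internal aliases, so a load requested by module name still succeeds; it is the `install <module> /usr/bin/false` override that makes every modprobe-driven load fail. I would add a comment above the first pair, for example `# "blacklist" only suppresses alias-based autoloading; the "install" override is what blocks loading by name, so keep both.`, so a later cleanup does not drop the `install` lines as redundant. Worth noting in the same comment that neither line has any effect if a future kernel config builds these in rather than as modules.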
--- a/mkosi.finalize.d/40-core.sh.chroot
+++ b/mkosi.finalize.d/40-core.sh.chroot
@@ -160,6 +160,20 @@ fi
 # enabled by default and requires authentication to manually enable.
 mv /usr/lib/systemd/user/ydotool.service /usr/lib/systemd/system/ydotool.service
 
+# Delete af_alg et al. kernel modules; they're dangerous and unused by anything
+# relevant except for iwd and non-default cryptsetup algorithms, neither of which
+# are supported on KDE Linux.
+# See also:
+# - https://www.secwest.net/copyfail-mitigation
+# - https://news.ycombinator.com/item?id=47956312
+KERNEL_MODULES_DIR="/usr/lib/modules/$(uname -r)/kernel/crypto"
+rm -rf \
+ "$KERNEL_MODULES_DIR"/af_alg.ko.zst \
+ "$KERNEL_MODULES_DIR"/algif_aead.ko.zst \
+ "$KERNEL_MODULES_DIR"/algif_hash.ko.zst \
+ "$KERNEL_MODULES_DIR"/algif_rng.ko.zst \
+ "$KERNEL_MODULES_DIR"/algif_skcipher.ko.zst
+
 # Clean up final remnants of the build process
 rm -rf \
 /buildroot \
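Review bot: `$(uname -r)` in `KERNEL_MODULES_DIR` reports the kernel running on the build host, not the kernel installed in the image, because this script runs in a chroot. When the two differ the path does not exist and `rm -rf` exits 0 without deleting anything, so the modules ship anyway. The hard-coded `.ko.zst` suffix has the same silent-miss problem if the kernel package ever changes module compression. I would glob over every tree under `/usr/lib/modules` and fail the build when nothing was removed, as sketched below. If no later step regenerates `modules.dep`, a `depmod` run for the image kernel is needed as well; the rest of the script is outside this hunk, so I cannot tell.

```shell
# … unchanged: explanatory comment block …
removed=0
for module in af_alg algif_aead algif_hash algif_rng algif_skcipher; do
    # Match every installed kernel tree and any compression suffix.
    for path in /usr/lib/modules/*/kernel/crypto/"$module".ko*; do
        [ -e "$path" ] || continue
        rm -f -- "$path"
        removed=1
    done
done
if [ "$removed" -eq 0 ]; then
    echo "no af_alg/algif_* modules found to remove; has the module layout changed?" >&2
    exit 1
fi
```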