Commit b52751e

Dockerfile: address review on strip-exploit-modules patch
Reword the comment: "modules used only as exploit paths" implied they were written to be exploited. Reframe as "unused in the VM but expose known CVEs".

Move the strip logic into /usr/local/lib/strip-exploit-modules.sh. The sed payload reduces to a single source injection, and the module list becomes a real loop.

Verified on aarch64: rebuilt the builder image and a fresh std ISO; boot/modloop-virt has the four modules absent and modules.dep clean.

Signed-off-by: Jan Dubois <jan.dubois@suse.com>
1 parent 745597a commit b52751e

1 file changed

Lines changed: 12 additions & 6 deletions

Dockerfile
@@ -40,11 +40,17 @@ RUN \
4040
# Remove --no-chown which is deprecated in apk 3.0 as alias for --usermode (disallowed as root)
4141
RUN sed -i 's/--initdb --no-chown/--initdb/' /home/build/aports/scripts/mkimage.sh
4242

43-
# Strip kernel modules used only as exploit paths (CVE-2026-43284 dirtyfrag
44-
# esp4/esp6; CVE-2026-43500 dirtyfrag rxrpc; CVE-2026-31431 copy.fail
45-
# algif_aead). update-kernel has no exclude flag, so we delete the .ko files
46-
# from $ROOTFS before the cp -a into $MODLOOP, then re-run depmod to keep
47-
# modules.dep consistent.
48-
RUN sed -i 's|^cp -a $ROOTFS/lib/modules $MODLOOP$|find "$ROOTFS/lib/modules/$KVER/kernel" \\( -name "esp4.ko*" -o -name "esp6.ko*" -o -name "rxrpc.ko*" -o -name "algif_aead.ko*" \\) -delete\n$MOCK depmod -b $ROOTFS "$KVER"\n&|' /usr/sbin/update-kernel
43+
# Strip kernel modules that are unused in the VM but expose known CVEs
44+
# (CVE-2026-43284 dirtyfrag esp4/esp6; CVE-2026-43500 dirtyfrag rxrpc;
45+
# CVE-2026-31431 copy.fail algif_aead). update-kernel has no exclude
46+
# flag, so we inject a hook before its `cp -a ... $MODLOOP` line; depmod
47+
# re-runs to keep modules.dep consistent.
48+
RUN cat > /usr/local/lib/strip-exploit-modules.sh <<'EOF'
49+
for mod in esp4 esp6 rxrpc algif_aead; do
50+
find "$ROOTFS/lib/modules/$KVER/kernel" -name "$mod.ko*" -delete
51+
done
52+
$MOCK depmod -b "$ROOTFS" "$KVER"
53+
EOF
54+
RUN sed -i 's|^cp -a $ROOTFS/lib/modules $MODLOOP$|. /usr/local/lib/strip-exploit-modules.sh\n&|' /usr/sbin/update-kernel
4955
WORKDIR /home/build/aports/scripts
5056
ENTRYPOINT ["sh", "./mkimage.sh"]
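Review bot: the final `RUN sed -i 's|^cp -a $ROOTFS/lib/modules $MODLOOP$|. /usr/local/lib/strip-exploit-modules.sh\n&|' /usr/sbin/update-kernel` fails open: if the `cp -a` line in update-kernel is ever reworded or quoted upstream, the pattern matches nothing, sed still exits 0, the image builds, and the four modules ship in modloop with no sign the hook was skipped. Add a guard right after it, e.g. `RUN grep -q '^\. /usr/local/lib/strip-exploit-modules.sh$' /usr/sbin/update-kernel`, so the build aborts instead of silently regressing. Two smaller points on the sourced script: `find "$ROOTFS/lib/modules/$KVER/kernel" -name "$mod.ko*" -delete` is equally silent when a name matches nothing, so a typo in the module list goes unnoticed, and removing esp4/esp6/rxrpc leaves any dependents the kernel config happens to build as modules (esp4_offload/esp6_offload, kafs, if present) with unresolved symbols that `depmod` reports only as warnings; either add those to the loop or capture depmod's stderr and fail on "unknown symbol". Lastly, the `cat > ... <<'EOF'` heredoc inside a RUN requires BuildKit's Dockerfile heredoc support (frontend 1.4 or later); if the Dockerfile carries no `# syntax=` directive, builders without that support will reject the RUN, which is worth a one-line comment or the directive.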
