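---
# Node-level mitigation for CVE-2026-43284 / CVE-2026-43500 ("CopyFail2"):
# on every node, install a modprobe.d override that blocks loading of the
# esp4, esp6 and rxrpc kernel modules, unload them if they are currently
# loaded, and verify the result. The work is done by a privileged init
# container; the pause container only keeps the pod alive so the DaemonSet
# stays "Ready" and the mitigation is re-applied if the pod is recreated.
#
# A non-zero exit of the init container puts the pod into CrashLoopBackOff,
# which is the intended, visible failure signal for a node where the
# mitigation could not be applied.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: dirty-flag-copyfail2-mitigation
  namespace: kube-system
  labels:
    app: dirty-flag-copyfail2-mitigation
    security: vulnerability-mitigation
spec:
  selector:
    matchLabels:
      app: dirty-flag-copyfail2-mitigation
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: dirty-flag-copyfail2-mitigation
    spec:
      volumes:
        # Host root filesystem. The script writes only under
        # /etc/modprobe.d and reads /etc/hostname and /lib/modules.
        - name: host-root
          hostPath:
            path: /
            type: Directory
      # NOTE(review): the script below does not depend on the host PID
      # namespace (loaded-module state is kernel-global); kept from the
      # original manifest — confirm whether it can be dropped.
      hostPID: true
      priorityClassName: system-node-critical
      # Schedule on every node, including tainted ones.
      tolerations:
        - operator: Exists
          effect: NoExecute
        - operator: Exists
          effect: NoSchedule
      initContainers:
        - name: mitigation
          # Pinned by tag; pinning by digest would additionally protect
          # against tag re-pushes.
          image: busybox:1.36.1
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -e
              MODULES="esp4 esp6 rxrpc"
              MODPROBE_CONF=/host_root/etc/modprobe.d/disable-esp-rxrpc.conf

              # is_loaded MODULE: exit status 0 when MODULE is currently loaded.
              # Reads /proc/modules directly instead of 'chroot /host_root lsmod':
              # loaded modules are kernel-global, so the container's /proc shows
              # the same list, and a failure to read the list aborts the script
              # instead of being silently reported as "not loaded".
              is_loaded() {
                if [ ! -r /proc/modules ]; then
                  echo "ERROR: /proc/modules is not readable; cannot determine module state"
                  exit 1
                fi
                grep -q "^$1 " /proc/modules
              }

              echo "-----------------------------------------"
              echo "CVE-2026-43284, CVE-2026-43500, CopyFail2 Mitigation"
              echo "Hostname: $(cat /host_root/etc/hostname 2>/dev/null)"
              echo "Date: $(date)"
              echo "-----------------------------------------"
              echo ""
              echo "Checking loaded vulnerable modules"
              for mod in ${MODULES}; do
                if is_loaded "${mod}"; then
                  echo "Module ${mod} is loaded"
                else
                  echo "Module ${mod} is not loaded"
                fi
              done
              echo ""

              # A module compiled into the kernel (=y) never shows up as loaded
              # and cannot be blocked via modprobe.d, so the final "properly
              # blocked" message would be misleading on such a host. Warn when
              # the kernel's builtin list says so; skip if the list is absent.
              BUILTIN_LIST="/host_root/lib/modules/$(uname -r)/modules.builtin"
              if [ -r "${BUILTIN_LIST}" ]; then
                for mod in ${MODULES}; do
                  if grep -q "/${mod}\.ko" "${BUILTIN_LIST}"; then
                    echo "WARNING: ${mod} is built into the running kernel; modprobe.d cannot block it"
                  fi
                done
              fi
              echo ""

              echo "Creating modprobe configuration"
              mkdir -p /host_root/etc/modprobe.d
              # 'install <mod> /bin/false' rejects both explicit modprobe calls
              # and kernel-initiated autoload requests; a plain 'blacklist' line
              # would only stop alias-based autoloading.
              for mod in ${MODULES}; do
                echo "install ${mod} /bin/false"
              done > "${MODPROBE_CONF}"
              echo "Created /etc/modprobe.d/disable-esp-rxrpc.conf"
              echo ""

              echo "Unloading vulnerable modules if loaded..."
              for mod in ${MODULES}; do
                if is_loaded "${mod}"; then
                  # rmmod only needs CAP_SYS_MODULE (granted by privileged: true)
                  # and no host filesystem access, so no chroot is required.
                  # A failure here is reported as such (typically "module in
                  # use") rather than as "was not loaded"; the verification
                  # step below then fails the run.
                  if rmmod "${mod}" 2>/dev/null; then
                    echo "Module ${mod} unloaded successfully"
                  else
                    echo "ERROR: Module ${mod} is loaded but could not be unloaded"
                  fi
                else
                  echo "Module ${mod} was not loaded"
                fi
              done
              echo ""

              echo "Check configuration file exist"
              if [ -f "${MODPROBE_CONF}" ]; then
                echo "Configuration file exists"
              else
                echo "ERROR: Configuration file not found"
                exit 1
              fi
              echo ""

              echo "Verifying if the vulnerability is resolved"
              STILL_LOADED=""
              for mod in ${MODULES}; do
                if is_loaded "${mod}"; then
                  echo "ERROR: Module ${mod} is still loaded"
                  STILL_LOADED="${STILL_LOADED} ${mod}"
                else
                  echo "Module ${mod} is properly blocked"
                fi
              done
              if [ -n "${STILL_LOADED}" ]; then
                echo "ERROR: Some modules are still loaded:${STILL_LOADED}"
                exit 1
              fi
              echo ""

              echo "---------------------------------------"
              echo "CVE-2026-43284, CVE-2026-43500, CopyFail2 mitigation applied successfully"
              echo "---------------------------------------"
          # privileged is required for rmmod (CAP_SYS_MODULE) and for writing
          # to the host's /etc/modprobe.d through the hostPath mount.
          securityContext:
            privileged: true
            runAsUser: 0
          volumeMounts:
            - name: host-root
              mountPath: /host_root
          resources:
            requests:
              cpu: 10m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 128Mi
      containers:
        # Placeholder main container: does nothing, keeps the pod running.
        - image: "registry.k8s.io/pause:3.10.1"
          name: pause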