Commit graph

10 commits

Author SHA1 Message Date
Clem
44af5b1a14
Add Kubernetes mitigation manifest
Adds a self-contained DaemonSet manifest under k8s/ that applies the
mitigation from the README (modprobe blacklist of esp4/esp6/rxrpc +
page-cache flush) to every Linux node in a Kubernetes cluster, and
re-applies it automatically on any new node that joins the cluster
(autoscaling, node-image upgrade, scale-set rolling update).

  - k8s/dirtyfrag-mitigation.yaml — single-file manifest applyable with
    kubectl apply -f. Uses an init container that nsenter's into PID 1
    to write /etc/modprobe.d/disable-dirtyfrag.conf, modprobe -r each
    module that has refcnt=0, and echo 3 > /proc/sys/vm/drop_caches.
    For any module that remains loaded with refcnt > 0, emits a single
    aggregated Warning Kubernetes Event on the Node (no auto-cordon).
    A long-running pause container keeps the pod Running so the init
    container is only re-executed on pod recreation.
  - k8s/README.md — apply / verify / revert instructions and
    compatibility notes (esp4/esp6 = IPsec, rxrpc = AFS).
  - README.md — short Kubernetes section in Mitigation pointing to k8s/.

Tested on AKS (Azure) running Kubernetes 1.30, in a production
environment across staging and production clusters.
2026-05-08 10:41:03 +02:00
V4bel
979a5d992d
Merge pull request #20 from Nriver/master
Update README: clarify page cache cleanup after exploit
2026-05-08 16:24:45 +09:00
Nate River
beeb925e30
Enhance mitigation instructions in README
Updated mitigation instructions to include clearing the page cache after removing vulnerable modules.
2026-05-08 13:49:44 +08:00
Nate River
f2796739b2
Update README: clarify page cache cleanup after exploit
2026-05-08 11:58:36 +08:00
V4bel
892d9a31d3
typo
2026-05-08 05:22:07 +09:00
V4bel
f351f5a0c2
typo
2026-05-08 05:15:10 +09:00
V4bel
3099b8a3c7
typo
2026-05-08 04:02:58 +09:00
V4bel
eb33132154
typo
2026-05-08 03:46:07 +09:00
V4bel
72f2b56c8b
typo
2026-05-08 03:22:01 +09:00
V4bel
ea8b2efd81
init
2026-05-08 03:18:15 +09:00