fix: remove AzureLinux 3.0 modprobe LPE blacklist (CSE-time + VHD bake-in) — kernel 6.6.139.1-1.azl3+ fixes upstream#8546
Merged
Conversation
Kernel 6.6.139.1-1.azl3 and later fix Copy Fail (CVE-2026-31431), DirtyFrag (CVE-2026-43284, CVE-2026-43500), and Fragnesia (CVE-2026-46300) upstream, so the runtime modprobe blacklist for algif_aead/esp4/esp6/rxrpc is no longer required on AzureLinux 3.0. Defense-in-depth: the static modprobe-CIS.conf baked into every VHD is left untouched, so all VHDs in the 6-month support window still drop the install/blacklist directives at build time regardless of kernel version. Ubuntu 22.04/24.04 and AzureLinux 2.0 (Mariner) keep the runtime apply: their upstream kernel does not yet ship the fix. Windows was never affected. Updates: * parts/linux/cloud-init/artifacts/cse_main.sh - gate is now isUbuntu || isMariner (was isUbuntu || isMarinerOrAzureLinux). * spec/.../cse_main_disable_modules_spec.sh - new tests asserting APPLY on Ubuntu/Mariner and SKIP on AzureLinux 3.0 / Kata / ACL / Flatcar. * e2e/validators.go - ValidateVulnerableKernelModulesDisabled is OS-conditional: full presence + load-refusal check on Ubuntu/Mariner, defense-in-depth modprobe.d entry presence-only check on AzureLinux. Refs: Azure/AKS#5753 AB#38070527 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
djsly
requested review from
AbelHu,
Devinwong,
SriHarsha001,
awesomenix,
calvin197,
cameronmeissner,
ganeshkumarashok,
junjiezhang1997,
lilypan26,
mxj220,
pdamianov-dev,
phealy,
r2k1,
sulixu,
surajssd,
timmy-wright and
zachary-bailey
as code owners
djsly
commented
May 21, 2026
djsly
commented
May 21, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adjusts the Linux CSE-time CVE kernel-module mitigation behavior to skip the runtime modprobe blacklist on AzureLinux 3.0 (relying on the upstream kernel fix in 6.6.139.1-1.azl3+), while keeping Ubuntu and Mariner behavior unchanged and retaining the baked-in modprobe-CIS.conf defense-in-depth approach.
Changes:
- Gate CSE-time
disableVulnerableKernelModulecalls to Ubuntu + Mariner only, excluding AzureLinux 3.0. - Add ShellSpec coverage to assert the OS gating behavior (APPLY vs SKIP) across key OS variants.
- Make the e2e vulnerable-module validator OS-conditional, doing a presence-only modprobe.d check on AzureLinux 3.0 and the full “present + not loaded + modprobe refused” checks elsewhere.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| parts/linux/cloud-init/artifacts/cse_main.sh | Updates the OS gate so AzureLinux 3.0 skips the runtime module-disable calls while Ubuntu/Mariner still apply them. |
| spec/parts/linux/cloud-init/artifacts/cse_main_disable_modules_spec.sh | Adds unit tests validating the new OS gate behavior. |
| e2e/validators.go | Makes the vulnerable-module validation logic conditional for AzureLinux 3.0 vs other distros. |
Customers reported that the algif_aead / esp4 / esp6 / rxrpc modprobe blacklist baked into AzureLinux 3.0 VHDs blocks legitimate workloads. Now that kernel 6.6.139.1-1.azl3+ fixes Copy Fail / DirtyFrag / Fragnesia upstream, the bake-in is no longer needed on AzL3. Changes: - packer_source.sh: skip cpAndMode of MODPROBE_CIS on AzureLinux 3.0 (Ubuntu and Mariner bake-in unchanged — those kernels still vulnerable). - linux-vhd-content-test.sh: testVulnerableKernelModulesDisabled now asserts the four entries are ABSENT on AzL3 and present + load-refused on Ubuntu/Mariner. - e2e/validators.go: ValidateVulnerableKernelModulesDisabled now asserts absence on AzureLinux (matching newly-built VHDs); Ubuntu/Mariner full presence+refusal check unchanged. - cse_main.sh: updated AzL3 skip comment to reflect that the static blacklist file is no longer baked in either; existing in-support AzL3 VHDs continue to carry the bake-in until they roll (no CSE-time active removal — by design). No CSE-time active removal of pre-existing blacklist files is implemented; customers on existing in-support AzL3 VHDs will get the unblocked configuration on their next AzL3 VHD upgrade. AB#38070527 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
djsly
changed the title
Addresses review feedback: - cse_main.sh: drop unused isMariner branch from the modprobe blacklist gate (AKS does not build Mariner VHDs anymore). - cse_main_disable_modules_spec.sh: update spec cases to match the new gate — Ubuntu APPLY; AzL3/Mariner/Kata/ACL/Flatcar SKIP. - validators.go: refresh the top-level doc comment on ValidateVulnerableKernelModulesDisabled to describe the OS-conditional behavior accurately (Ubuntu: full presence + load-refusal; AzureLinux: ABSENCE of blacklist entries). AB#38070527 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Per Sylvain's follow-up review on commit e1ae35c: the isMariner branch restored in that commit is dead code — verified that AKS stopped building Mariner (AzL2) VHDs on 2025-12-06 and the active build pipeline (.pipelines/.vsts-vhd-builder-release.yaml) only references buildAzureLinuxV3*, buildAzureLinuxOSGuardV3*, and buildflatcar* parameters (no buildMariner*). The mitigation is also already baked into modprobe-CIS.conf on every in-support Mariner VHD, so the runtime apply was purely defense-in-depth duplicating the bake-in. Gate is now: isUbuntu || isAzureLinuxOSGuard. This unconditionally drops the mitigation runtime-apply on Mariner nodes that might scale up via CRP-served CSE during the remaining ~16 days of Mariner VHD support (last build's 6-month window expires ~2026-06). That is acceptable because: 1. The static bake-in in /etc/modprobe.d/modprobe-CIS.conf on the VHD itself remains in place on all in-support Mariner VHDs. 2. Mariner support fully sunsets in ~2 weeks. Updates: * cse_main.sh: gate simplified; comment rewritten with full Mariner rationale. * cse_main_disable_modules_spec.sh: Mariner / Mariner-Kata cases flipped from APPLY to SKIP. 13/13 still pass. AB#38070527 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Address Copilot reviewer feedback on commit 6b470f9: * e2e/validators.go: the 'append the module name to the list below' comment was added before this PR introduced two separate module lists (AzL3-absence branch + default presence/load-refusal branch). Clarify that BOTH lists must be updated when adding a new CVE. * linux-vhd-content-test.sh: same issue — testVulnerableKernelModulesDisabled now has two loops (AzL3-absence + default). Update the comment to say BOTH must be appended. No functional changes — comment-only. AB#38070527 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
awesomenix
reviewed
May 21, 2026
awesomenix
approved these changes
May 21, 2026
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
…ment Address Copilot reviewer feedback on commit e12170c: the lead-in comment said the mitigation is applied on "Ubuntu and AzureLinux OSGuard", but the gate also applies on AzL2/Mariner (covered by the detailed paragraph below). Update the summary line so the first line of the comment block accurately reflects all three apply targets. No functional change. AB#38070527 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
cameronmeissner
approved these changes
May 22, 2026
Devinwong
approved these changes
May 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three kernel LPE vulnerabilities tracked in Azure/AKS#5753 are now fixed upstream in the AzureLinux 3.0 kernel as of
6.6.139.1-1.azl3. The corresponding modprobe blacklist mitigations are no longer required on AzureLinux 3.0 and have been fully descoped on that OS — both the CSE-time runtime apply and the VHD-build bake-in.algif_aeadesp4,esp6,rxrpcesp4,esp6(covered by DirtyFrag)Decision rationale
Initial iteration of this PR kept the four
install <mod> /bin/false+blacklist <mod>entries baked into AzureLinux 3.0 VHDs as defense-in-depth, removing only the CSE-time runtime apply. Customer feedback during review made it clear that legitimate AzL3 workloads require some of those kernel modules (notably theesp*modules for IPsec/XFRM use cases andrxrpcfor AFS-style RPC see cilium/cilium#46023). With the upstream kernel fix shipping, keeping the blacklist baked in is no longer defense-in-depth — it is an active regression. This PR therefore removes the bake-in on AzureLinux 3.0 too.Scope
OS_VERSION=2.0)202512.06.0— cannot deliver new bake-in via VHD refresh, so the runtime apply is retained as the only mitigation pathazurelinux,azurelinux-kata)6.6.139.1-1.azl3+ fixes all three CVEs; blacklist blocks legitimate workloadsWhat this PR does NOT do
The four-module blacklist will simply not be present on newly-built AzL3 VHDs going forward. Existing in-support AzL3 VHDs (built before this change merges) keep the baked-in
/etc/modprobe.d/CIS.confblacklist entries. We did not add a CSE-timermor rewrite-on-boot path that would actively scrub pre-existing blacklist files on already-deployed nodes — that was considered and explicitly rejected to avoid mutating in-place security configuration on already-provisioned fleet. Affected customers will pick up the unblocked configuration when they roll their node pools to a newer AzL3 VHD.Backward-compat analysis (6-month VHD window)
/etc/modprobe.d/CIS.confis left in place. Net effect: the four modules remain blocked on old AzL3 VHDs until the customer rolls. Kernel-fix-only mitigation kicks in once they upgrade.disableVulnerableKernelModulefor the four modules and written/etc/modprobe.d/disable-<mod>.confdrop-ins itself. Until both pieces (new CSE and new VHD) are in the field for an AzL3 customer, the runtime CSE writes will still block. Once both ship, customers requiring those modules on AzL3 see the unblocked configuration.Final CSE-time OS gate
Applies on: Ubuntu (all), AzureLinux OSGuard, AzureLinux 2.0 / Mariner. Skips on: AzureLinux 3.0 regular/Kata, ACL, Flatcar.
Files changed
parts/linux/cloud-init/artifacts/cse_main.shisUbuntu || isAzureLinuxOSGuard || (isMarinerOrAzureLinux && OS_VERSION=2.0). Drops AzL3 regular/Kata (kernel fixed); keeps Ubuntu, OSGuard, and AzL2/Mariner (the latter because its VHD image is frozen and can't deliver new bake-ins). Comment block rewritten with full rationale.vhdbuilder/packer/packer_source.shcpAndMode $MODPROBE_CIS_SRC …now wrapped inif isAzureLinux "$OS" "$OS_VARIANT" && [ "${OS_VERSION}" = "3.0" ] && ! isAzureLinuxOSGuard …skip → else copy. OSGuard explicitly retains the bake-in. Ubuntu, Mariner, ACL, Flatcar paths unchanged byte-for-byte.vhdbuilder/packer/test/linux-vhd-content-test.shtestVulnerableKernelModulesDisabledtakes$OS_SKU $OS_VERSIONand asserts ABSENCE of bothinstall <mod> /bin/falseandblacklist <mod>directives on AzL3 (os_sku=AzureLinux && os_version=3.0), presence + load-refusal otherwise. OSGuard'sOS_SKUisAzureLinuxOSGuard— distinct fromAzureLinux— so it falls through to the full presence check correctly.e2e/validators.goValidateVulnerableKernelModulesDisabledis now OS-conditional: AzL3 regular (NOT OSGuard, via!s.VHD.Distro.IsAzureLinuxOSGuardDistro()) asserts absence of bothinstallandblacklistdirectives; Ubuntu and OSGuard fall through to the full presence + load-refusal check.spec/parts/linux/cloud-init/artifacts/cse_main_disable_modules_spec.sh#!/usr/bin/env shellspec. New OS-gate test suite covering Ubuntu APPLY, OSGuard APPLY, Mariner-2.0 APPLY, AzL3 regular/Kata SKIP, ACL SKIP, Flatcar SKIP. Existing unit tests fordisableVulnerableKernelModule()are unchanged.parts/linux/cloud-init/artifacts/modprobe-CIS.confTest plan
shellspec --shell bash spec/parts/linux/cloud-init/artifacts/cse_main_disable_modules_spec.sh— all cases pass.cd e2e && go build ./...— clean.bash -nsyntax-check onpacker_source.sh,linux-vhd-content-test.sh,cse_main.sh.testVulnerableKernelModulesDisabled AzureLinux 3.0must PASS with all four modules absent (bothinstallandblacklistdirectives).Related
6.6.139.1-1.azl3upstream fix🤖 Generated with GitHub Copilot CLI