feat: add socket-restrict gadget to block AF_ALG in containers #110
Force-pushed e602907 to 20fe76b
Pull request overview
Adds a new socket-restrict eBPF/LSM gadget to deny AF_ALG socket usage inside containers (mitigating CVE-2026-31431), wires it into the micromize runtime, and extends the event/output + integration-test surface accordingly.
Changes:
- Introduces `gadgets/socket-restrict` with LSM hooks for `socket_create` + `socket_bind`, plus metadata (YAML/README).
- Extends event typing + CLI output formatting to recognize and display new socket-restrict events/fields.
- Adds integration probes and test cases to validate AF_ALG is blocked while normal TCP/UDP sockets still work.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/integration/probes/tcp_socket/main.go | Adds a probe verifying normal TCP/UDP socket creation still succeeds. |
| tests/integration/probes/af_alg_hash/main.go | Adds an AF_ALG hash probe to confirm restriction behavior. |
| tests/integration/probes/af_alg_aead/main.go | Adds an AF_ALG AEAD probe to confirm restriction behavior. |
| tests/integration/cases/10_normal_sockets.sh | Integration case for validating normal sockets aren’t blocked. |
| tests/integration/cases/09_af_alg_hash_restrict.sh | Integration case for validating AF_ALG hash is blocked. |
| tests/integration/cases/08_af_alg_aead_restrict.sh | Integration case for validating AF_ALG AEAD is blocked. |
| internal/operators/output.go | Adds descriptions and output formatting for new socket-restrict event fields. |
| internal/operators/operators.go | Adds new event type constants and reason-name mappings. |
| include/micromize/event_types.h | Adds two new event type enum values for socket-restrict. |
| gadgets/socket-restrict/program.bpf.h | Defines the socket-restrict event payload and constants. |
| gadgets/socket-restrict/program.bpf.c | Implements LSM hooks to block AF_ALG socket create/bind and emit events. |
| gadgets/socket-restrict/gadget.yaml | Declares datasource fields and eBPF parameters for the new gadget. |
| gadgets/socket-restrict/README.md | Documents the gadget purpose, hooks, and getting started command. |
| cmd/micromize/root.go | Registers the new gadget with the runtime registry. |
| cmd/micromize/embeds_dev.go | Adds a dev-build byte-slice placeholder for the new embedded gadget tar. |
| cmd/micromize/embeds.go | Embeds build/socket-restrict.tar into release builds. |
| README.md | Updates top-level README to mention the new socket restriction capability. |
| Makefile | Adds socket-restrict to the gadget build/push list and a run target. |
| Dockerfile | Ensures socket-restrict is built/exported in the image build pipeline. |
Force-pushed 20fe76b to a582914
Force-pushed a582914 to 55dfa24
Pull request overview
Adds a new socket-restrict eBPF gadget to block AF_ALG socket usage in containers, wiring it into the micromize runtime/event system and adding integration probes/cases to validate expected behavior.
Changes:
- Introduce `gadgets/socket-restrict` (LSM `socket_create` + `socket_bind`) and embed/register it in `micromize`.
- Extend event type plumbing (C header + Go operator mappings) and enhance CLI output with `alg_type`/`alg_name`.
- Add integration probes and shell cases for AF_ALG (AEAD/hash) blocking and “normal sockets still work” regression.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/integration/probes/tcp_socket/main.go | Adds a probe ensuring TCP/UDP socket creation still works. |
| tests/integration/probes/af_alg_hash/main.go | Adds an AF_ALG hash probe that expects denial (or denial at bind). |
| tests/integration/probes/af_alg_aead/main.go | Adds an AF_ALG AEAD probe that expects denial (or denial at bind). |
| tests/integration/cases/10_normal_sockets.sh | Integration case running the TCP/UDP probe in a container bundle. |
| tests/integration/cases/09_af_alg_hash_restrict.sh | Integration case running the AF_ALG hash probe. |
| tests/integration/cases/08_af_alg_aead_restrict.sh | Integration case running the AF_ALG AEAD probe. |
| internal/operators/output.go | Adds event descriptions + prints alg_type/alg_name when present. |
| internal/operators/operators.go | Adds new event type constants/names for AF_ALG create/bind. |
| include/micromize/event_types.h | Adds new event type enum values for socket-restrict. |
| gadgets/socket-restrict/program.bpf.h | Defines socket-restrict event layout and AF_ALG sockaddr offsets. |
| gadgets/socket-restrict/program.bpf.c | Implements LSM hooks to block AF_ALG create/bind and emit events. |
| gadgets/socket-restrict/gadget.yaml | Declares the gadget datasource fields and standard ebpf params. |
| gadgets/socket-restrict/README.md | Documents the gadget purpose and hooks. |
| cmd/micromize/root.go | Registers socket-restrict gadget in the runtime registry. |
| cmd/micromize/embeds_dev.go | Adds dev build bytes placeholder for socket-restrict gadget tar. |
| cmd/micromize/embeds.go | Embeds build/socket-restrict.tar for release builds. |
| README.md | Updates top-level README to mention socket restriction / AF_ALG mitigation. |
| Makefile | Adds socket-restrict to the gadget build/push/run lists. |
| Dockerfile | Builds/exports socket-restrict gadget alongside existing gadgets. |
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Force-pushed 55dfa24 to 638d6dc
Add socket-restrict gadget to block AF_ALG in containers
Summary
Adds a new `socket-restrict` eBPF gadget that blocks all `AF_ALG` (kernel crypto userspace API) socket usage inside containers. This mitigates CVE-2026-31431 (Copy Fail), a Linux kernel local privilege escalation in `algif_aead`, and protects against future bugs in adjacent kernel crypto API paths.
Motivation
CVE-2026-31431 allows an unprivileged container process to create an `AF_ALG` socket, bind to an AEAD algorithm, and exploit vulnerable `algif_aead` in-place handling to write attacker-controlled bytes into page cache, enabling privilege escalation or container escape. `AF_ALG` is rarely needed in containerized production workloads. Blocking it at the socket layer eliminates the entire attack surface without affecting normal networking or TLS/SSH/dm-crypt operations.
Implementation
BPF hooks:
- `lsm/socket_create` blocks `AF_ALG` socket creation — main choke point
- `lsm/socket_bind` blocks `AF_ALG` bind if a socket FD exists from before policy load. Preserves `alg_type`/`alg_name` for visibility
Event types:
- `EVENT_TYPE_SOCKET_AF_ALG_CREATE` (11)
- `EVENT_TYPE_SOCKET_AF_ALG_BIND` (12)
Files changed:
- `gadgets/socket-restrict/` (BPF program, gadget.yaml, README)
- `cmd/micromize/root.go`, `embeds.go`, `embeds_dev.go`
- `Makefile`, `Dockerfile`
- `include/micromize/event_types.h`, `internal/operators/operators.go`, `internal/operators/output.go`
- integration probes `af_alg_aead`, `af_alg_hash`, `tcp_socket`
Testing
- `go test ./...` — all unit tests pass
- `go build ./cmd/micromize` — dev binary builds
- `make build-gadgets` — eBPF gadget compiles successfully
- `make build-all` — release binary with embedded gadgets builds
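As an added example, not code from this PR or from the micromize project: a userspace probe in C in the spirit of the `af_alg_hash`/`tcp_socket` integration probes. It carries a local mirror of `struct sockaddr_alg` (family, type, feat, mask, name; 88 bytes), the layout whose `salg_type`/`salg_name` fields the bind hook parses into `alg_type`/`alg_name`, attempts create + bind for `hash`/`sha256`, and classifies the outcome. The struct and the `AF_ALG` value are defined locally so the file builds without Linux headers; the example assumes the hooks reject with EPERM or EACCES, which the page does not state, and `alg_addr`, `classify` and `probe_af_alg` are names chosen here, not the project's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* AF_ALG's value from linux/socket.h, defined locally (assumption for
 * portability) so the file also builds where <linux/if_alg.h> is absent. */
#ifndef AF_ALG
#define AF_ALG 38
#endif

/* Local mirror of struct sockaddr_alg (linux/if_alg.h). A bind hook that reads
 * the algorithm type/name sees salg_type at offset 2 and salg_name at offset
 * 24 of an 88-byte address; a probe has to match exactly that layout. */
struct alg_addr {
    uint16_t salg_family;   /* AF_ALG */
    uint8_t  salg_type[14]; /* "hash", "aead", "skcipher", ... NUL-terminated */
    uint32_t salg_feat;
    uint32_t salg_mask;
    uint8_t  salg_name[64]; /* "sha256", "gcm(aes)", ... NUL-terminated */
};

enum probe_result {
    PROBE_DENIED_AT_CREATE = 0, /* socket() refused: a socket_create hook fired */
    PROBE_DENIED_AT_BIND   = 1, /* socket() allowed, bind() refused: a socket_bind hook fired */
    PROBE_ALLOWED          = 2, /* create and bind both succeeded: no restriction in effect */
    PROBE_UNSUPPORTED      = 3, /* kernel has no AF_ALG at all */
    PROBE_ERROR            = 4  /* other failure, e.g. ENOENT for an unknown algorithm */
};

static const char *probe_result_name(enum probe_result r)
{
    switch (r) {
    case PROBE_DENIED_AT_CREATE: return "denied at create";
    case PROBE_DENIED_AT_BIND:   return "denied at bind";
    case PROBE_ALLOWED:          return "allowed";
    case PROBE_UNSUPPORTED:      return "AF_ALG unsupported";
    default:                     return "error";
    }
}

/* Fill a sockaddr_alg; rejects a type/name that would not leave room for the NUL. */
static int build_alg_addr(struct alg_addr *a, const char *type, const char *name)
{
    size_t tl = strlen(type), nl = strlen(name);
    if (tl >= sizeof(a->salg_type) || nl >= sizeof(a->salg_name))
        return -1;
    memset(a, 0, sizeof(*a));
    a->salg_family = AF_ALG;
    memcpy(a->salg_type, type, tl);
    memcpy(a->salg_name, name, nl);
    return 0;
}

/* Pure mapping from the two errno values to a verdict, testable without a
 * kernel. Assumes a deny surfaces as EPERM (EACCES is accepted as well). */
static enum probe_result classify(int create_errno, int bind_errno)
{
    if (create_errno == EAFNOSUPPORT || create_errno == EPROTONOSUPPORT)
        return PROBE_UNSUPPORTED;
    if (create_errno == EPERM || create_errno == EACCES)
        return PROBE_DENIED_AT_CREATE;
    if (create_errno != 0)
        return PROBE_ERROR;
    if (bind_errno == EPERM || bind_errno == EACCES)
        return PROBE_DENIED_AT_BIND;
    return bind_errno == 0 ? PROBE_ALLOWED : PROBE_ERROR;
}

/* Create + bind for one algorithm, the same two steps the two LSM hooks cover. */
static enum probe_result probe_af_alg(const char *type, const char *name)
{
    struct alg_addr addr;
    if (build_alg_addr(&addr, type, name) != 0)
        return PROBE_ERROR;
    int fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd < 0)
        return classify(errno, 0);
    int bind_errno = bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ? errno : 0;
    close(fd);
    return classify(0, bind_errno);
}

int main(void)
{
    enum probe_result r = probe_af_alg("hash", "sha256");
    printf("AF_ALG hash/sha256: %s\n", probe_result_name(r));
    /* exit 0 only when the restriction is in effect, so a CI case can gate on it */
    return (r == PROBE_DENIED_AT_CREATE || r == PROBE_DENIED_AT_BIND) ? 0 : 1;
}
```

Run it once without the gadget (expect `allowed`) and once with it loaded (expect `denied at create`; only a socket FD created before the policy was loaded should reach `denied at bind`). A bare EPERM from `socket()` can also come from seccomp or another LSM, so it is the before/after comparison, not a single run, that attributes the denial to the gadget.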