#!/bin/bash
# solution de contournement du DirtyFrag (CVE-2026-43284 et CVE-2026-43500)

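# Files owned by this workaround. Both are created and removed only by this
# script, so re-creating them with '>' clobbers nothing but our own content.
MODPROBE_CONF=/etc/modprobe.d/eole-dirtyfrag.conf
SYSCTL_CONF=/etc/sysctl.d/99-eole-dirtyfrag.conf
REBOOT_FLAG=/var/run/reboot-required

# has_line FILE LINE
# True when LINE occurs in FILE. Fixed-string match (-F), so the '.' in the
# sysctl key is literal; quiet and false when FILE does not exist yet (-s).
has_line() {
    grep -qsF -- "$2" "$1"
}

# drop_line FILE LINE
# Delete every line of FILE containing LINE. LINE is handed to sed as a
# regex, so it must not contain regex metacharacters or the '#' delimiter
# (callers only pass the fixed "install <module> /bin/false" strings).
drop_line() {
    sed -i "\\#$2#d" "$1"
}

# flag_reboot
# Ask for a reboot. An 'install <module> /bin/false' rule only stops future
# modprobe calls and a sysctl.d drop-in only applies at the next boot /
# 'sysctl --system': a module that is already loaded, or the live sysctl
# value, stays as it is until the machine is rebooted.
flag_reboot() {
    touch "$REBOOT_FLAG"
}

if [[ "$(CreoleGet install_rvp non)" == "oui" ]]
then
    echo "Contournement DirtyFrag avec IPSEC"

    # install_rvp went from "non" to "oui": the ESP modules were blocked by
    # the other branch and must be loadable again for IPsec to work.
    for module in esp4 esp6
    do
        if has_line "$MODPROBE_CONF" "install $module /bin/false"
        then
            drop_line "$MODPROBE_CONF" "install $module /bin/false"
            flag_reboot
        fi
    done

    # The workaround proper: rxrpc is not needed on these hosts, so refuse to
    # load it. '>' (re)creates the file with this single line.
    if ! has_line "$MODPROBE_CONF" "install rxrpc /bin/false"
    then
        echo "install rxrpc /bin/false" > "$MODPROBE_CONF"
        flag_reboot
    fi

    # Per https://aws.amazon.com/fr/security/security-bulletins/2026-027-aws/:
    #   "please monitor your environment for anomalous setuid executions"
    # Per https://access.redhat.com/security/vulnerabilities/RHSB-2026-003:
    #   "Disabling unprivileged user namespaces may also affect rootless
    #    containers, sandboxed browsers, and Flatpak."
    # Hence this second, more intrusive mitigation is reserved for the modules
    # that need IPsec, where ESP cannot simply be blocked.
    if ! has_line "$SYSCTL_CONF" "user.max_user_namespaces=0"
    then
        echo "user.max_user_namespaces=0" > "$SYSCTL_CONF"
        flag_reboot
    fi
else
    echo "Contournement DirtyFrag sans IPSEC"
    # This variant disables IPsec (ESP) entirely.

    # install_rvp went from "oui" to "non": drop the user-namespace sysctl.
    # Removing the drop-in does not reset the live value, so a reboot is still
    # needed before unprivileged user namespaces come back (the "oui" branch
    # flags a reboot on its own rollback; keep the two symmetric).
    if [[ -e "$SYSCTL_CONF" ]]
    then
        rm -f "$SYSCTL_CONF"
        flag_reboot
    fi

    # The workaround proper. Order matters: the rxrpc line truncates the file
    # ('>'), the ESP lines append to it ('>>').
    if ! has_line "$MODPROBE_CONF" "install rxrpc /bin/false"
    then
        echo "install rxrpc /bin/false" > "$MODPROBE_CONF"
        flag_reboot
    fi

    for module in esp4 esp6
    do
        if ! has_line "$MODPROBE_CONF" "install $module /bin/false"
        then
            echo "install $module /bin/false" >> "$MODPROBE_CONF"
            flag_reboot
        fi
    done
fi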
