# systemd service unit that runs /usr/sbin/block-copyfail, which the
# Description= line presents as a BPF LSM block for CVE-2026-31431 (Copy Fail).
#
# NOTE(review): presumably the block is only in force while this process is
# running (unless the program pins its BPF links) - confirm, and alert when
# this unit is inactive, skipped or failed.

[Unit]
Description=Block CVE-2026-31431 (Copy Fail) via BPF LSM
Documentation=https://github.com/atgreen/rhel-block-copyfail
# Ordering only: start after the BPF filesystem mount unit. After= does not
# pull that unit in by itself.
After=sys-fs-bpf.mount
# Kernel BTF must be present. An unmet Condition*= skips the unit without
# marking it failed, so a host without BTF stays unprotected and shows no
# failed unit - check for the skipped state as well.
ConditionPathExists=/sys/kernel/btf/vmlinux
# At most 3 start attempts per 60 seconds. Once the limit is hit systemd stops
# restarting and the unit stays failed until someone intervenes.
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
# Type=simple: systemd treats the service as started as soon as the process is
# spawned, so "active" alone does not prove the BPF program is attached.
Type=simple
ExecStart=/usr/sbin/block-copyfail
Restart=on-failure
RestartSec=5

# Hardening
# NOTE(review): no User= or CapabilityBoundingSet= is set, so the loader runs
# with the default system-service privileges. Consider a bounding set once the
# capabilities it actually needs are confirmed.

# Privilege and execution-domain restrictions
NoNewPrivileges=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
LockPersonality=yes
SystemCallArchitectures=native

# Filesystem view
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

# Kernel-facing surfaces
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectClock=yes

# Do NOT add ProtectKernelTunables=yes — it makes /sys read-only,
# breaking access to /sys/kernel/btf/vmlinux needed for BPF CO-RE.
# NOTE(review): a read-only /sys would normally still allow reads. Confirm
# whether the real breakage is writes under /sys/fs/bpf and record it here.

[Install]
WantedBy=multi-user.target