%define debug_package %{nil}

Name:           block-copyfail
# version 2 is needed because we called the previous package version 1, so cannot use 0.5.1
Version:        3
Release:        1.aiven%{?dist}
Vendor:         Aiven
URL:            https://github.com/atgreen/rhel-block-copyfail/
Source:         https://github.com/atgreen/rhel-block-copyfail/archive/refs/tags/v0.5.1/block-copyfail-0.5.1.tar.gz
Summary:        Service to prevent copy.fail CVE-2026-31431 without needing a reboot
License:        MIT
Requires:       bpftool
BuildRequires:  systemd-rpm-macros systemd-devel gcc make clang libbpf-devel bpftool
Patch1:         block-copyfail-fragnesia.patch

%description
A simple service on top of the block-copyfail.bpf.o by Anthony Green

What it blocks:
  Copy Fail 1 (CVE-2026-31431)   socket_bind      AF_ALG AEAD socket binds
  Copy Fail 2 / Dirty Frag ESP   socket_sendmsg   MSG_SPLICE_PAGES on UDP sockets
  Dirty Frag (rxkad path)        socket_create    AF_RXRPC socket creation
  Fragnesia (espintcp)

What's unaffected:
  Other AF_ALG usage (hash, skcipher, rng)
  Normal UDP sends via sendmsg/sendto/write
    (only splice-based zero-copy UDP sends are blocked by Copy Fail 2)
  All TCP traffic, including splice-to-TCP
  Normal IPsec / xfrm traffic

%prep
%autosetup -n rhel-block-copyfail-0.5.1
#autopatch -p1

%build
%make_build

%install
install -p -D -m644 block-copyfail.service %{buildroot}%{_unitdir}/block-copyfail.service
install -p -D -m755 block-copyfail %{buildroot}%{_bindir}/block-copyfail

%check
#nothing

%post
%systemd_post block-copyfail.service

%preun
%systemd_preun block-copyfail.service

%postun
%systemd_postun_with_restart block-copyfail.service

%files
%{_bindir}/block-copyfail
%{_unitdir}/block-copyfail.service
%doc trigger-test.py

%changelog
%autochangelog