
The Linux kernel’s AF_ALG interface was deprecated in Linux 7.2. This interface for letting user-space programs interact directly with the Linux kernel crypto API has proven to be a “massive attack surface” due to a variety of security concerns. With its deprecation in Linux 7.2, some AF_ALG features are already removed and for Linux 7.3 this interface is being further restrained.
Linux crypto expert Eric Biggers at Google is introducing a new af_alg_restrict sysctl knob to further limit the AF_ALG abilities out-of-the-box on the Linux kernel. But for anyone actually relying on AF_ALG with user-space programs, adjusting this sysctl is a convenient way to allow unrestricted access. Conversely, af_alg_restrict can be used for completely disabling AF_ALG too.
Eric Biggers explains in the patch adding this af_alg_restrict sysctl option:
“AF_ALG is a frequent source of vulnerabilities and a maintenance nightmare. It exposes far more functionality to userspace than ever should have been exposed, especially to unprivileged processes. Recent exploits have targeted kernel internal implementation details like “authencesn” that have zero use case for userspace access.
Fortunately, AF_ALG is rarely used in practice, as userspace crypto libraries exist. And when it is used, only some functionality is known to be used, and many users are known to hold capabilities already. iwd for example requires CAP_NET_ADMIN and has a known algorithm list.
Thus, let’s restrict the set of allowed algorithms by default, depending on the capabilities held.
Add a sysctl /proc/sys/crypto/af_alg_restrict with meaning:
0: unrestricted
1: limited functionality
2: completely disabledSet the default value to 1, which enables an algorithm allowlist for unprivileged processes and a slightly longer allowlist for privileged processes.
Note that the list may be tweaked in the future. However, the common use cases such as iwd and bluez are taken into account already. I’ve tested that iwd still works with the default value of 1.”
So at least Intel’s IWD wireless daemon will still work out-of-the-box for the time being at least. We’ll see how soon until they move to a default of disabling AF_ALG by default and its eventual removal from the kernel codebase.
This af_alg_restrict sysctl patch is in the “cryptodev” Git code right now and thus expected to be merged for the Linux 7.3 cycle later in the year.
