Fragnesia reaches the vulnerable kernel path through XFRM ESP-in-TCP setup.
This demo does not ship a local-root exploit; it shows the NETLINK_XFRM setup
socket that the exploit requires being opened without agentsh, then denied for
wrapped processes, while ordinary NETLINK_ROUTE use, such as route inspection,
continues to work.
Fragnesia depends on reaching the XFRM ESP-in-TCP setup path. agentsh denies
the NETLINK_XFRM socket setup before exploit-specific payload
handling can begin. The process sees a normal kernel-style denial, the session
report records the policy rule that fired, and ordinary IPv4 traffic remains
available for the workload.
This is intentionally a runtime boundary. The protected run does not need to identify exploit source code or trust the agent to avoid risky commands; it blocks the kernel interface that the setup path requires and leaves an auditable policy decision behind.
Docker’s default seccomp is disabled so the raw kernel surface is visible.
Without agentsh, Alice can open socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM),
including through a direct syscall that bypasses libc.
Under agentsh, the NETLINK_XFRM open is denied with EAFNOSUPPORT while the
control NETLINK_ROUTE socket stays open. The raw-syscall check proves that
the block fires at the kernel boundary rather than in the C library.
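The check described above, written out as an added probe that is not part of the Fragnesia demo or the agentsh project: it opens AF_NETLINK/SOCK_RAW sockets for NETLINK_ROUTE and NETLINK_XFRM both through libc socket() and through a direct socket syscall, classifies each outcome, and reports whether the expected boundary (XFRM denied with EAFNOSUPPORT on both paths, ROUTE still open) holds. It assumes Linux with a SYS_socket syscall number (x86_64 or aarch64); the struct and function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/netlink.h>

/* One socket(2) attempt: fd >= 0 means the open succeeded (the descriptor
 * is closed again immediately); otherwise fd == -1 and err holds errno. */
struct probe_result {
    int fd;
    int err;
};

/* Open an AF_NETLINK/SOCK_RAW socket of the given protocol through libc. */
static struct probe_result probe_libc(int proto)
{
    struct probe_result r = { -1, 0 };
    r.fd = socket(AF_NETLINK, SOCK_RAW, proto);
    if (r.fd < 0)
        r.err = errno;
    else
        close(r.fd);
    return r;
}

/* Same attempt through a direct socket syscall, bypassing libc, so a deny
 * that only hooked the library call would show up as a disagreement.
 * Assumption: SYS_socket exists; architectures with only socketcall fall
 * back to the libc path. */
static struct probe_result probe_raw(int proto)
{
    struct probe_result r = { -1, 0 };
#ifdef SYS_socket
    long fd = syscall(SYS_socket, AF_NETLINK, SOCK_RAW, proto);
    if (fd < 0)
        r.err = errno;
    else
        close((int)fd);
    r.fd = (int)fd;
#else
    r = probe_libc(proto);
#endif
    return r;
}

/* Classify an attempt; the denial the text describes is EAFNOSUPPORT. */
static const char *verdict(struct probe_result r)
{
    if (r.fd >= 0)
        return "open";
    if (r.err == EAFNOSUPPORT)
        return "denied (EAFNOSUPPORT)";
    return "failed (other errno)";
}

/* 1 if the libc and raw-syscall attempts agree, as they must when the
 * decision is taken at the kernel boundary and not in userspace. */
static int paths_agree(int proto)
{
    struct probe_result a = probe_libc(proto);
    struct probe_result b = probe_raw(proto);
    return (a.fd >= 0) == (b.fd >= 0) && a.err == b.err;
}

/* 1 only when NETLINK_XFRM is denied with EAFNOSUPPORT on both paths while
 * NETLINK_ROUTE still opens on both: the boundary the protected run expects. */
static int boundary_holds(void)
{
    struct probe_result xl = probe_libc(NETLINK_XFRM), xr = probe_raw(NETLINK_XFRM);
    struct probe_result rl = probe_libc(NETLINK_ROUTE), rr = probe_raw(NETLINK_ROUTE);
    return xl.fd < 0 && xl.err == EAFNOSUPPORT
        && xr.fd < 0 && xr.err == EAFNOSUPPORT
        && rl.fd >= 0 && rr.fd >= 0;
}

int main(void)
{
    printf("NETLINK_ROUTE libc: %s\n", verdict(probe_libc(NETLINK_ROUTE)));
    printf("NETLINK_ROUTE raw : %s\n", verdict(probe_raw(NETLINK_ROUTE)));
    printf("NETLINK_XFRM  libc: %s\n", verdict(probe_libc(NETLINK_XFRM)));
    printf("NETLINK_XFRM  raw : %s\n", verdict(probe_raw(NETLINK_XFRM)));
    printf("boundary holds: %s\n", boundary_holds() ? "yes" : "no");
    return boundary_holds() ? 0 : 1;
}
```

Run it once unwrapped and once under agentsh: the first run should report both protocols as open, the second should report NETLINK_XFRM as denied on both paths and exit 0. A run where the libc and raw lines disagree would indicate a userspace hook rather than a kernel-boundary denial.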
The dirtyfrag-conservative mitigation includes the AF_NETLINK + NETLINK_XFRM
rule, which is the Fragnesia-relevant socket boundary. It also includes the
related AF_RXRPC DirtyFrag rule.
Use the explicit one-rule config above only when you want a Fragnesia-only local rule.