
kernel: disable DirtyFrag trigger modules #59

Merged: kvinwang merged 1 commit into main from fix/disable-dirtyfrag-modules on May 8, 2026

Conversation

@kvinwang (Collaborator) commented May 8, 2026

Summary

  • disable IPv4/IPv6 ESP transforms in the dstack kernel config to remove the ESP DirtyFrag trigger path
  • explicitly keep AF_RXRPC/RXKAD disabled so the RxRPC trigger path cannot be enabled by future feature sets
  • keep generic XFRM userspace support enabled for non-ESP networking use cases

Validation

  • ran git diff --check
  • inspected generated config fragments; ESP/RxRPC are disabled via dstack-docker.cfg

Note: this is a mitigation by removing the vulnerable protocol handlers from the built kernel rather than relying on module blacklisting, since ESP is currently built in.
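The "inspected generated config fragments" validation step above can be turned into a repeatable check against the final .config produced by the build. The script below is an added example, not code from this PR or the dstack project; the CONFIG_ symbol names are my assumption about which Kconfig options the dstack-docker.cfg fragment flips (ESP transforms, XFRM ESP, RxRPC/RXKAD off; generic XFRM userspace on) and should be matched to the real fragment. The two sample configs are constructed inline so the script runs without a kernel tree.

```shell
#!/bin/sh
# Added example (not from the dstack repo): verify that a generated kernel
# .config reflects the state the PR describes.  Symbol names are assumptions
# about which options the dstack-docker.cfg fragment sets.

# Options that must be absent or "# CONFIG_X is not set" (ESP and RxRPC paths).
MUST_BE_OFF="CONFIG_INET_ESP CONFIG_INET6_ESP CONFIG_XFRM_ESP CONFIG_AF_RXRPC CONFIG_RXKAD"
# Options that must be built in (generic XFRM userspace support stays available).
MUST_BE_ON="CONFIG_XFRM_USER"

# config_state FILE SYMBOL -> prints one of: off, builtin, module, absent
config_state() {
    cf=$1; csym=$2
    if grep -q "^# ${csym} is not set\$" "$cf"; then
        echo off
    elif grep -q "^${csym}=y\$" "$cf"; then
        echo builtin
    elif grep -q "^${csym}=m\$" "$cf"; then
        echo module
    else
        echo absent
    fi
}

# check_config FILE -> returns 0 if every constraint holds, 1 otherwise.
# Each violation is printed so the offending symbol shows up in CI logs.
# Note that "=m" is treated as a failure: a loadable module is exactly the
# state the PR avoids, since blacklisting is weaker than not building it.
check_config() {
    file=$1; rc=0
    for sym in $MUST_BE_OFF; do
        st=$(config_state "$file" "$sym")
        case $st in
            off|absent) ;;
            *) echo "FAIL: $sym is $st (expected off or absent)"; rc=1 ;;
        esac
    done
    for sym in $MUST_BE_ON; do
        st=$(config_state "$file" "$sym")
        [ "$st" = builtin ] || { echo "FAIL: $sym is $st (expected =y)"; rc=1; }
    done
    return $rc
}

# Constructed sample configs (not real build output) to exercise the check.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
# CONFIG_XFRM_ESP is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET6_ESP is not set
# CONFIG_AF_RXRPC is not set
EOF

BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_XFRM_ESP=y
CONFIG_INET_ESP=y
# CONFIG_INET6_ESP is not set
CONFIG_AF_RXRPC=m
CONFIG_RXKAD=m
EOF

check_config "$GOOD_CFG" && echo "good config: OK"
check_config "$BAD_CFG" || echo "bad config: rejected as expected"
```

In a real pipeline, point check_config at the build's generated .config (for example the one under the linux-yocto work directory) and fail the job on a non-zero return; this catches a later feature set re-enabling ESP or RxRPC, which is the regression the PR's "explicitly keep disabled" comments are meant to guard against.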

Copilot AI review requested due to automatic review settings May 8, 2026 05:38

Copilot AI left a comment


Pull request overview

This PR updates the dstack kernel config fragment used by the Yocto linux-yocto build to mitigate DirtyFrag-style trigger paths by ensuring ESP (IPv4/IPv6) and RxRPC are not built into the kernel, while keeping generic XFRM userspace support enabled for non-ESP use cases.

Changes:

  • Disable IPv4/IPv6 ESP transforms and XFRM ESP support in dstack-docker.cfg.
  • Explicitly keep RxRPC (AF_RXRPC/RXKAD) disabled to prevent future feature sets from enabling it indirectly.
  • Add inline comments documenting the security rationale and the intended constraints.


@kvinwang kvinwang merged commit d920a02 into main May 8, 2026
7 checks passed