
More module refactoring #595

Merged: ystros merged 1 commit into ubuntu-jammy from more-module-refactoring on May 8, 2026

Conversation

ystros (Contributor) commented May 8, 2026

Note: per Gemini, these modules have the following uses.

Encapsulating Security Payload (esp4/esp6): These modules are utilized when Cloud Foundry operators deploy the IPsec Add-on. This add-on secures traffic between internal components (like the GoRouter and Diego Cells) by encrypting the data packets at the kernel level.

AF_RXRPC (rxrpc): This is part of the standard network stack included in the stemcell kernel. While rarely used by modern Cloud Foundry applications, it remains a monitored component for security compliance.

Mitigation for https://github.com/V4bel/dirtyfrag

Signed-off-by: Aram Price <aram.price@broadcom.com>
coderabbitai Bot commented May 8, 2026


Walkthrough

This pull request extends kernel module hardening in BOSH Linux stemcells by blacklisting three additional kernel modules: esp4, esp6, and rxrpc. The implementation adds install directives to the modprobe configuration that redirect module loading to /bin/true, preventing initialization. Three corresponding RSpec test contexts verify that the blacklist configuration file contains the expected directives for each module.

Pre-merge checks: 3 passed, 2 failed

Failed checks (1 warning, 1 inconclusive)

Description check: Warning. The pull request description lacks the required merge-forward strategy structure specified in the repository template. Resolution: Add information about which branch this PR targets and confirm it follows the merge-forward strategy (create PR into oldest branch, then merge forward through subsequent branches).

Title check: Inconclusive. The title 'More module refactoring' is vague and generic, using non-descriptive language that doesn't convey which specific modules are being refactored or the actual change being made. Resolution: Use a more specific title that identifies the modules being blacklisted, such as 'Blacklist esp4, esp6, and rxrpc kernel modules' or 'Add kernel module hardening for IPsec and RXRPC.'

Passed checks (3 passed)

Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.

Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


Copilot AI (Contributor) left a comment

Pull request overview

This PR extends the stemcell “system_kernel_modules” hardening stage to block additional kernel modules from being loadable via modprobe, and updates the corresponding OS image spec shared examples to enforce that behavior.

Changes:

  • Add esp4, esp6, and rxrpc to /etc/modprobe.d/blacklist.conf as install <module> /bin/true.
  • Add Serverspec/RSpec shared-example assertions ensuring those lines are present.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File: stemcell_builder/stages/system_kernel_modules/apply.sh
  Adds additional module-load prevention entries for esp4, esp6, and rxrpc.

File: bosh-stemcell/spec/support/os_image_linux_kernel_modules_shared_examples.rb
  Adds test expectations that the new module blacklisting is present.

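As an added example (not code from the stemcell repository or its spec suite), the following Ruby parser reads modprobe.d configuration and reports which of esp4, esp6 and rxrpc are not covered by an `install <module> /bin/true` directive, which is the condition the shared examples described above assert. It also shows why the stage uses `install ... /bin/true` rather than a plain `blacklist` line: `blacklist` only suppresses alias-based autoloading, whereas `install` replaces the load command so an explicit `modprobe` becomes a no-op too. The sample configuration is constructed for this example.

```ruby
# Added example, not the stemcell repo's own code. Parses modprobe.d text and
# checks that each required module is neutralised by "install <mod> /bin/true".

REQUIRED_MODULES = %w[esp4 esp6 rxrpc].freeze

# Map module name => install command from modprobe.d text.
# Handles comment lines, blank lines, repeated whitespace and "\" continuations.
def parse_install_directives(text)
  directives = {}
  logical = ""
  text.each_line do |raw|
    line = raw.chomp
    if line.end_with?("\\")            # continuation: join with the next line
      logical += line.chomp("\\") + " "
      next
    end
    stripped = (logical + line).strip
    logical = ""
    next if stripped.empty? || stripped.start_with?("#")
    keyword, mod, *cmd = stripped.split(/\s+/)
    directives[mod] = cmd.join(" ") if keyword == "install" && mod && !cmd.empty?
  end
  directives
end

# Modules from +required+ that lack an effective "install <mod> /bin/true".
# A "blacklist <mod>" line alone does not satisfy this check: it only stops
# alias-based autoloading, while "install" overrides the load command itself.
def unblocked_modules(text, required = REQUIRED_MODULES)
  installs = parse_install_directives(text)
  required.reject { |m| installs[m] == "/bin/true" }
end

# Constructed sample config (not the stemcell's real blacklist.conf).
SAMPLE_CONF = <<~CONF
  # kernel module hardening
  install esp4 /bin/true
  install   esp6   /bin/true
  # blacklist only stops alias autoloading; an explicit modprobe still works
  blacklist rxrpc
  install dccp \\
    /bin/true
CONF

if __FILE__ == $PROGRAM_NAME
  p unblocked_modules(SAMPLE_CONF)   # => ["rxrpc"]
end
```

Running it against a built image's /etc/modprobe.d/blacklist.conf should return an empty array for the three modules this PR adds.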

Comment thread on stemcell_builder/stages/system_kernel_modules/apply.sh

coderabbitai Bot left a comment

Actionable comments posted: 1

Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In `@stemcell_builder/stages/system_kernel_modules/apply.sh`:
- Around line 24-26: The change blacklists kernel modules via the lines "install esp4 /bin/true" and "install esp6 /bin/true", which will prevent ESP from loading and break the CF IPsec Add-on; to fix, either remove or gate these two install lines behind a conditional (e.g., a build-time flag or detection of whether CF IPsec Add-on is present) so operators who still need ESP keep module loading, and add a clear comment and release-note/upgrade guidance that documents the change and its impact on the CF IPsec Add-on and ubuntu-jammy so operators can migrate or opt-in to the blacklist before deployment.

Commits: Reviewing files that changed from the base of the PR and between f68d644 and 3faea0c.

Files selected for processing (2):
  • bosh-stemcell/spec/support/os_image_linux_kernel_modules_shared_examples.rb
  • stemcell_builder/stages/system_kernel_modules/apply.sh

github-project-automation Bot moved this from Inbox to Waiting for Changes | Open for Contribution in Foundational Infrastructure Working Group, May 8, 2026
github-project-automation Bot moved this from Waiting for Changes | Open for Contribution to Pending Merge | Prioritized in Foundational Infrastructure Working Group, May 8, 2026
ystros merged commit 06145e1 into ubuntu-jammy, May 8, 2026 (16 checks passed)
github-project-automation Bot moved this from Pending Merge | Prioritized to Done in Foundational Infrastructure Working Group, May 8, 2026
ystros deleted the more-module-refactoring branch, May 8, 2026 17:48