How to Use the Linux Kernel Kill Switch to Disable Vulnerable Functions

Introduction

In response to the growing threat of local privilege escalation (LPE) vulnerabilities in Linux such as Copy Fail and Dirty Frag, NVIDIA engineer and kernel maintainer Sasha Levin proposed a new kernel mechanism called killswitch. It allows system administrators to immediately neuter a specific kernel function on a running system, preventing attackers from exploiting known bugs before a proper patch is deployed. Unlike a full kernel update, the killswitch disables a function by forcing it to return a predefined value without executing any of its code. This guide walks you through using the killswitch to secure your Linux system.

Source: itsfoss.com

What You Need

Step-by-Step Guide

Step 1: Identify the Vulnerable Kernel Function

Before engaging the killswitch, determine which kernel function is affected. Security advisories and CVEs name the function (e.g., ksmbd, nftables, vsock, ax25). For the Copy Fail exploit, the flawed function is af_alg_sendmsg in the AF_ALG crypto interface. Use tools like dmesg or check your distribution’s security announcements to confirm.

Step 2: Engage the Killswitch via Sysfs

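Run the following command as root (use a root shell; with sudo in front of echo, the redirection into the control file would still run as the unprivileged user):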

echo "engage af_alg_sendmsg -1" > /sys/kernel/security/killswitch/control

Replace af_alg_sendmsg with your target function name and -1 with the desired return value (typically -1 for a generic error). This command tells the kernel: from now on, whenever any code calls af_alg_sendmsg, it will immediately return -1 without executing the original body. The change takes effect across all CPU cores instantly.

Step 3: Verify the Killswitch Is Active

Check the killswitch status by reading the control file:

cat /sys/kernel/security/killswitch/control

You should see your engaged function and its return value. Alternatively, attempt to use the disabled functionality (e.g., sending data through AF_ALG) and confirm it fails with an error. Also, note that engaging a killswitch taints the kernel – a new flag H (bit 20) is set, visible in /proc/sys/kernel/tainted. This flag persists even after disengaging until the next reboot.

Step 4: Disengage the Killswitch (If Necessary)

When the real kernel patch is installed or the crisis passes, disengage the killswitch:

echo "disengage af_alg_sendmsg" > /sys/kernel/security/killswitch/control

This re-enables the function. However, the taint flag remains set until reboot, signaling that the kernel was modified during runtime.

Step 5: Apply Killswitch at Boot Time (Fleet Management)

For deploying the mitigation across many machines, use the kernel boot parameter. Edit your boot loader configuration (e.g., GRUB) and append:

killswitch=af_alg_sendmsg=-1,ksmbd=-1

This applies the killswitch from the moment the kernel starts, ensuring no vulnerable code ever runs. After editing, regenerate the boot loader configuration and reboot.
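
To check Steps 3 and 5 on each machine of a fleet, the following shell script is an added example (not from the original article or from the killswitch patch) that reports whether a function is engaged at runtime, whether it is also set on the kernel command line, and whether the taint bit is set. It assumes the control file lists each engaged function name as a whole word, as Step 3 describes; the ks_* function names and KS_* variables are hypothetical.

```shell
#!/bin/sh
# Added example: audit a killswitch mitigation (runtime state, boot persistence, taint).
# Paths and taint bit are the article's; the control-file read-back format is assumed.
# Usage: . ./ks_audit.sh && ks_audit af_alg_sendmsg
KS_CONTROL=${KS_CONTROL:-/sys/kernel/security/killswitch/control}
KS_TAINT=${KS_TAINT:-/proc/sys/kernel/tainted}
KS_CMDLINE=${KS_CMDLINE:-/proc/cmdline}
KS_TAINT_BIT=20

# True if FUNC ($1) appears as a whole word in the control file (assumed listing format).
ks_engaged() {
    [ -r "$KS_CONTROL" ] && grep -qw -- "$1" "$KS_CONTROL"
}

# True if the killswitch taint bit is set in the decimal taint mask.
ks_tainted() {
    mask=$(cat "$KS_TAINT" 2>/dev/null) || return 1
    case $mask in '' | *[!0-9]*) return 1 ;; esac
    [ $(( (mask >> KS_TAINT_BIT) & 1 )) -eq 1 ]
}

# Print the return value set for FUNC ($1) by killswitch=... on the kernel command line;
# non-zero exit if FUNC is not listed there.
ks_boot_value() {
    tr ' ' '\n' < "$KS_CMDLINE" | sed -n 's/^killswitch=//p' | tr ',' '\n' |
        awk -F= -v f="$1" '$1 == f { print $2; found = 1 } END { exit !found }'
}

# One-line verdict for FUNC ($1). Exit 0: engaged now and configured at boot.
# Exit 1: missing at runtime or at boot. Exit 2: engaged but taint bit clear (inconsistent).
ks_audit() {
    ks_rc=0
    if ks_engaged "$1"; then ks_run=engaged; else ks_run=NOT-engaged; ks_rc=1; fi
    if ks_val=$(ks_boot_value "$1"); then ks_boot=$ks_val; else ks_boot=MISSING; ks_rc=1; fi
    if ks_tainted; then ks_taint=set; else ks_taint=clear; fi
    [ "$ks_run" = engaged ] && [ "$ks_taint" = clear ] && ks_rc=2
    echo "$1 runtime=$ks_run boot=$ks_boot taint=$ks_taint"
    return "$ks_rc"
}
```

A function that is engaged at runtime but reported as boot=MISSING loses its mitigation at the next reboot unless the real patch is installed first.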

Conclusion and Tips
