Comment by marshray

21 hours ago

The lesson here being... compile your own kernel from git sources every few days?

Give up entirely on non-virtualized container security?

This is not sarcasm. I'd finally given in and started learning about docker/podman-style OCI containerization last week.

In this specific case, they offer an alternative mitigation if your chosen distro has not updated yet:

For immediate mitigation, block AF_ALG socket creation via seccomp or blacklist the algif_aead module:

    # tell modprobe to run /bin/false instead of loading the module
    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
    # unload it if it is already loaded (rmmod fails silently if it is in use)
    rmmod algif_aead 2>/dev/null

  • Thanks!

    I'd do 'umask 133' in front of the echo out of paranoia.

    Out of curiosity, was the asterisk after '2>/dev/null' intentional? I had not seen that idiom before.

Are you sure containerization would be more secure? This is also a rootless podman escape. The lesson here is to not give random people shell access to your systems.