Comment by still_grokking
16 hours ago
Will this continue like that even when the prophesied Mythos Vulnocalypse hits the Kernel?
This stance doesn't seem sustainable any more to me.
16 hours ago
Will this continue like that even when the prophesied Mythos Vulnocalypse hits the Kernel?
This stance doesn't seem sustainable any more to me.
The response from Greg was that Mythos proved that upstream was right all along and that they'll continue to do things the same way. That's my recollection, at least - pretty sure it was something like that, could have been even worse though and I'm misremembering.
The stance was never sustainable, hence linux LPEs being constantly available. The solution is to treat your kernel as impossible to secure. Notably, gvisor users are not impacted by this CVE. Seccomp also kills this CVE.
How about SELinux, like on Android?
selinux on enforcement mode did not mitigate the exploit when I tested today on fedora coreos :(
To even get the su binary on Android you have to patch the OS. So this exploit can't work on Android. Because there is no su binary to target.
Update: Just tried it on Termux and as expected even creating an AF_ALG socket requires root access.
3 replies →
I assume that wouldn't help here but I could easily be wrong. (Assuming if you're asking if SELinux would block this exploit).