Will this continue like that even when the prophesied Mythos Vulnocalypse hits the Kernel?
replyThis stance doesn't seem sustainable any more to me.
The response from Greg was that Mythos proved that upstream was right all along and that they'll continue to do things the same way. That's my recollection, at least - pretty sure it was something like that, could have been even worse though and I'm misremembering.
replyThe stance was never sustainable, hence linux LPEs being constantly available. The solution is to treat your kernel as impossible to secure. Notably, gvisor users are not impacted by this CVE. Seccomp also kills this CVE.
How about SELinux, like on Android?
replyselinux on enforcement mode did not mitigate the exploit when I tested today on fedora coreos :(
replyTo even get the su binary on Android you have to patch the OS. So this exploit can't work on Android. Because there is no su binary to target.
replyUpdate: Just tried it on Termux and as expected even creating an AF_ALG socket requires root access.
The specific exploit payload for the POC relies on a su binary. The vuln is ambivalent and other non-su paths will exist.
replyI assume that wouldn't help here but I could easily be wrong. (Assuming if you're asking if SELinux would block this exploit).
reply