undefined | Better HN

0 pointsstaticassertion10d ago0 comments

The response from Greg was that Mythos proved that upstream was right all along and that they'll continue to do things the same way. That's my recollection, at least - pretty sure it was something like that, could have been even worse though and I'm misremembering.

The stance was never sustainable, hence linux LPEs being constantly available. The solution is to treat your kernel as impossible to secure. Notably, gvisor users are not impacted by this CVE. Seccomp also kills this CVE.

0 comments

still_grokking10d ago

How about SELinux, like on Android?

fuomag910d ago

selinux on enforcement mode did not mitigate the exploit when I tested today on fedora coreos :(

nromiun10d ago

To even get the su binary on Android you have to patch the OS. So this exploit can't work on Android. Because there is no su binary to target.

Update: Just tried it on Termux and as expected even creating an AF_ALG socket requires root access.

staticassertionOP10d ago

The specific exploit payload for the POC relies on a su binary. The vuln is ambivalent and other non-su paths will exist.

nromiun10d ago

Of course, but it does not matter as the entire AF_ALG module is forbidden by SELinux anyway (on Android).

1 more reply

staticassertionOP10d ago

I assume that wouldn't help here but I could easily be wrong. (Assuming if you're asking if SELinux would block this exploit).

j / k navigate · click thread line to collapse

0 comments

still_grokking10d ago

How about SELinux, like on Android?

fuomag910d ago

selinux on enforcement mode did not mitigate the exploit when I tested today on fedora coreos :(

nromiun10d ago

To even get the su binary on Android you have to patch the OS. So this exploit can't work on Android. Because there is no su binary to target.

Update: Just tried it on Termux and as expected even creating an AF_ALG socket requires root access.

staticassertionOP10d ago

The specific exploit payload for the POC relies on a su binary. The vuln is ambivalent and other non-su paths will exist.

nromiun10d ago

Of course, but it does not matter as the entire AF_ALG module is forbidden by SELinux anyway (on Android).

1 more reply

staticassertionOP10d ago

I assume that wouldn't help here but I could easily be wrong. (Assuming if you're asking if SELinux would block this exploit).

j / k navigate · click thread line to collapse