@idkrn Sure, RBAC too, subjects with connect/bind rules automatically apply restrictions on socket families (limited to AF_UNIX/AF_INET). Any use of other socket families above that requires explicit sock_allow_family rules, so would block the AF_ALG use.
grsecurity@infosec.exchange
Posts
-
Creating a separate post so more people see this: the mitigation recommended by Theori.io for copy.fail *WILL NOT WORK* for any RHEL or RHEL-derived distro, including CentOS, Fedora, Oracle, and Alma as the vulnerable code is built-in.
-
The KB article with links to the combined/split-out patches for 5.15 and 6.6 (adapted to grsecurity) is now available. RE: https://infosec.exchange/@grsecurity/116493859237230837
-
Updated 5.15 and 6.6 patches are now available. We're now preparing a KB article with more guidance than shared in last night's email with links to combined/split-out patches for both 5.15 and 6.6 for those on older kernels who need CONFIG_CRYPTO_USER_API_AEAD enabled (which shouldn't be anyone).
-
For RHEL/RHEL-derived configurations, this approach will work (the function name has been stable since 2015 and initcall_blacklist has been supported since 2014): https://news.ycombinator.com/item?id=47956504
-
For it to be effective at all, you would need to have CONFIG_CRYPTO_USER_API_AEAD=m. If it's =y, there is no module and the mitigation is a no-op. https://oracle.github.io/kconfigs/?config=CRYPTO_USER_API_AEAD& shows the setting for common distros/versions, but it's most reliable to check your running kernel's config.
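One way to run the check the post above describes, as an added example that is not part of the original posts or any grsecurity tooling. The function names are hypothetical, and the three config locations tried are common distro conventions assumed here, not paths given in the thread.

```shell
#!/bin/sh
# Added example: classify CONFIG_CRYPTO_USER_API_AEAD in a kernel config.
# Function names and the probed paths are assumptions of this example.

# aead_state FILE -> prints m (module), y (built-in) or n (unset/absent).
# Reads plain config files and gzip-compressed ones such as /proc/config.gz.
aead_state() {
    cfg=$1
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # Match both "CONFIG_...=x" and "# CONFIG_... is not set"; last one wins.
    line=$($reader "$cfg" 2>/dev/null |
        grep -E '^(# )?CONFIG_CRYPTO_USER_API_AEAD[= ]' | tail -n 1)
    case $line in
        CONFIG_CRYPTO_USER_API_AEAD=m) echo m ;;
        CONFIG_CRYPTO_USER_API_AEAD=y) echo y ;;
        *) echo n ;;
    esac
}

# find_running_config -> path of the running kernel's config, or status 1.
find_running_config() {
    rel=$(uname -r)
    for f in "/boot/config-$rel" "/lib/modules/$rel/config" /proc/config.gz; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# verdict FILE -> one-line statement of what the setting means for mitigation.
verdict() {
    case $(aead_state "$1") in
        m) echo "=m: built as a module, a module-based mitigation can take effect" ;;
        y) echo "=y: built-in, there is no module and a module-based mitigation is a no-op" ;;
        n) echo "not set: the AEAD user API is not built into this kernel" ;;
    esac
}

# Report on the live system when a readable config exists.
if running=$(find_running_config); then
    echo "$running: $(verdict "$running")"
else
    echo "no readable kernel config found; check your distro's config package" >&2
fi
```

A `=y` result is the case where the thread points to the initcall_blacklist approach instead.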