Mitigating dirtyc0w with systemd

Basic mitigation

Known exploits for the CVE-2016-5195 vulnerability involve the madvise syscall, so it’s possible to mitigate by excluding that call via a systemd service or container configuration. This is easy for a systemd unit:

    [Service]
    SystemCallFilter=~madvise

The tilde after the equals sign marks the list as a blacklist of syscalls: the named calls are blocked, rather than being the only ones allowed.

As with any configuration change, you’ll want to test this out before deploying it. …
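One way to check that the filter is actually in effect, as an added example that is not from the original post: this C probe calls madvise in a child process and reports whether the call went through, failed with an errno (the behaviour when the unit also sets SystemCallErrorNumber=), or killed the child with SIGSYS (systemd’s default action for a filtered call). It assumes Linux; run it from inside the unit (for instance via ExecStartPre=) and compare the result with an unfiltered run.

```c
/* Added example, not code from the original post: probe whether madvise()
 * is blocked for the current process (e.g. under SystemCallFilter=~madvise).
 * Assumes Linux and a C99 compiler. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result { PROBE_ALLOWED = 0, PROBE_DENIED_ERRNO, PROBE_KILLED, PROBE_UNKNOWN };

/* Map a child's wait status onto a result. With systemd's default filter
 * action the child is killed by SIGSYS; with SystemCallErrorNumber= the
 * syscall fails and the child exits with that errno; otherwise it exits 0.
 * Exit code 255 is reserved for probe failures (no errno is that large). */
int classify_status(int status) {
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSYS ? PROBE_KILLED : PROBE_UNKNOWN;
    if (WIFEXITED(status)) {
        int code = WEXITSTATUS(status);
        if (code == 0)   return PROBE_ALLOWED;
        if (code == 255) return PROBE_UNKNOWN;
        return PROBE_DENIED_ERRNO;
    }
    return PROBE_UNKNOWN;
}

/* Call madvise() on a private anonymous page in a forked child, so that a
 * kill action only takes the child down, and classify what happened. */
int probe_madvise(void) {
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_UNKNOWN;
    if (pid == 0) {
        void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED)
            _exit(255);
        if (madvise(p, 4096, MADV_NORMAL) != 0)
            _exit(errno ? errno : 255);   /* syscall refused with an errno */
        _exit(0);                          /* syscall went through */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return PROBE_UNKNOWN;
    return classify_status(status);
}

int main(void) {
    static const char *names[] = {"allowed", "denied (errno)", "killed by SIGSYS", "unknown"};
    printf("madvise: %s\n", names[probe_madvise()]);
    return 0;
}
```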

Read more at David Timothy Strauss’s blog.
