(In reply to comment #36)
> The system tap does not seem to catch/deny every run of the exploit in my
> testing. They all seem to get logged, but many of them still get a root prompt.
The systemtap script proposed in comment #35 is a poor choice, so it is
now hidden in order to avoid misleading the public. It interfered
with multiple functions in fs/splice.c, and did not actually block
the vmsplice attempt but rather just attempted to log and punish it.
If you have the prerequisites for this tool though, try the simpler
script listed in bug #432229 comment #17.