[m3nu]

I wasn't able to unload algif_aead on RHEL 9/10 because it's built in, rather than a module.

So here the next-best thing I found: Disable AF_ALG via systemd. Needs drop-ins for all exposed services. Here an Ansible playbook that covers ssdh and user@, which are the main ones usually.

https://gist.github.com/m3nu/c19269ef4fd6fa53b03eb388f77464d...

[byron3256]

How about blacklisting algif_aead initialization function on RHEL 9/10? I added "initcall_blacklist=algif_aead_init" to the kernel boot options and rebooted. The exploit is not working anymore.

[m3nu]

Good idea. Added to the playbook for RHEL only.

On Debian normal unloading of the module works.

[pkoiralap]

I was coming up with the same intuition. However, it's like a whack-a-mole. What about cronjobs and slurmjobs and other services? Is there a way to do this directly on systemd so that all other processes inherit it rather than doing it on each one?

[chucky_z]

https://www.freedesktop.org/software/systemd/man/latest/syst...

`/etc/systemd/system/service.d/${...}.conf`

I think this is what you're looking for.

[yrro]

FYI RHEL's SELinux policy blocks AF_ALG socket creation for confined services out of the box. But disabling via RestrictAddressFamilies= unit option, or initcall_blacklist= kernel parameter, seems to be a good mitigation for unconfined services, users and containers.