Mitigating dirtyc0w with systemd

234

Basic mitigation

Known exploits for the CVE-2016–5195 vulnerability involve the madvise syscall, so it’s possible to mitigate by excluding the necessary call via a systemd service or container configuration. This is easy with for a systemd unit:

[Service]
SystemCallFilter=~madvise

The tilde after the equal sign indicates that this is a blacklist of syscalls.

As with any configuration change, you’ll want to test this out before deploying it. …

Read more at David Timothy Strauss Blog