Well, the keyctl syscall is one of those system calls blocked by Firejail by implementing seccomp-bpf.
Not needed since this vulnerability is DOA when using a Grsec kernel. grsecurity KERNEXEC, hardware SMEP, PAX_REFCOUNT - all block this exploit.

grsecurity @grsecurity, 8 hours ago: How can you not mention PAX_REFCOUNT when discussing this vuln that makes it DOA? http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/ …
According to one Android developer who works for the Android security team, many devices are not affected by this vulnerability: https://plus.google.com/+AdrianLudwig/posts/KxHcLPgSPoY
This isn't an issue to be completely freaked out about. However, I would like to see Mr. Linus focusing more on security than performance. Kernel developers drive sports cars, so sponsors clearly can afford a few more developers to look into important parts of the Kernel like this one. We shouldn't need Firejail or grsec to be protected against this; the Kernel itself should already be better audited and armed to the teeth against 0-day exploits (in this case, a 3-year-old exploit).
Grsecurity noting a big change a week ago that was signed off by Linus. He may be more and more pressured to put security at the forefront.

grsecurity @grsecurity, Jan 16: This is a pretty drastic change: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84638335900f1995495838fe1bd4870c43ec1f67 … What happened to that "don't break userland" rule?
This is a good thing, regardless of whether it broke userland or not. It's better to have a broken userland than an exploited one. On the broken userland, it's easy to patch things or to simply use an older kernel. With an exploited system, the admin may never know what the extent of the damage is.