I think this also requires user (i.e. unprivileged) namespaces since you have to manipulate traffic control queue disciplines (tc qdisc). You normally need to be root to do this, so it's only useful as an escalation if you can do it within a namespace or you can convince some root daemon to do the qdisc manipulation for you (I think unlikely?).
User namespaces opened up an enormous surface area to local privilege escalation since it made a ton of root-only APIs available to non-root users.
I don't think user namespaces are available on android, and it's sometimes disabled on linux distributions, although I think more are starting to enable it.
User namespaces opened up an enormous surface area to local privilege escalation since it made a ton of root-only APIs available to non-root users.
I don't think user namespaces are available on android, and it's sometimes disabled on linux distributions, although I think more are starting to enable it.
Relatedly, kernelCTF just announced they will be disabling user namespaces, which is probably a good idea if they are inundated with exploits: https://github.com/google/security-research/commit/7171625f5...