floof.org

Pippin friendica

Gah. I'm just sitting here browsing around while waiting for my main transit provider to signal the all-clear after maintenance so I can shift traffic from the backup transit back to them, when I read about *yet another* apocalyptic-level Linux kernel security bug, "Fragnesia", so that's, what, the third in a fortnight?

Another one which was revealed before coordinated disclosure so updates are not ready.

Another one which relies on loadable kernel modules that many don't use.

After the last one I went looking to see if I could find a mechanism for allow-listing kernel modules, so that modules couldn't be loaded by default and must be specifically allowed, which would reduce attack surface considerably, but there doesn't seem to be anything in modprobe et al to make that easy.

The next-best thing I can think of is deleting/moving module files so that the loader won't find them — or explicitly deny-listing every kernel module other than the ones you need. But that seems… silly. Unmaintainable, compared with an allow-list. At least this bug is in the same modules as the last one, so the mitigation for that one applies.

Definitely considering throwing all my hardware into a fire and becoming a hermit, though.
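One way to make the "deny-list everything except what you need" approach maintainable, as an added example that is not the post author's code: a POSIX shell helper that takes an allow-list and the module inventory and emits a modprobe.d fragment. The function names, the sample module names and the output path are my own assumptions.

```shell
#!/bin/sh
# Added example, not the post author's code: build a modprobe.d deny-list
# from an allow-list, i.e. the "deny everything except what you need"
# approach described in the post. Function names are hypothetical.

# Canonical module name: drop any directory, the .ko/.ko.xz/.ko.zst suffix,
# and map '-' to '_' (modprobe treats the two as the same character).
normalize_module_name() {
    n=${1##*/}
    n=${n%%.ko*}
    printf '%s\n' "$n" | tr '-' '_'
}

# Inventory of every module installed for the running kernel.
# Only meaningful on a real host; the dry run below uses a constructed list.
list_installed_modules() {
    find "/lib/modules/$(uname -r)" -name '*.ko*' 2>/dev/null |
        while read -r path; do normalize_module_name "$path"; done | sort -u
}

# gen_modprobe_denylist "ALLOWED..." "INVENTORY..."
# Emits one "install <mod> /bin/false" line per inventory module that is
# not on the allow-list; modprobe then refuses to load it. Anything an
# allowed module depends on (see `modprobe --show-depends <mod>`) must be
# on the allow-list too, or the allowed module itself will fail to load.
gen_modprobe_denylist() {
    allow=$(for a in $1; do normalize_module_name "$a"; done)
    for raw in $2; do
        mod=$(normalize_module_name "$raw")
        keep=0
        for ok in $allow; do
            if [ "$mod" = "$ok" ]; then keep=1; break; fi
        done
        [ "$keep" -eq 1 ] || printf 'install %s /bin/false\n' "$mod"
    done
}

# Dry run on a constructed inventory (not a real system's module list).
# On a host: gen_modprobe_denylist "ext4 e1000e" "$(list_installed_modules)" \
#            > /etc/modprobe.d/denylist.conf   (path is an assumption)
gen_modprobe_denylist "ext4 e1000e" "ext4 e1000e nf-tables tls"
```

This only governs modprobe: a module that is already loaded, or one inserted with insmod directly from the .ko file, is unaffected. Once everything needed is loaded, `sysctl kernel.modules_disabled=1` refuses all further module loading until reboot, which is the closest thing to a hard allow-list the kernel itself offers.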