Correction: I was wrong about copy.fail and #sydbox earlier: Force sandboxing and Crypt sandboxing _imply_ the option trace/allow_safe_kcapi:1 so when these two are in use the sandbox process can abuse the AEAD issue in the #Linux #kernel. With #sydbox 3.52.0 to be released very soon, we rename the trace/allow_safe_kcapi option to trace/allow_unsafe_kcapi and Force/Crypt sandboxing are no longer going to imply this option, rather allow only Syd's use of AF_ALG sockets. #exherbo #linux #security