Building a backdoored Kernel - Attack vector 2?
Posted Mar 31, 2024 19:46 UTC (Sun) by nix (subscriber, #2304)
In reply to: Building a backdoored Kernel - Attack vector 2? by ma4ris8
Parent article: A backdoor in xz
Yeah, the IFUNC mechanism was abused to force different resolution for symbols in libcrypto (!) as used by openssl. It may be possible to spot and block this abuse, since it seems to me that no legitimate program would ever want to do what the exploit does, but let's not fool ourselves -- if this wasn't present, the exploit would just have done something else. By the time you have hostile code executing in the same address space as sshd before privsep has kicked in, you've lost, IFUNC or no IFUNC.