All of lore.kernel.org
 help / color / mirror / Atom feed
From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: DirtyClone etc
Date: Tue, 30 Jun 2026 22:09:34 +1000	[thread overview]
Message-ID: <3639982.SvYEEZNnvj@dojacat> (raw)

https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/

This is the latest kernel exploit which relies on creating a container with 
"unshare -Urn" or "bwrap --bind / / --unshare-user --unshare-net --uid 0 --gid 
0 /bin/bash" and having self:cap_userns net_admin access in that container.  

Should we have some neverallow rules for accessing such capabilities that work 
in a similar way to the ones for accessing memory_device_t, security_t, and 
shadow_t?

Below are the domains that have such access in the Debian policy (a moderately 
modified version of refpolicy) with the unconfined module removed.

# sesearch -A -c cap_userns -p net_admin
allow container_engine_t container_engine_t:cap_userns { audit_write chown 
dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease 
linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid 
setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace 
sys_rawio sys_resource sys_time sys_tty_config };
allow container_init_t container_init_t:cap_userns { chown dac_override 
dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid 
};
allow container_kvm_t container_kvm_t:cap_userns { chown dac_override 
dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid 
};
allow container_t container_t:cap_userns { chown dac_override dac_read_search 
fowner kill net_admin net_bind_service net_raw setgid setuid };
allow crio_t crio_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow dockerd_t dockerd_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow dockerd_user_t dockerd_user_t:cap_userns { audit_write chown 
dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease 
linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid 
setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace 
sys_rawio sys_resource sys_time sys_tty_config };
allow init_t init_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace 
sys_rawio sys_resource sys_time sys_tty_config };
allow iptables_t iptables_t:cap_userns { net_admin net_raw };
allow podman_t podman_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow podman_user_t podman_user_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow spc_t spc_t:cap_userns { audit_write chown dac_override dac_read_search 
fowner fsetid ipc_lock kill mknod net_admin net_bind_service net_raw setgid 
setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource 
};
allow spc_user_t spc_user_t:cap_userns { chown dac_override dac_read_search 
fowner kill net_admin net_bind_service net_raw setgid setuid };
allow staff_bubblewrap_t staff_bubblewrap_t:cap_userns { dac_override 
net_admin setpcap sys_admin sys_ptrace };
allow sysadm_bubblewrap_t sysadm_bubblewrap_t:cap_userns { dac_override 
net_admin setpcap sys_admin sys_ptrace };
allow user_bubblewrap_t user_bubblewrap_t:cap_userns { dac_override net_admin 
setpcap sys_admin sys_ptrace };

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




             reply	other threads:[~2026-06-30 12:09 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30 12:09 Russell Coker [this message]
2026-06-30 12:40 ` DirtyClone etc Dominick Grift

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3639982.SvYEEZNnvj@dojacat \
    --to=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.