From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: DirtyClone etc
Date: Tue, 30 Jun 2026 22:09:34 +1000 [thread overview]
Message-ID: <3639982.SvYEEZNnvj@dojacat> (raw)
https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/
This is the latest kernel exploit which relies on creating a container with
"unshare -Urn" or "bwrap --bind / / --unshare-user --unshare-net --uid 0 --gid
0 /bin/bash" and having self:cap_userns net_admin access in that container.
Should we have some neverallow rules for accessing such capabilities that work
in a similar way to the ones for accessing memory_device_t, security_t, and
shadow_t?
Below are the domains that have such access in the Debian policy (a moderately
modified version of refpolicy) with the unconfined module removed.
# sesearch -A -c cap_userns -p net_admin
allow container_engine_t container_engine_t:cap_userns { audit_write chown
dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease
linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid
setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace
sys_rawio sys_resource sys_time sys_tty_config };
allow container_init_t container_init_t:cap_userns { chown dac_override
dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid
};
allow container_kvm_t container_kvm_t:cap_userns { chown dac_override
dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid
};
allow container_t container_t:cap_userns { chown dac_override dac_read_search
fowner kill net_admin net_bind_service net_raw setgid setuid };
allow crio_t crio_t:cap_userns { audit_write chown dac_override
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio
sys_resource sys_time sys_tty_config };
allow dockerd_t dockerd_t:cap_userns { audit_write chown dac_override
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio
sys_resource sys_time sys_tty_config };
allow dockerd_user_t dockerd_user_t:cap_userns { audit_write chown
dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease
linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid
setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace
sys_rawio sys_resource sys_time sys_tty_config };
allow init_t init_t:cap_userns { audit_write chown dac_override
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid
sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace
sys_rawio sys_resource sys_time sys_tty_config };
allow iptables_t iptables_t:cap_userns { net_admin net_raw };
allow podman_t podman_t:cap_userns { audit_write chown dac_override
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio
sys_resource sys_time sys_tty_config };
allow podman_user_t podman_user_t:cap_userns { audit_write chown dac_override
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio
sys_resource sys_time sys_tty_config };
allow spc_t spc_t:cap_userns { audit_write chown dac_override dac_read_search
fowner fsetid ipc_lock kill mknod net_admin net_bind_service net_raw setgid
setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource
};
allow spc_user_t spc_user_t:cap_userns { chown dac_override dac_read_search
fowner kill net_admin net_bind_service net_raw setgid setuid };
allow staff_bubblewrap_t staff_bubblewrap_t:cap_userns { dac_override
net_admin setpcap sys_admin sys_ptrace };
allow sysadm_bubblewrap_t sysadm_bubblewrap_t:cap_userns { dac_override
net_admin setpcap sys_admin sys_ptrace };
allow user_bubblewrap_t user_bubblewrap_t:cap_userns { dac_override net_admin
setpcap sys_admin sys_ptrace };
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
next reply other threads:[~2026-06-30 12:09 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 12:09 Russell Coker [this message]
2026-06-30 12:40 ` DirtyClone etc Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3639982.SvYEEZNnvj@dojacat \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.