From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.sws.net.au (smtp.sws.net.au [144.76.186.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 093F93EFFDB for ; Tue, 30 Jun 2026 12:09:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=144.76.186.9 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782821360; cv=none; b=ONqaWDGDH0VW7r9+NpAauXxFYUvAG0E5nyIhsL4zoq8eJ1PT/ibQWUO3DxYY5WJfN/zEZa1xUCWW2boWqx8Fcz7t2NxcpPyDPSFjNbXG1gZMAAik7zK+qxhWmRro6bDxoXvrSpgRjVHGzzdSOnfKuHRV4v9QKMaGwkpwSjnKm14= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782821360; c=relaxed/simple; bh=PS72h5JCvEu2kpXfv+4uViKmGHsZPxWh7EOGffKA21Q=; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; b=YUrSwWeBEYjOx6UC9hyemn26sLRv0wcJkHM5ngwczbtky0idOR4Pl+UAhaIreidYiAXnrXZfgpEI5Ky/NGH50G65LcObHbRxWQFH/iexNfbW9hwr1g4YMET/Ih9HgFcBdRac7N5HZU9AFKqOLwVzaeYtvTyuxZyvZdpcmDoNlek= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=coker.com.au; spf=pass smtp.mailfrom=coker.com.au; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b=pC6Xz4mC; arc=none smtp.client-ip=144.76.186.9 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=coker.com.au Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=coker.com.au Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="pC6Xz4mC" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1782821357; bh=psftUBjv71CPNfXH58DUN2RIv6i2oDucN8zASDzH1b4=; l=4390; h=From:To:Subject:Date:From; b=pC6Xz4mCPt+5NOoURAyE9684ybxMovuZNSe6woyIYoHIQH6zjV7uxzR9r06I7bfgD OE0XKgkAhBcm7vyQBxK5J6DNKxlz0x9B2Vw9JbkiY8o0Xgk7IwK47yrF97mAQ1/auk NiasUwVAodpdSZsLhI5p5fl5QYc7izqTSa1y/8Ow= Received: from liv.coker.com.au (unknown [IPv6:2001:4479:6706:1e00:5b25:5c6d:bad2:791]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) (Authenticated sender: russell@coker.com.au) by smtp.sws.net.au (Postfix) with ESMTPSA id 7AEFFF203 for ; Tue, 30 Jun 2026 22:09:15 +1000 (AEST) From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: DirtyClone etc Date: Tue, 30 Jun 2026 22:09:34 +1000 Message-ID: <3639982.SvYEEZNnvj@dojacat> Precedence: bulk X-Mailing-List: selinux-refpolicy@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="utf-8" https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/ This is the latest kernel exploit which relies on creating a container with "unshare -Urn" or "bwrap --bind / / --unshare-user --unshare-net --uid 0 --gid 0 /bin/bash" and having self:cap_userns net_admin access in that container. Should we have some neverallow rules for accessing such capabilities that work in a similar way to the ones for accessing memory_device_t, security_t, and shadow_t? Below are the domains that have such access in the Debian policy (a moderately modified version of refpolicy) with the unconfined module removed. # sesearch -A -c cap_userns -p net_admin allow container_engine_t container_engine_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; allow container_init_t container_init_t:cap_userns { chown dac_override dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid }; allow container_kvm_t container_kvm_t:cap_userns { chown dac_override dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid }; allow container_t container_t:cap_userns { chown dac_override dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid }; allow crio_t crio_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; allow dockerd_t dockerd_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; allow dockerd_user_t dockerd_user_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; allow init_t init_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; allow iptables_t iptables_t:cap_userns { net_admin net_raw }; allow podman_t podman_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; allow podman_user_t podman_user_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; allow spc_t spc_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_bind_service net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource }; allow spc_user_t spc_user_t:cap_userns { chown dac_override dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid }; allow staff_bubblewrap_t staff_bubblewrap_t:cap_userns { dac_override net_admin setpcap sys_admin sys_ptrace }; allow sysadm_bubblewrap_t sysadm_bubblewrap_t:cap_userns { dac_override net_admin setpcap sys_admin sys_ptrace }; allow user_bubblewrap_t user_bubblewrap_t:cap_userns { dac_override net_admin setpcap sys_admin sys_ptrace }; -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/