From: Dominick Grift <dominick.grift@defensec.nl>
To: Russell Coker <russell@coker.com.au>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: DirtyClone etc
Date: Tue, 30 Jun 2026 14:40:52 +0200 [thread overview]
Message-ID: <87h5mkp5ez.fsf@defensec.nl> (raw)
In-Reply-To: <3639982.SvYEEZNnvj@dojacat> (Russell Coker's message of "Tue, 30 Jun 2026 22:09:34 +1000")
Russell Coker <russell@coker.com.au> writes:
> https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/
>
> This is the latest kernel exploit which relies on creating a container with
> "unshare -Urn" or "bwrap --bind / / --unshare-user --unshare-net --uid 0 --gid
> 0 /bin/bash" and having self:cap_userns net_admin access in that container.
>
> Should we have some neverallow rules for accessing such capabilities that work
> in a similar way to the ones for accessing memory_device_t, security_t, and
> shadow_t?
Looks like one in a long line of bugs related to
kernel.unprivileged_userns_clone
If blocking that access would mitigate without breaking functionality
then I would be sympathetic but if for example we remove it from
podman_user_t then thats bound to break. Fix is also in the pipeline and
I doubt a policy update would arrive quicker to many than Linux 7.2
I would instead suggest using the JFrog mitigation advice and if when
individuals have access to recent SELinux then they can customise and
tailor it easily:
echo '(deny podman_user_t self (cap_userns (net_admin)))' >mytest.cil &&
sudo semodule -i mytest.cil
I think quite a few people pay quite close attention to that
kernel.unprivileged_userns_clone sysctl setting and are well aware of
the dangers of enabling and using it.
SELinux can do a lot of handy things but in the end, at least to me,
its access control used to enforce the principle of least privilege,
confidentiality or separation.
>
> Below are the domains that have such access in the Debian policy (a moderately
> modified version of refpolicy) with the unconfined module removed.
>
> # sesearch -A -c cap_userns -p net_admin
> allow container_engine_t container_engine_t:cap_userns { audit_write chown
> dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease
> linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid
> setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace
> sys_rawio sys_resource sys_time sys_tty_config };
> allow container_init_t container_init_t:cap_userns { chown dac_override
> dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid
> };
> allow container_kvm_t container_kvm_t:cap_userns { chown dac_override
> dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid
> };
> allow container_t container_t:cap_userns { chown dac_override dac_read_search
> fowner kill net_admin net_bind_service net_raw setgid setuid };
> allow crio_t crio_t:cap_userns { audit_write chown dac_override
> dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
> mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid
> sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio
> sys_resource sys_time sys_tty_config };
> allow dockerd_t dockerd_t:cap_userns { audit_write chown dac_override
> dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
> mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid
> sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio
> sys_resource sys_time sys_tty_config };
> allow dockerd_user_t dockerd_user_t:cap_userns { audit_write chown
> dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease
> linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid
> setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace
> sys_rawio sys_resource sys_time sys_tty_config };
> allow init_t init_t:cap_userns { audit_write chown dac_override
> dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
> mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid
> sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace
> sys_rawio sys_resource sys_time sys_tty_config };
> allow iptables_t iptables_t:cap_userns { net_admin net_raw };
> allow podman_t podman_t:cap_userns { audit_write chown dac_override
> dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
> mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid
> sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio
> sys_resource sys_time sys_tty_config };
> allow podman_user_t podman_user_t:cap_userns { audit_write chown dac_override
> dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
> mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid
> sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio
> sys_resource sys_time sys_tty_config };
> allow spc_t spc_t:cap_userns { audit_write chown dac_override dac_read_search
> fowner fsetid ipc_lock kill mknod net_admin net_bind_service net_raw setgid
> setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource
> };
> allow spc_user_t spc_user_t:cap_userns { chown dac_override dac_read_search
> fowner kill net_admin net_bind_service net_raw setgid setuid };
> allow staff_bubblewrap_t staff_bubblewrap_t:cap_userns { dac_override
> net_admin setpcap sys_admin sys_ptrace };
> allow sysadm_bubblewrap_t sysadm_bubblewrap_t:cap_userns { dac_override
> net_admin setpcap sys_admin sys_ptrace };
> allow user_bubblewrap_t user_bubblewrap_t:cap_userns { dac_override net_admin
> setpcap sys_admin sys_ptrace };
--
gpg --auto-key-locate clear,nodefault,wkd --locate-external-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl
prev parent reply other threads:[~2026-06-30 12:41 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 12:09 DirtyClone etc Russell Coker
2026-06-30 12:40 ` Dominick Grift [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h5mkp5ez.fsf@defensec.nl \
--to=dominick.grift@defensec.nl \
--cc=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.