All of lore.kernel.org
 help / color / mirror / Atom feed
* DirtyClone etc
@ 2026-06-30 12:09 Russell Coker
  2026-06-30 12:40 ` Dominick Grift
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2026-06-30 12:09 UTC (permalink / raw)
  To: selinux-refpolicy

https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/

This is the latest kernel exploit which relies on creating a container with 
"unshare -Urn" or "bwrap --bind / / --unshare-user --unshare-net --uid 0 --gid 
0 /bin/bash" and having self:cap_userns net_admin access in that container.  

Should we have some neverallow rules for accessing such capabilities that work 
in a similar way to the ones for accessing memory_device_t, security_t, and 
shadow_t?

Below are the domains that have such access in the Debian policy (a moderately 
modified version of refpolicy) with the unconfined module removed.

# sesearch -A -c cap_userns -p net_admin
allow container_engine_t container_engine_t:cap_userns { audit_write chown 
dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease 
linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid 
setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace 
sys_rawio sys_resource sys_time sys_tty_config };
allow container_init_t container_init_t:cap_userns { chown dac_override 
dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid 
};
allow container_kvm_t container_kvm_t:cap_userns { chown dac_override 
dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid 
};
allow container_t container_t:cap_userns { chown dac_override dac_read_search 
fowner kill net_admin net_bind_service net_raw setgid setuid };
allow crio_t crio_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow dockerd_t dockerd_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow dockerd_user_t dockerd_user_t:cap_userns { audit_write chown 
dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease 
linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid 
setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace 
sys_rawio sys_resource sys_time sys_tty_config };
allow init_t init_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace 
sys_rawio sys_resource sys_time sys_tty_config };
allow iptables_t iptables_t:cap_userns { net_admin net_raw };
allow podman_t podman_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow podman_user_t podman_user_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow spc_t spc_t:cap_userns { audit_write chown dac_override dac_read_search 
fowner fsetid ipc_lock kill mknod net_admin net_bind_service net_raw setgid 
setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource 
};
allow spc_user_t spc_user_t:cap_userns { chown dac_override dac_read_search 
fowner kill net_admin net_bind_service net_raw setgid setuid };
allow staff_bubblewrap_t staff_bubblewrap_t:cap_userns { dac_override 
net_admin setpcap sys_admin sys_ptrace };
allow sysadm_bubblewrap_t sysadm_bubblewrap_t:cap_userns { dac_override 
net_admin setpcap sys_admin sys_ptrace };
allow user_bubblewrap_t user_bubblewrap_t:cap_userns { dac_override net_admin 
setpcap sys_admin sys_ptrace };

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: DirtyClone etc
  2026-06-30 12:09 DirtyClone etc Russell Coker
@ 2026-06-30 12:40 ` Dominick Grift
  0 siblings, 0 replies; 2+ messages in thread
From: Dominick Grift @ 2026-06-30 12:40 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/
>
> This is the latest kernel exploit which relies on creating a container with 
> "unshare -Urn" or "bwrap --bind / / --unshare-user --unshare-net --uid 0 --gid 
> 0 /bin/bash" and having self:cap_userns net_admin access in that container.  
>
> Should we have some neverallow rules for accessing such capabilities that work 
> in a similar way to the ones for accessing memory_device_t, security_t, and 
> shadow_t?

Looks like one in a long line of bugs related to
kernel.unprivileged_userns_clone

If blocking that access would mitigate without breaking functionality
then I would be sympathetic but if for example we remove it from
podman_user_t then thats bound to break. Fix is also in the pipeline and
I doubt a policy update would arrive quicker to many than Linux 7.2

I would instead suggest using the JFrog mitigation advice and if when
individuals have access to recent SELinux then they can customise and
tailor it easily:

echo '(deny podman_user_t self (cap_userns (net_admin)))' >mytest.cil &&
sudo semodule -i mytest.cil

I think quite a few people pay quite close attention to that
kernel.unprivileged_userns_clone sysctl setting and are well aware of
the dangers of enabling and using it.

SELinux can do a lot of handy things but in the end, at least to me,
its access control used to enforce the principle of least privilege,
confidentiality or separation.


>
> Below are the domains that have such access in the Debian policy (a moderately 
> modified version of refpolicy) with the unconfined module removed.
>
> # sesearch -A -c cap_userns -p net_admin
> allow container_engine_t container_engine_t:cap_userns { audit_write chown 
> dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease 
> linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid 
> setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace 
> sys_rawio sys_resource sys_time sys_tty_config };
> allow container_init_t container_init_t:cap_userns { chown dac_override 
> dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid 
> };
> allow container_kvm_t container_kvm_t:cap_userns { chown dac_override 
> dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid 
> };
> allow container_t container_t:cap_userns { chown dac_override dac_read_search 
> fowner kill net_admin net_bind_service net_raw setgid setuid };
> allow crio_t crio_t:cap_userns { audit_write chown dac_override 
> dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
> mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
> sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
> sys_resource sys_time sys_tty_config };
> allow dockerd_t dockerd_t:cap_userns { audit_write chown dac_override 
> dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
> mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
> sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
> sys_resource sys_time sys_tty_config };
> allow dockerd_user_t dockerd_user_t:cap_userns { audit_write chown 
> dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease 
> linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid 
> setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace 
> sys_rawio sys_resource sys_time sys_tty_config };
> allow init_t init_t:cap_userns { audit_write chown dac_override 
> dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
> mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
> sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace 
> sys_rawio sys_resource sys_time sys_tty_config };
> allow iptables_t iptables_t:cap_userns { net_admin net_raw };
> allow podman_t podman_t:cap_userns { audit_write chown dac_override 
> dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
> mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
> sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
> sys_resource sys_time sys_tty_config };
> allow podman_user_t podman_user_t:cap_userns { audit_write chown dac_override 
> dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
> mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
> sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
> sys_resource sys_time sys_tty_config };
> allow spc_t spc_t:cap_userns { audit_write chown dac_override dac_read_search 
> fowner fsetid ipc_lock kill mknod net_admin net_bind_service net_raw setgid 
> setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource 
> };
> allow spc_user_t spc_user_t:cap_userns { chown dac_override dac_read_search 
> fowner kill net_admin net_bind_service net_raw setgid setuid };
> allow staff_bubblewrap_t staff_bubblewrap_t:cap_userns { dac_override 
> net_admin setpcap sys_admin sys_ptrace };
> allow sysadm_bubblewrap_t sysadm_bubblewrap_t:cap_userns { dac_override 
> net_admin setpcap sys_admin sys_ptrace };
> allow user_bubblewrap_t user_bubblewrap_t:cap_userns { dac_override net_admin 
> setpcap sys_admin sys_ptrace };

-- 
gpg --auto-key-locate clear,nodefault,wkd --locate-external-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-30 12:41 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-30 12:09 DirtyClone etc Russell Coker
2026-06-30 12:40 ` Dominick Grift

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.