From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from markus.defensec.nl (markus.defensec.nl [45.80.168.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E2D6A40B6E2 for ; Tue, 30 Jun 2026 12:41:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.80.168.93 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782823263; cv=none; b=ivYrDyoDszaOtrq+0gmfOC5n7fTmQaOyDevVUsWIU73q9+Gb/SQBC1EdWShI628o0xupFwTITzPLgl0U0hoeKTQkEW6QtZjQgqc+DQOK7/DsLl77D1zdqqJfeIQ1HgNsAtj7EnrlwC5sEX20zIPrV46NxvNoW7mADFnc8yLc/60= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782823263; c=relaxed/simple; bh=3kpPeaSUBWpxZybMQEOccSKKf/GLRuIzTJO1o6vpy1M=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=SaCGmY7Ug6k56RprQZG6UkMIkYa+dTwNJYfPKC5p80VXSzbSYWCq/9Suf5Hat2IbniCSj2/SkSFfd/n8C65dUo5WhJTt7iVploJ1+vf6TmeiT/VafPUqTR4c1d6r4CeV5DCsHlXI4bvdxa36zTJwgXhh5YELiQC4fiD2xnc9tGA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=defensec.nl; spf=pass smtp.mailfrom=defensec.nl; dkim=pass (1024-bit key) header.d=defensec.nl header.i=@defensec.nl header.b=TK72mmv7; arc=none smtp.client-ip=45.80.168.93 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=defensec.nl Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=defensec.nl Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=defensec.nl header.i=@defensec.nl header.b="TK72mmv7" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=defensec.nl; s=default; t=1782823253; bh=3kpPeaSUBWpxZybMQEOccSKKf/GLRuIzTJO1o6vpy1M=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=TK72mmv7KvvliYYWlj3gO/noeR82kt3GWlS6OuZ7xHjwToEU/Z7Y2VZyPfG0Wg7b/ aj1EvDihRmO1tIElb9kj1NTlGCbcW25OLnI524iLm1LTaRssUCmAUYp01Uc2zVABl+ WxQUzCp9Ld7VmwUE09evdqyBFa1SgwF5CuLcl2q4= Received: from nimbus (nimbus.defensec.nl [IPv6:2a10:3781:2099::514]) by markus.defensec.nl (Postfix) with ESMTPSA id 8C84C2B34BA; Tue, 30 Jun 2026 14:40:53 +0200 (CEST) From: Dominick Grift To: Russell Coker Cc: selinux-refpolicy@vger.kernel.org Subject: Re: DirtyClone etc In-Reply-To: <3639982.SvYEEZNnvj@dojacat> (Russell Coker's message of "Tue, 30 Jun 2026 22:09:34 +1000") References: <3639982.SvYEEZNnvj@dojacat> Date: Tue, 30 Jun 2026 14:40:52 +0200 Message-ID: <87h5mkp5ez.fsf@defensec.nl> User-Agent: Gnus/5.13 (Gnus v5.13) Precedence: bulk X-Mailing-List: selinux-refpolicy@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain Russell Coker writes: > https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/ > > This is the latest kernel exploit which relies on creating a container with > "unshare -Urn" or "bwrap --bind / / --unshare-user --unshare-net --uid 0 --gid > 0 /bin/bash" and having self:cap_userns net_admin access in that container. > > Should we have some neverallow rules for accessing such capabilities that work > in a similar way to the ones for accessing memory_device_t, security_t, and > shadow_t? Looks like one in a long line of bugs related to kernel.unprivileged_userns_clone If blocking that access would mitigate without breaking functionality then I would be sympathetic but if for example we remove it from podman_user_t then thats bound to break. Fix is also in the pipeline and I doubt a policy update would arrive quicker to many than Linux 7.2 I would instead suggest using the JFrog mitigation advice and if when individuals have access to recent SELinux then they can customise and tailor it easily: echo '(deny podman_user_t self (cap_userns (net_admin)))' >mytest.cil && sudo semodule -i mytest.cil I think quite a few people pay quite close attention to that kernel.unprivileged_userns_clone sysctl setting and are well aware of the dangers of enabling and using it. SELinux can do a lot of handy things but in the end, at least to me, its access control used to enforce the principle of least privilege, confidentiality or separation. > > Below are the domains that have such access in the Debian policy (a moderately > modified version of refpolicy) with the unconfined module removed. > > # sesearch -A -c cap_userns -p net_admin > allow container_engine_t container_engine_t:cap_userns { audit_write chown > dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease > linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid > setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace > sys_rawio sys_resource sys_time sys_tty_config }; > allow container_init_t container_init_t:cap_userns { chown dac_override > dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid > }; > allow container_kvm_t container_kvm_t:cap_userns { chown dac_override > dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid > }; > allow container_t container_t:cap_userns { chown dac_override dac_read_search > fowner kill net_admin net_bind_service net_raw setgid setuid }; > allow crio_t crio_t:cap_userns { audit_write chown dac_override > dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable > mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid > sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio > sys_resource sys_time sys_tty_config }; > allow dockerd_t dockerd_t:cap_userns { audit_write chown dac_override > dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable > mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid > sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio > sys_resource sys_time sys_tty_config }; > allow dockerd_user_t dockerd_user_t:cap_userns { audit_write chown > dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease > linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid > setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace > sys_rawio sys_resource sys_time sys_tty_config }; > allow init_t init_t:cap_userns { audit_write chown dac_override > dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable > mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid > sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace > sys_rawio sys_resource sys_time sys_tty_config }; > allow iptables_t iptables_t:cap_userns { net_admin net_raw }; > allow podman_t podman_t:cap_userns { audit_write chown dac_override > dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable > mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid > sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio > sys_resource sys_time sys_tty_config }; > allow podman_user_t podman_user_t:cap_userns { audit_write chown dac_override > dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable > mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid > sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio > sys_resource sys_time sys_tty_config }; > allow spc_t spc_t:cap_userns { audit_write chown dac_override dac_read_search > fowner fsetid ipc_lock kill mknod net_admin net_bind_service net_raw setgid > setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource > }; > allow spc_user_t spc_user_t:cap_userns { chown dac_override dac_read_search > fowner kill net_admin net_bind_service net_raw setgid setuid }; > allow staff_bubblewrap_t staff_bubblewrap_t:cap_userns { dac_override > net_admin setpcap sys_admin sys_ptrace }; > allow sysadm_bubblewrap_t sysadm_bubblewrap_t:cap_userns { dac_override > net_admin setpcap sys_admin sys_ptrace }; > allow user_bubblewrap_t user_bubblewrap_t:cap_userns { dac_override net_admin > setpcap sys_admin sys_ptrace }; -- gpg --auto-key-locate clear,nodefault,wkd --locate-external-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift Mastodon: @kcinimod@defensec.nl