All of lore.kernel.org
 help / color / mirror / Atom feed
* DirtyClone etc
@ 2026-06-30 12:09 Russell Coker
  2026-06-30 12:40 ` Dominick Grift
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2026-06-30 12:09 UTC (permalink / raw)
  To: selinux-refpolicy

https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/

This is the latest kernel exploit which relies on creating a container with 
"unshare -Urn" or "bwrap --bind / / --unshare-user --unshare-net --uid 0 --gid 
0 /bin/bash" and having self:cap_userns net_admin access in that container.  

Should we have some neverallow rules for accessing such capabilities that work 
in a similar way to the ones for accessing memory_device_t, security_t, and 
shadow_t?

Below are the domains that have such access in the Debian policy (a moderately 
modified version of refpolicy) with the unconfined module removed.

# sesearch -A -c cap_userns -p net_admin
allow container_engine_t container_engine_t:cap_userns { audit_write chown 
dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease 
linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid 
setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace 
sys_rawio sys_resource sys_time sys_tty_config };
allow container_init_t container_init_t:cap_userns { chown dac_override 
dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid 
};
allow container_kvm_t container_kvm_t:cap_userns { chown dac_override 
dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid 
};
allow container_t container_t:cap_userns { chown dac_override dac_read_search 
fowner kill net_admin net_bind_service net_raw setgid setuid };
allow crio_t crio_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow dockerd_t dockerd_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow dockerd_user_t dockerd_user_t:cap_userns { audit_write chown 
dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease 
linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid 
setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace 
sys_rawio sys_resource sys_time sys_tty_config };
allow init_t init_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace 
sys_rawio sys_resource sys_time sys_tty_config };
allow iptables_t iptables_t:cap_userns { net_admin net_raw };
allow podman_t podman_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow podman_user_t podman_user_t:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
allow spc_t spc_t:cap_userns { audit_write chown dac_override dac_read_search 
fowner fsetid ipc_lock kill mknod net_admin net_bind_service net_raw setgid 
setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource 
};
allow spc_user_t spc_user_t:cap_userns { chown dac_override dac_read_search 
fowner kill net_admin net_bind_service net_raw setgid setuid };
allow staff_bubblewrap_t staff_bubblewrap_t:cap_userns { dac_override 
net_admin setpcap sys_admin sys_ptrace };
allow sysadm_bubblewrap_t sysadm_bubblewrap_t:cap_userns { dac_override 
net_admin setpcap sys_admin sys_ptrace };
allow user_bubblewrap_t user_bubblewrap_t:cap_userns { dac_override net_admin 
setpcap sys_admin sys_ptrace };

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-30 12:41 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-30 12:09 DirtyClone etc Russell Coker
2026-06-30 12:40 ` Dominick Grift

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.