The changes introduced in Ironpenguin open a few questions for security restrictions in the kernel.
Since the chroot system call can no longer be used to break out of a previous chroot, does it still need to be restricted to processes with CAP_SYS_CHROOT?
Given the exploit explained in capability notes
should the capceiling
calls require a capability for now? If so, should there be a sysctl to remove that restriction (or set it)?
What capability should be required to set an fscap
? Arguably, SETPCAP
is appropriate, but would call for modufying the kernel to allow it to exist. Perhaps a process should only be allowed to set caps it currently has? It stands to reason that a process capable of setting an fscap can easily gain that capability for itself anyway.