ironpenguin:open_questions
The changes introduced in Ironpenguin open a few questions for security restrictions in the kernel.
- Since the chroot system call can no longer be used to break out of a previous chroot, does it still need to be restricted to processes with CAP_SYS_CHROOT?
- Given the exploit explained in capability notes should the capceiling and jail calls require a capability for now? If so, should there be a sysctl to remove that restriction (or set it)?
- What capability should be required to set an fscap? Arguably, SETPCAP is appropriate, but would call for modufying the kernel to allow it to exist. Perhaps a process should only be allowed to set caps it currently has? It stands to reason that a process capable of setting an fscap can easily gain that capability for itself anyway.
ironpenguin/open_questions.txt · Last modified: by 127.0.0.1