commit: b2b5270fcce158aedf71a5be0b2fa15822ecb069
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Oct 5 11:13:54 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 6 15:31:45 2023 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2b5270f
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ While cgroups2 doesn't have the "feature" of having the kernel run a program specified in the cgroup the history of this exploit suggests that writing to cgroups should be restricted and not granted to all users Signed-off-by: Russell Coker <russell <AT> coker.com.au> Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> policy/modules/system/userdomain.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 642da35cd..676a76241 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -690,7 +690,7 @@ template(`userdom_common_user_template',` files_watch_etc_dirs($1_t) files_watch_usr_dirs($1_t) - fs_rw_cgroup_files($1_t) + fs_read_cgroup_files($1_t) # cjp: some of this probably can be removed selinux_get_fs_mount($1_t)
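Review bot: the swap from fs_rw_cgroup_files($1_t) to fs_read_cgroup_files($1_t) sits inside userdom_common_user_template, so it removes cgroup write access from every common user domain built from that template at once, with no tunable or separate interface left for the cases that still need it; the commit message should either state that no user-domain write use case is expected, or the change should be gated behind a boolean so administrators can re-enable it without a policy rebuild. The rationale in the message also rests on the cgroup v1 behaviour described in the linked post while conceding that cgroups2 lacks that feature, so it would help to note explicitly that the restriction is intended as defence in depth on cgroups2 systems as well. After merging, a quick check of the audit log for AVC denials on cgroup files from $1_t-style domains (the `# cjp: some of this probably can be removed` comment directly below suggests this block has not been revisited recently) would confirm nothing in a normal user session was relying on the write permission.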
