oss-sec mailing list archives
CVE Request: seunshare and setexeccon issues
From: Andy Lutomirski <luto () amacapital net>
Date: Mon, 12 May 2014 10:34:00 -0700
I think that the fallout for the seunshare stuff is now well-understood enough for CVE requests.

As previously discussed, some combinations of seunshare and libcap-ng can allow sendmail capabilities bug-style privilege escalation. This was caused by capng_lock enabling securebits without using PR_SET_NO_NEW_PRIVS. This seems to be fixed in the latest cap-ng.* That fix causes a regression in policycoreutils' sandbox program; the fix for that regression is making its way upstream.

The related issue is that Linux will silently ignore setexeccon if the subsequent execve call runs something from a nosuid mount. This can cause unexpected failures to enforce SELinux policy. This is probably a low-impact issue. Changes to fix this issue have been discussed, but no patch has been sent yet.

The latter issue causes using policycoreutils' sandbox tool on a binary that is on a nosuid mount to fail open; no error will be reported, but the sandbox policy will not be enforced. This is worked around in Fedora and related distros as a side effect of the regression fix for the capng_lock issue.

I'm not sure how many CVE numbers should be assigned here. As far as I know, none have been assigned so far.

* Combinations of new cap-ng and very old kernels may still be unsafe.

--Andy
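The two conditions in the mail can both be checked by a sandbox launcher before it calls setexeccon() and execve(): whether the target binary lives on a nosuid mount (where the kernel drops the requested label silently) and whether no_new_privs was set before securebits or capabilities are touched. The following is an added example written for this page; it is not code from the mail, from libcap-ng or from policycoreutils. It is Linux-only, uses only statvfs(3) and prctl(2), and the "/bin/true" default target and the refuse-if-nosuid policy are assumptions of the example, not anything the mail prescribes.

```c
/* Added example (not from the mail, libcap-ng or policycoreutils):
 * pre-exec guards so that a sandbox launcher fails closed on the two
 * conditions described above. Linux-only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Decide from statvfs f_flag bits whether execve would silently drop a
 * setexeccon() label: per the mail, that happens when the target is on a
 * nosuid mount. Kept as a pure function so it can be tested with
 * constructed flag values. Returns 1 (label would be dropped) or 0. */
int nosuid_flag_blocks_setexeccon(unsigned long f_flag)
{
    return (f_flag & ST_NOSUID) ? 1 : 0;
}

/* 1 = path is on a nosuid mount (setexeccon would be ignored on execve),
 * 0 = not nosuid, -1 = statvfs failed (errno set). */
int path_on_nosuid_mount(const char *path)
{
    struct statvfs st;
    if (statvfs(path, &st) != 0)
        return -1;
    return nosuid_flag_blocks_setexeccon(st.f_flag);
}

/* Set no_new_privs before touching securebits or dropping capabilities,
 * the ordering the mail says capng_lock lacked. Irreversible for the
 * process and inherited across fork/execve. Returns 0 on success, -1 on
 * failure. */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* 1 if no_new_privs is set for this process, 0 if not, -1 on error. */
int has_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

int main(int argc, char **argv)
{
    /* Hypothetical sandboxed binary; pass a real path as argv[1]. */
    const char *target = argc > 1 ? argv[1] : "/bin/true";

    int nosuid = path_on_nosuid_mount(target);
    if (nosuid < 0) {
        fprintf(stderr, "statvfs(%s): %s\n", target, strerror(errno));
        return 2;
    }
    if (nosuid) {
        /* Fail closed: refuse instead of executing with the label dropped
         * and no error reported, which is the fail-open the mail describes. */
        fprintf(stderr, "%s is on a nosuid mount; setexeccon() would be "
                        "ignored on execve, refusing to run it\n", target);
        return 1;
    }
    if (set_no_new_privs() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 2;
    }
    printf("%s: not on a nosuid mount, no_new_privs=%d; "
           "safe to proceed with setexeccon()+execve\n",
           target, has_no_new_privs());
    return 0;
}
```

The nosuid check is a user-space workaround for a kernel behaviour the mail says is still being discussed upstream; it detects the fail-open condition but does not change what the kernel does, so a launcher that skips it still runs the target unconfined. Setting no_new_privs first means any later securebits change cannot be combined with a setuid or file-capability binary to regain privilege.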
Current thread:
- CVE Request: seunshare and setexeccon issues Andy Lutomirski (May 12)
- Re: CVE Request: seunshare and setexeccon issues Solar Designer (May 12)
- Re: CVE Request: seunshare and setexeccon issues Andy Lutomirski (May 12)
- Re: CVE Request: seunshare and setexeccon issues Solar Designer (May 12)
- Re: CVE Request: seunshare and setexeccon issues Andy Lutomirski (May 12)
- Re: CVE Request: seunshare and setexeccon issues Andy Lutomirski (May 12)
- Re: CVE Request: seunshare and setexeccon issues Solar Designer (May 12)
