authorAndrew G. Morgan <morgan@kernel.org>2021-05-16 15:46:13 -0700
committerAndrew G. Morgan <morgan@kernel.org>2021-05-16 16:15:28 -0700
commit572b1f8099c05e2840ae66d52d8bee8e547bad39 (patch)
treeb1195d72340deebcf0f9e12e3c30a88ac150f60e /progs
parentfe4c27de243b13973acff3cda2c8c8ff4a768855 (diff)
downloadlibcap2-572b1f8099c05e2840ae66d52d8bee8e547bad39.tar.gz
Validate that user namespaces require CAP_SETFCAP to map UID=0.
I found this corner case privilege escalation in December 2020. Now that it is fixed upstream and widely deployed, add a test so we don't regress. [If you find 'make sudotest' fails for you, you should upgrade your kernel.] Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Diffstat (limited to 'progs')
-rw-r--r--progs/capshdoc.h5
1 files changed, 5 insertions, 0 deletions
diff --git a/progs/capshdoc.h b/progs/capshdoc.h
index efe4797..79953b3 100644
--- a/progs/capshdoc.h
+++ b/progs/capshdoc.h
@@ -276,6 +276,11 @@ static const char *explanation30[] = { /* cap_audit_control = 30 */
};
static const char *explanation31[] = { /* cap_setfcap = 31 */
"Allows a process to set capabilities on files.",
+ "Permits a process to uid_map the uid=0 of the",
+ "parent user namespace into that of the child",
+ "namespace. Also, permits a process to override",
+ "securebits locks through user namespace",
+ "creation.",
NULL
};
static const char *explanation32[] = { /* cap_mac_override = 32 */
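Review bot: The lines added to `explanation31` state the uid=0 mapping restriction unconditionally, but the commit message says the accompanying test fails on kernels that lack the upstream fix, so on those kernels the mapping is presumably not gated by CAP_SETFCAP. Someone who drops cap_setfcap on the strength of this text, expecting it to block uid=0 mapping in a child user namespace, would be unprotected on an older kernel. Consider appending one more string before the `NULL` terminator, for example `"[Enforced only by kernels that carry the fix.]",`. If this header is generated from a separate notes file (not visible here, as the diffstat is limited to progs), the same wording should go into that source.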