From 572b1f8099c05e2840ae66d52d8bee8e547bad39 Mon Sep 17 00:00:00 2001
From: "Andrew G. Morgan" <morgan@kernel.org>
Date: Sun, 16 May 2021 15:46:13 -0700
Subject: Validate that user namespaces require CAP_SETFCAP to map UID=0.

I found this corner case privilege escalation in December 2020.
Now that it is fixed upstream and widely deployed, add a test
so we don't regress.

[If you find 'make sutotest' fails for you, you should upgrade
your kernel.]

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
---
 progs/capshdoc.h | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'progs')

diff --git a/progs/capshdoc.h b/progs/capshdoc.h
index efe4797..79953b3 100644
--- a/progs/capshdoc.h
+++ b/progs/capshdoc.h
@@ -276,6 +276,11 @@ static const char *explanation30[] = {  /* cap_audit_control = 30 */
 };
 static const char *explanation31[] = {  /* cap_setfcap = 31 */
     "Allows a process to set capabilities on files.",
+    "Permits a process to uid_map the uid=0 of the",
+    "parent user namespace into that of the child",
+    "namespace. Also, permits a process to override",
+    "securebits locks through user namespace",
+    "creation.",
     NULL
 };
 static const char *explanation32[] = {  /* cap_mac_override = 32 */
-- 
cgit v1.2.1