
Bug 832725 (CVE-2022-0492)

Summary: sys-kernel/gentoo-sources kernel/cgroup/cgroup-v1.c - privesc in cgroup_release_agent_write (CVE-2022-0492)
Product: Gentoo Linux
Reporter: Hank Leininger <hlein>
Component: Current packages
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: jstein, kernel
Priority: Normal
Keywords: SECURITY
Version: unspecified
Hardware: All
OS: Linux
URL: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af
Whiteboard:
Package list:
Runtime testing required: ---

Description Hank Leininger 2022-02-04 22:23:46 UTC
From https://marc.info/?l=oss-security&m=164399879422272&w=4:

"It has been discovered that under certain circumstances, the Linux kernel's
cgroups v1 release_agent feature can be used to escalate privilege and
bypass namespace isolation unexpectedly.

CVE-2022-0492 has been assigned to this issue, which is corrected by
requiring CAP_SYS_ADMIN in the initial user namespace when setting
release_agent. This has been included upstream in commit
24f6008564183aa120d07c03d9289519c2fe02af."

From https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af:

"The cgroup release_agent is called with call_usermodehelper.  The function
call_usermodehelper starts the release_agent with a full set of capabilities.
Therefore require capabilities when setting the release_agent."

AIUI, that means anyone who can call cgroup_release_agent_write can end up with all capabilities, prior to the fix?

Some minor spelunking showed that cgroup_release_agent_write appeared in more-or-less its current form in 2008. So any Linux kernel from v2.6.26 onward, with CONFIG_CGROUPS, may be vulnerable?
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-16 22:59:34 UTC
$ fix_in_what_release 24f6008564183aa120d07c03d9289519c2fe02af
4.9.301 4.14.266 4.19.229 5.4.177 5.10.97 5.15.20 5.16.6

I can't find a security-supported kernel that has any vulnerable version, and since we don't issue GLSAs for kernels, we should be all done here.
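A triage helper added here for readers of this bug (it is not part of the bug report or the kernel tree): it takes a kernel version string such as the output of `uname -r` and reports whether that version is at or past the stable release carrying the fix, using the fixed releases listed in comment 1 and the reporter's v2.6.26 estimate from the description. It assumes that mainline 5.17 and later include the fix and that any branch not in the list should be treated as unpatched.

```python
"""Is a running kernel at or past the stable release that carries
commit 24f6008564183aa120d07c03d9289519c2fe02af (CVE-2022-0492)?"""
import re

# Fixed stable releases as listed in comment 1 of the bug.
FIXED = ["4.9.301", "4.14.266", "4.19.229", "5.4.177",
         "5.10.97", "5.15.20", "5.16.6"]
# Assumption: the fix is in mainline from 5.17 onward.
FIRST_MAINLINE_WITH_FIX = (5, 17)
# Reporter's estimate of the first affected release (description).
FIRST_VULNERABLE = (2, 6, 26)


def parse(ver):
    """Turn '5.15.20-gentoo-r1' into (5, 15, 20); a missing patch level is 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", ver.strip())
    if not m:
        raise ValueError("unrecognised kernel version: %r" % ver)
    return tuple(int(x or 0) for x in m.groups())


def status(ver):
    """Classify a kernel version against the fix.

    Returns 'not affected', 'fixed', 'vulnerable', or 'unsupported branch'
    (no listed fix for that stable series; treat it as vulnerable)."""
    v = parse(ver)
    if v < FIRST_VULNERABLE:
        return "not affected"
    branch = v[:2]
    for fixed in FIXED:
        fv = parse(fixed)
        if fv[:2] == branch:
            return "fixed" if v >= fv else "vulnerable"
    if branch >= FIRST_MAINLINE_WITH_FIX:
        return "fixed"
    return "unsupported branch"


if __name__ == "__main__":
    import platform
    running = platform.release()
    print("%s: %s" % (running, status(running)))
```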