From e9f5c82763ee24af02f0cd787287365eda667532 Mon Sep 17 00:00:00 2001
From: Alex Murray
Date: Wed, 17 Nov 2021 14:43:41 +1030
Subject: [PATCH] [PATCH 14/36] cmd/snap-confine: Remove execute permission from AppArmor profile

The snap-confine AppArmor profile cargo-culted a work-around for the handling of encryptfs encrypted home directories from the AppArmor base abstraction. Unfortunately this includes permission to execute arbitrary binaries from within the user's Private home directory and so could be used to trick snap-confine to execute arbitrary user-controlled binaries, which when combined with other flaws in snap-confine could then be used to try and escape confinement.

Signed-off-by: Alex Murray
Gbp-Pq: Topic cve202144730
Gbp-Pq: Name 0014-cmd-snap-confine-Remove-execute-permission-from-AppA.patch
---
 cmd/snap-confine/snap-confine.apparmor.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
index 6ba07753..a0940f42 100644
--- a/cmd/snap-confine/snap-confine.apparmor.in
+++ b/cmd/snap-confine/snap-confine.apparmor.in
@@ -338,10 +338,10 @@
 # stacked filesystems generally.
 # encrypted ~/.Private and old-style encrypted $HOME
 @{HOME}/.Private/ r,
- @{HOME}/.Private/** mrixwlk,
+ @{HOME}/.Private/** mrwlk,
 # new-style encrypted $HOME
 @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
- @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
+ @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,
 # Allow snap-confine to move to the void
 /var/lib/snapd/void/ r,
-- 
2.30.2
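Review bot: Both replacement rules, `@{HOME}/.Private/** mrwlk,` and `@{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,`, still carry `m`, so snap-confine keeps permission to map files from these user-controlled trees as executable even though `ix` is gone. Whether snap-confine needs `m` here is not visible from the hunk; if the work-around only needs data access through the stacked filesystem, `rwlk` (or narrower) on both lines would match the commit's stated intent more closely. Because the commit message says the rule was copied from the base abstraction, a comment above the two rules such as `# deliberately no 'ix': never exec from user-controlled ecryptfs dirs; do not re-sync with the base abstraction` would help keep the permission from being reintroduced. The enclosing profile block starts and ends outside the hunk.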