[PATCH 14/36] cmd/snap-confine: Remove execute permission from AppArmor profile
author Alex Murray <alex.murray@canonical.com>
Wed, 17 Nov 2021 04:13:41 +0000 (14:43 +1030)
committer Michael Vogt <mvo@debian.org>
Thu, 17 Feb 2022 15:29:46 +0000 (15:29 +0000)
commit 5bd183d836b478321b58d99e2fc361f8d7646fc6
tree 96cec84cbd73a650152388ae4e3e9d0ba4e97a6e
parent 4bc615762fa4dbc024c45ea0663e6e95897f9ca6

The snap-confine AppArmor profile cargo-culted a work-around for the
handling of ecryptfs encrypted home directories from the AppArmor
base abstraction. Unfortunately this includes permission to execute
arbitrary binaries from within the user's Private home directory
and so could be used to trick snap-confine into executing arbitrary
user-controlled binaries, which when combined with other flaws in
snap-confine could then be used to try and escape confinement.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
Gbp-Pq: Topic cve202144730
Gbp-Pq: Name 0014-cmd-snap-confine-Remove-execute-permission-from-AppA.patch
cmd/snap-confine/snap-confine.apparmor.in
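
An audit check for the class of rule the commit message describes, as an added example that is not part of this commit or of snapd: it flags AppArmor file rules that grant any execute mode on paths under a user's home directory. The function name, the list of user-writable roots and the sample profile fragment are assumptions constructed for illustration.

```python
import re

# Path-first AppArmor file rule: [qualifiers] <path> <permissions>,
# Assumption: the leading-permission form ("rw /path,") is not handled here.
RULE = re.compile(
    r"^\s*(?P<quals>(?:(?:audit|allow|deny|owner)\s+)*)"
    r"(?P<path>(?:/|@\{)\S*)\s+"
    r"(?P<perms>[rwalkmxiuUpPcC]+)\s*,\s*(?:#.*)?$"
)
# Locations an unprivileged user can normally write to (assumed list).
USER_ROOTS = ("@{HOME}", "@{HOMEDIRS}", "/home/")


def exec_rules_on_user_paths(profile_text):
    """Return (line number, path, perms) for allow rules that grant
    execute permission under a user-writable root."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line)
        if not m or "deny" in m.group("quals").split():
            continue
        # Every exec mode (ix, px, Px, cx, ux, ...) contains the letter x.
        if "x" in m.group("perms") and m.group("path").startswith(USER_ROOTS):
            findings.append((lineno, m.group("path"), m.group("perms")))
    return findings


# Constructed profile fragment modelled on the commit description;
# it is not the real snap-confine profile.
SAMPLE = """\
# constructed example
/usr/lib/snapd/snap-confine {
    /etc/ld.so.cache r,
    owner @{HOME}/.Private/** mrixwlk,
    owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
    owner @{HOME}/.Private/** mrwlk,
    deny @{HOME}/bin/** x,
    /usr/bin/foo rix,
}
"""

if __name__ == "__main__":
    for lineno, path, perms in exec_rules_on_user_paths(SAMPLE):
        print(f"line {lineno}: {path} grants execute ({perms})")
```

Rules pulled in through `#include` are not followed, so the check has to be run over each included abstraction as well.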