[PATCH 13/36] cmd/libsnap-confine-private: Tighten AppArmor label check

Only consider snap-confine as confined by AppArmor when the AppArmor label
matches an expected path location for the snap-confine binary, rather than
just if the label is not "unconfined". This ensures snap-confine will fail
to execute if it is executed under a more permissive AppArmor profile than
expected.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
Gbp-Pq: Topic cve202144730
Gbp-Pq: Name 0013-cmd-libsnap-confine-private-Tighten-AppArmor-label-c.patch

diff --git a/cmd/libsnap-confine-private/apparmor-support.c b/cmd/libsnap-confine-private/apparmor-support.c
index 9930e4216888b11274617f86356be37bda25a7b3..a0f342f53853a527cee2554fe82d12a2d871e114 100644 (file)
--- a/cmd/libsnap-confine-private/apparmor-support.c
+++ b/cmd/libsnap-confine-private/apparmor-support.c
@@ -20,6 +20,7 @@
 #endif
 
 #include "apparmor-support.h"
+#include "utils.h"
 
 #include <string.h>
 #include <errno.h>
@@ -87,13 +88,13 @@ void sc_init_apparmor_support(struct sc_apparmor *apparmor)
        }
        debug("apparmor label on snap-confine is: %s", label);
        debug("apparmor mode is: %s", mode);
-       // The label has a special value "unconfined" that is applied to all
-       // processes without a dedicated profile. If that label is used then the
-       // current process is not confined. All other labels imply confinement.
-       if (label != NULL && strcmp(label, SC_AA_UNCONFINED_STR) == 0) {
-               apparmor->is_confined = false;
-       } else {
+       // expect to be confined by a profile with the name of a valid
+       // snap-confine binary since if not we may be executed under a
+       // profile with more permissions than expected
+       if (label != NULL && sc_is_expected_path(label)) {
                apparmor->is_confined = true;
+       } else {
+               apparmor->is_confined = false;
        }
        // There are several possible results for the confinement type (mode) that
        // are checked for below.