The snap-confine AppArmor profile cargo-culted a work-around for the
handling of ecryptfs encrypted home directories from the AppArmor
base abstraction. Unfortunately this includes permission to execute
arbitrary binaries from within the user's Private home directory
and so could be used to trick snap-confine to execute arbitrary
user-controlled binaries, which when combined with other flaws in
snap-confine could then be used to try and escape confinement.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Gbp-Pq: Topic cve202144730
Gbp-Pq: Name 0014-cmd-snap-confine-Remove-execute-permission-from-AppA.patch
# stacked filesystems generally.
# encrypted ~/.Private and old-style encrypted $HOME
@{HOME}/.Private/ r,
- @{HOME}/.Private/** mrixwlk,
+ @{HOME}/.Private/** mrwlk,
# new-style encrypted $HOME
@{HOMEDIRS}/.ecryptfs/*/.Private/ r,
- @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
+ @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,
# Allow snap-confine to move to the void
/var/lib/snapd/void/ r,
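Review bot: dropping `ix` from both `@{HOME}/.Private/**` and `@{HOMEDIRS}/.ecryptfs/*/.Private/**` closes the execute path described in the message, but the replacement rules `mrwlk` still keep `m`, which lets snap-confine mmap any file under the user-controlled `.Private` tree with PROT_EXEC. If snap-confine has no legitimate need to map user files as executable memory (and nothing in this hunk suggests it does), consider tightening further to `rwlk` so that user-controlled content cannot be mapped executable at all; if `m` is genuinely required, a comment stating why would help the next reader avoid re-auditing this.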