From: Alex Murray
Date: Wed, 17 Nov 2021 04:07:39 +0000 (+1030)
Subject: [PATCH 13/36] cmd/libsnap-confine-private: Tighten AppArmor label check
X-Git-Tag: archive/raspbian/2.37.4-1+rpi1+deb10u1^2~3
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=4bc615762fa4dbc024c45ea0663e6e95897f9ca6;p=snapd.git

[PATCH 13/36] cmd/libsnap-confine-private: Tighten AppArmor label check

Only consider snap-confine as confined by AppArmor when the AppArmor label matches an expected path location for the snap-confine binary, rather than just if the label is not "unconfined". This ensures snap-confine will fail to execute if it is executed under a more permissive AppArmor profile than expected.

Signed-off-by: Alex Murray
Gbp-Pq: Topic cve202144730
Gbp-Pq: Name 0013-cmd-libsnap-confine-private-Tighten-AppArmor-label-c.patch
---
diff --git a/cmd/libsnap-confine-private/apparmor-support.c b/cmd/libsnap-confine-private/apparmor-support.c index 9930e421..a0f342f5 100644 --- a/cmd/libsnap-confine-private/apparmor-support.c +++ b/cmd/libsnap-confine-private/apparmor-support.c @@ -20,6 +20,7 @@ #endif #include "apparmor-support.h" +#include "utils.h" #include #include 
@@ -87,13 +88,13 @@ void sc_init_apparmor_support(struct sc_apparmor *apparmor) } debug("apparmor label on snap-confine is: %s", label); debug("apparmor mode is: %s", mode); - // The label has a special value "unconfined" that is applied to all - // processes without a dedicated profile. If that label is used then the - // current process is not confined. All other labels imply confinement. - if (label != NULL && strcmp(label, SC_AA_UNCONFINED_STR) == 0) { - apparmor->is_confined = false; - } else { + // expect to be confined by a profile with the name of a valid + // snap-confine binary since if not we may be executed under a + // profile with more permissions than expected + if (label != NULL && sc_is_expected_path(label)) { apparmor->is_confined = true; + } else { + apparmor->is_confined = false; } // There are several possible results for the confinement type (mode) that // are checked for below.
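Review bot: the NULL-label case silently changes behaviour in the sc_init_apparmor_support hunk and the commit message does not mention it: in the removed code the only route to `apparmor->is_confined = false` was `label != NULL && strcmp(label, SC_AA_UNCONFINED_STR) == 0`, so a NULL label was reported as confined, whereas the new condition `label != NULL && sc_is_expected_path(label)` sends NULL to the else branch and reports unconfined. That is the safer direction, but it deserves a sentence in the message and, ideally, a separate `if (label == NULL)` branch with its own debug() line so the two reasons for ending up unconfined (no label at all versus a label that is not an expected snap-confine path) remain distinguishable when diagnosing a refusal to start. Two smaller points on the same hunk: the new comment says "a profile with the name of a valid snap-confine binary" but nothing in the diff shows what sc_is_expected_path accepts, so state in the comment which path forms are considered expected rather than sending the reader to utils.h; and the message promises snap-confine "will fail to execute" under a more permissive profile while this hunk only clears is_confined, so name the caller that treats a false is_confined as fatal, otherwise a reviewer cannot confirm from this patch that the check is enforced rather than advisory. Stylistically the if/else collapses to one line, `apparmor->is_confined = label != NULL && sc_is_expected_path(label);`, which also makes the NULL handling easier to see.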