From: Alex Murray Date: Wed, 17 Nov 2021 04:13:41 +0000 (+1030) Subject: [PATCH 14/36] cmd/snap-confine: Remove execute permission from AppArmor profile X-Git-Tag: archive/raspbian/2.37.4-1+rpi1+deb10u1^2~2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=5bd183d836b478321b58d99e2fc361f8d7646fc6;p=snapd.git [PATCH 14/36] cmd/snap-confine: Remove execute permission from AppArmor profile The snap-confine AppArmor profile cargo-culted a work-around for the handling of encryptfs encrypted home directories from the AppArmor base abstraction. Unfortunately this includes permission to execute arbitrary binaries from within the user's Private home directory and so could be used to trick snap-confine to execute arbitrary user-controlled binaries, which when combined with other flaws in snap-confine could then be used to try and escape confinement. Signed-off-by: Alex Murray Gbp-Pq: Topic cve202144730 Gbp-Pq: Name 0014-cmd-snap-confine-Remove-execute-permission-from-AppA.patch --- diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in index 6ba07753..a0940f42 100644 --- a/cmd/snap-confine/snap-confine.apparmor.in +++ b/cmd/snap-confine/snap-confine.apparmor.in @@ -338,10 +338,10 @@ # stacked filesystems generally. # encrypted ~/.Private and old-style encrypted $HOME @{HOME}/.Private/ r, - @{HOME}/.Private/** mrixwlk, + @{HOME}/.Private/** mrwlk, # new-style encrypted $HOME @{HOMEDIRS}/.ecryptfs/*/.Private/ r, - @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, + @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk, # Allow snap-confine to move to the void /var/lib/snapd/void/ r,
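Review bot: Both changed rules, `@{HOME}/.Private/** mrwlk,` and `@{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,`, still carry `m`, which in AppArmor permits mapping a file with PROT_EXEC. The profile therefore still allows content under the user-controlled Private directory to be mapped executable, even though `ix` is gone. If snap-confine has no need to mmap executable files from these paths, reduce the mask to `rwlk`, or to whatever the eCryptfs work-around actually requires. It would also help to add a comment above the two rules saying that execute permission is deliberately omitted here, so that a later resync with the base abstraction the commit message mentions does not restore it.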