From 5bd183d836b478321b58d99e2fc361f8d7646fc6 Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Wed, 17 Nov 2021 14:43:41 +1030 Subject: [PATCH] [PATCH 14/36] cmd/snap-confine: Remove execute permission from AppArmor profile The snap-confine AppArmor profile cargo-culted a work-around for the handling of encryptfs encrypted home directories from the AppArmor base abstraction. Unfortunately this includes permission to execute arbitrary binaries from within the user's Private home directory and so could be used to trick snap-confine to execute arbitrary user-controlled binaries, which when combined with other flaws in snap-confine could then be used to try and escape confinement. Signed-off-by: Alex Murray Gbp-Pq: Topic cve202144730 Gbp-Pq: Name 0014-cmd-snap-confine-Remove-execute-permission-from-AppA.patch --- cmd/snap-confine/snap-confine.apparmor.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in index 6ba07753..a0940f42 100644 --- a/cmd/snap-confine/snap-confine.apparmor.in +++ b/cmd/snap-confine/snap-confine.apparmor.in @@ -338,10 +338,10 @@ # stacked filesystems generally. # encrypted ~/.Private and old-style encrypted $HOME @{HOME}/.Private/ r, - @{HOME}/.Private/** mrixwlk, + @{HOME}/.Private/** mrwlk, # new-style encrypted $HOME @{HOMEDIRS}/.ecryptfs/*/.Private/ r, - @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, + @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk, # Allow snap-confine to move to the void /var/lib/snapd/void/ r, -- 2.30.2
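Review bot: both changed rules (`@{HOME}/.Private/** mrwlk,` and `@{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,`) still keep `m`, which in AppArmor permits mapping a file with PROT_EXEC, so snap-confine may still map files from the user-controlled Private directory as executable memory even though `ix` is gone. Given the commit message's concern about user-controlled binaries, consider reducing these to `rwlk`, or state in the commit message why executable mappings from these paths are still needed. The comment above the rules ("encrypted ~/.Private and old-style encrypted $HOME") would also benefit from a line saying execute permission is deliberately omitted here, so a later resync with the base abstraction does not reintroduce `ix`. Minor: the commit message says "encryptfs" while the profile path is `.ecryptfs`.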