John, I know there are plans for FD delegation and properly mediating this but I wonder if there is any use for a 'file_inherit' rule that is perhaps just very coarse and would allow inheriting the fd. It does seem like this could provide a means of sandbox escape though since a(n unprivileged) process could open something, then launch the (in this case, setuid) confined executable and snap-confine would have access to it. For the case of snap-confine, we only really need for snap-confine to pass through the fd to what it launches, not actually be able to use it....
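The inheritance path discussed above, as an added Python example that is not part of this bug thread or of snap-confine: a launcher opens a file, execs a child, and the child either can or cannot read the descriptor depending on whether the launcher deliberately forwarded it. The default of closing everything above fd 2 at exec (subprocess's close_fds=True) is the launcher-side mitigation; pass_fds is the explicit, per-descriptor pass-through the comment says is all that is actually needed. File name and contents are constructed.

```python
import os
import subprocess
import sys
import tempfile

# Constructed sample content that the launcher has open before exec.
SECRET = b"constructed-secret-data\n"


def child_can_read_fd(pass_fd: bool) -> bool:
    """Open a file in the launcher, exec a child, and report whether the child
    could read from the descriptor number it was handed.

    pass_fd=True mirrors a launcher that forwards exactly one descriptor;
    pass_fd=False keeps subprocess's default (close_fds=True), which closes
    every descriptor above 2 at exec time so nothing leaks into the child.
    """
    with tempfile.NamedTemporaryFile() as tmp:
        tmp.write(SECRET)
        tmp.flush()
        fd = os.open(tmp.name, os.O_RDONLY)
        try:
            # The child only knows the fd number; it tries to read from it.
            child_src = (
                "import os, sys\n"
                "fd = int(sys.argv[1])\n"
                "try:\n"
                "    sys.stdout.write(os.read(fd, 64).decode())\n"
                "except OSError:\n"
                "    sys.stdout.write('EBADF')\n"
            )
            result = subprocess.run(
                [sys.executable, "-c", child_src, str(fd)],
                pass_fds=(fd,) if pass_fd else (),
                capture_output=True, text=True, check=True,
            )
        finally:
            os.close(fd)
    return result.stdout == SECRET.decode()


def opened_fd_is_inheritable() -> bool:
    """Descriptors created by os.open are non-inheritable by default (PEP 446),
    so an exec without explicit pass-through drops them even without close_fds."""
    fd = os.open(os.devnull, os.O_RDONLY)
    try:
        return os.get_inheritable(fd)
    finally:
        os.close(fd)
```

With pass_fds the child reads the constructed contents; without it the read fails with EBADF, which is the behaviour a launcher wants for every descriptor it did not mean to forward.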
** Changed in: apparmor
   Status: New => Confirmed

** Changed in: apparmor
   Importance: Undecided => Medium

https://bugs.launchpad.net/bugs/1849753
Title: AppArmor profile prohibits classic snap from inheriting file descriptors