Comment 2 for bug 1792595

John Johansen (jjohansen) wrote:

After investigating this issue further, we have determined this is a high-priority issue that is also trivial to exploit with the change_profile API.

$ aa-exec -vp unconfined -- ping google.com
aa_change_onexec("unconfined")
exec ping google.com
pid: 27666

PING google.com (172.217.20.78) 56(84) bytes of data.
64 bytes from ams15s33-in-f14.1e100.net (172.217.20.78): icmp_seq=1 ttl=51 time=339 ms
...

$ ps -Z 27666
LABEL PID TTY STAT TIME COMMAND
unconfined 27666 pts/4 T 0:00 ping google.com

This behavior matches what is expected for an unconfined user executing their own tasks but is incorrect for applications crossing an unsafe cred boundary.

A proper fix for this is going to require a kernel fix that updates state throughout the bprm search and a userspace component that adds a new component conditional to allow policy to better control transitions around setuid binaries.