After investigating this issue further, we have determined this is a high-priority issue that is also trivial to exploit with the change_profile API.
$ aa-exec -vp unconfined -- ping google.com
aa_change_onexec( "unconfined" )
exec ping google.com
pid: 27666
PING google.com (172.217.20.78) 56(84) bytes of data.
64 bytes from ams15s33-in-f14.1e100.net (172.217.20.78): icmp_seq=1 ttl=51 time=339 ms
...
$ ps -Z 27666
LABEL                             PID TTY      STAT   TIME COMMAND
unconfined                      27666 pts/4    T      0:00 ping google.com
This behavior matches what is expected for an unconfined user executing their own tasks but is incorrect for applications crossing an unsafe cred boundary.
A proper fix for this is going to require a kernel fix that updates state throughout the bprm search and a userspace component that adds a new component conditional to allow policy to better control transitions around setuid binaries.