Patch under way.
Here are the annotations I identified so far with exec capabilities:
hypervisor.path
hypervisor.jailer_path
hypervisor.ctlpath
hypervisor.virtio_fs_daemon
Not confirmed yet, but likely a risk:
proxy.path
shim.path
netmon.path
Additionally, no exec but system file overwrite capabilities:
hypervisor.vhost_user_store_path
hypervisor.file_mem_backend