Comment 3 for bug 1878234

Christophe de Dinechin (i-christophe) wrote :

Patch under way.

Here are the annotations I identified so far with exec capabilities:

hypervisor.path
hypervisor.jailer_path
hypervisor.ctlpath
hypervisor.virtio_fs_daemon

Not confirmed yet, but likely a risk:

proxy.path
shim.path
netmon.path

Additionally, no exec but system file overwrite capabilities:

hypervisor.vhost_user_store_path
hypervisor.file_mem_backend