Comment 2 for bug 1877102

James Henstridge (jamesh) wrote :

Attached is a proposed fix for the vulnerability (at least the focal version). It connects to more hooks to prevent snaps from:
 * requesting the daemon quit
 * listing modules
 * loading modules
 * unloading modules
 * killing clients

It also updates some deprecated libsnapd-glib API usage. With this version installed, the "record-exploit.disable-security" command will fail. Other commands that will fail include:

    record-exploit.pactl list modules
    record-exploit.pactl load-module whatever
    record-exploit.pactl unload-module 1
    record-exploit.pactl exit

(There is no pactl command to test killing clients.)