That bug said that sqlite only uses fchown when running as root. OTOH I don’t recall when fchown policy for root was added, but it is in 2.27.6 which is in stable.
For other uses of the chown family of syscalls:
- the snapcraft preload part handles chown and lchown. It should probably be adjusted to handle fchown.
- there is a PR up for review to change the seccomp denial behavior from kill to EPERM, which should make this less painful.
- I’m actively working on more fully mediating the chown/setuid/setgid families of syscalls, which will make this problem go away. This work will include policy that allows chowning and priv dropping to ‘daemon’ as well as the calling user.