libvirt: fix CVE-2021-3631

Selinux MCS generate a single category context and may be accessed by another machine. link: https://gitlab.com/libvirt/libvirt/-/issues/153 Signed-off-by: Zqiang <qiang.zhang@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Zqiang <qiang.zhang@windriver.com> 2021-09-10 17:11:54 +0800
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2021-09-16 18:08:46 -0400
commit: 0644e808ace09f753ccd462332033e1eacd85960 (patch)
tree: 820f391dc3748ca66c1bca7cce2ab4b488d234f8 /recipes-extended/libvirt
parent: e250a8940a6f088287019fb89a82784844241e8b (diff)
download: meta-virtualization-0644e808ace09f753ccd462332033e1eacd85960.tar.gz
2 files changed, 57 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
new file mode 100644
index 00000000..2753503d
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
@@ -0,0 +1,56 @@
+From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+If there are two VMs:
+  a) svirt_t:s0:c117
+  b) svirt_t:s0:c117,c720
+Then VM (b) is able to access files labelled for VM (a).
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+Upstream-status: Backport
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index b50f4463cc..0c2cf1d1c7 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
+         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+ 
+         if (c1 == c2) {
+-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
+            /*
+             * A process can access a file if the set of MCS categories
+             * for the file is equal-to *or* a subset-of, the set of
+             * MCS categories for the process.
+             *
+             * IOW, we must discard case where the categories are equal
+             * because that is a subset of other category pairs.
+             */
+            continue;
+         } else {
+             if (c1 > c2) {
+                 int t = c1;
+-- 
+2.17.1
diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
index 9cf29511..b7f8383a 100644
--- a/recipes-extended/libvirt/libvirt_7.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
           file://hook_support.py \
           file://gnutls-helper.py \
           file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
+           file://0001-security-fix-SELinux-label-generation-logic.patch \
          "
 SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
author	Zqiang <qiang.zhang@windriver.com>	2021-09-10 17:11:54 +0800
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2021-09-16 18:08:46 -0400
commit	0644e808ace09f753ccd462332033e1eacd85960 (patch)
tree	820f391dc3748ca66c1bca7cce2ab4b488d234f8 /recipes-extended/libvirt
parent	e250a8940a6f088287019fb89a82784844241e8b (diff)
download	meta-virtualization-0644e808ace09f753ccd462332033e1eacd85960.tar.gz

diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch new file mode 100644 index 00000000..2753503d --- /dev/null +++ b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
@@ -0,0 +1,56 @@
		1	From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
		3	Date: Mon, 28 Jun 2021 13:09:04 +0100
		4	Subject: [PATCH] security: fix SELinux label generation logic
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	A process can access a file if the set of MCS categories
		10	for the file is equal-to or a subset-of, the set of
		11	MCS categories for the process.
		12
		13	If there are two VMs:
		14
		15	a) svirt_t:s0:c117
		16	b) svirt_t:s0:c117,c720
		17
		18	Then VM (b) is able to access files labelled for VM (a).
		19
		20	IOW, we must discard case where the categories are equal
		21	because that is a subset of many other valid category pairs.
		22
		23	Upstream-status: Backport
		24
		25	Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
		26	CVE-2021-3631
		27	Reviewed-by: Peter Krempa <pkrempa@redhat.com>
		28	Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
		29	---
		30	src/security/security_selinux.c \| 10 +++++++++-
		31	1 file changed, 9 insertions(+), 1 deletion(-)
		32
		33	diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
		34	index b50f4463cc..0c2cf1d1c7 100644
		35	--- a/src/security/security_selinux.c
		36	+++ b/src/security/security_selinux.c
		37	@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
		38	VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
		39
		40	if (c1 == c2) {
		41	- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
		42	+ /*
		43	+ * A process can access a file if the set of MCS categories
		44	+ * for the file is equal-to or a subset-of, the set of
		45	+ * MCS categories for the process.
		46	+ *
		47	+ * IOW, we must discard case where the categories are equal
		48	+ * because that is a subset of other category pairs.
		49	+ */
		50	+ continue;
		51	} else {
		52	if (c1 > c2) {
		53	int t = c1;
		54	--
		55	2.17.1
		56


diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb index 9cf29511..b7f8383a 100644 --- a/recipes-extended/libvirt/libvirt_7.2.0.bb +++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
29	file://hook_support.py \	29	file://hook_support.py \
30	file://gnutls-helper.py \	30	file://gnutls-helper.py \
31	file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \	31	file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
		32	file://0001-security-fix-SELinux-label-generation-logic.patch \
32	"	33	"
33		34
34	SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"	35	SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"