author | Zqiang <qiang.zhang@windriver.com> | 2021-09-10 17:11:54 +0800 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@gmail.com> | 2021-09-16 18:08:46 -0400 |
commit | 0644e808ace09f753ccd462332033e1eacd85960 (patch) | |
tree | 820f391dc3748ca66c1bca7cce2ab4b488d234f8 /recipes-extended/libvirt | |
parent | e250a8940a6f088287019fb89a82784844241e8b (diff) | |
download | meta-virtualization-0644e808ace09f753ccd462332033e1eacd85960.tar.gz |
libvirt: fix CVE-2021-3631
SELinux MCS generates a single-category context, which may
be accessed by another machine.
link: https://gitlab.com/libvirt/libvirt/-/issues/153
Signed-off-by: Zqiang <qiang.zhang@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Diffstat (limited to 'recipes-extended/libvirt')
-rw-r--r-- | recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch | 56 | ||||
-rw-r--r-- | recipes-extended/libvirt/libvirt_7.2.0.bb | 1 |
2 files changed, 57 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch new file mode 100644 index 00000000..2753503d --- /dev/null +++ b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch | |||
@@ -0,0 +1,56 @@ | |||
1 | From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> | ||
3 | Date: Mon, 28 Jun 2021 13:09:04 +0100 | ||
4 | Subject: [PATCH] security: fix SELinux label generation logic | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | A process can access a file if the set of MCS categories | ||
10 | for the file is equal-to *or* a subset-of, the set of | ||
11 | MCS categories for the process. | ||
12 | |||
13 | If there are two VMs: | ||
14 | |||
15 | a) svirt_t:s0:c117 | ||
16 | b) svirt_t:s0:c117,c720 | ||
17 | |||
18 | Then VM (b) is able to access files labelled for VM (a). | ||
19 | |||
20 | IOW, we must discard case where the categories are equal | ||
21 | because that is a subset of many other valid category pairs. | ||
22 | |||
23 | Upstream-status: Backport | ||
24 | |||
25 | Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153 | ||
26 | CVE-2021-3631 | ||
27 | Reviewed-by: Peter Krempa <pkrempa@redhat.com> | ||
28 | Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> | ||
29 | --- | ||
30 | src/security/security_selinux.c | 10 +++++++++- | ||
31 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
32 | |||
33 | diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c | ||
34 | index b50f4463cc..0c2cf1d1c7 100644 | ||
35 | --- a/src/security/security_selinux.c | ||
36 | +++ b/src/security/security_selinux.c | ||
37 | @@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr, | ||
38 | VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin); | ||
39 | |||
40 | if (c1 == c2) { | ||
41 | - mcs = g_strdup_printf("%s:c%d", sens, catMin + c1); | ||
42 | + /* | ||
43 | + * A process can access a file if the set of MCS categories | ||
44 | + * for the file is equal-to *or* a subset-of, the set of | ||
45 | + * MCS categories for the process. | ||
46 | + * | ||
47 | + * IOW, we must discard case where the categories are equal | ||
48 | + * because that is a subset of other category pairs. | ||
49 | + */ | ||
50 | + continue; | ||
51 | } else { | ||
52 | if (c1 > c2) { | ||
53 | int t = c1; | ||
54 | -- | ||
55 | 2.17.1 | ||
56 | |||
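Review bot: The patch header carries the bare identifier `CVE-2021-3631` on a line of its own rather than the tagged form that the OpenEmbedded cve-check class keys on (and the file name does not contain the CVE id either), so the recipe would likely still be reported as affected even though the fix is applied; the line should read `CVE: CVE-2021-3631`. By the same convention the `Upstream-status: Backport` line would be spelled `Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2]`, which is the spelling the patch-status checks look for and which lets a later rebase find the origin. In the code hunk, `VIR_DEBUG("Try cat %s:c%d,c%d", ...)` still fires for the c1 == c2 pair that the new `continue;` then skips, so the trace reports a candidate that is never tried; moving the equality check above the debug call, or logging the skip instead, would keep the log consistent with what is generated. The loop body of virSecuritySELinuxMCSFind starts and ends outside the hunk, and with the branch now ending in `continue;` the following `} else {` level could be flattened.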
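--- a/recipes-extended/libvirt/libvirt_7.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
 file://hook_support.py \
 file://gnutls-helper.py \
 file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
+file://0001-security-fix-SELinux-label-generation-logic.patch \
 "
 
 SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"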