Diffstat (limited to 'recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch')
-rw-r--r-- | recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch | 56 |
1 files changed, 56 insertions, 0 deletions
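--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
@@ -0,0 +1,56 @@
+From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+a) svirt_t:s0:c117
+b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Upstream-status: Backport
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+src/security/security_selinux.c | 10 +++++++++-
+1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index b50f4463cc..0c2cf1d1c7 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
+VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+
+if (c1 == c2) {
+- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
++ /*
++ * A process can access a file if the set of MCS categories
++ * for the file is equal-to *or* a subset-of, the set of
++ * MCS categories for the process.
++ *
++ * IOW, we must discard case where the categories are equal
++ * because that is a subset of other category pairs.
++ */
++ continue;
+} else {
+if (c1 > c2) {
+int t = c1;
+--
+2.17.1
+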
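Review bot: The CVE reference at line 26 of the new patch file is the bare string `CVE-2021-3631`, and the filename carries no CVE id either, so the OE cve-check class, which looks for a `CVE:` tag in the patch or a CVE id in its name, is unlikely to register this backport and will probably keep reporting libvirt as unpatched for it; the conventional form is `CVE: CVE-2021-3631`. The `Upstream-status: Backport` trailer at line 23 likewise deviates from the usual `Upstream-Status:` spelling, and the backport convention is to cite the upstream commit, which is already available from the From line: `Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2]`. The commit diffstat lists only this patch file, so unless the matching SRC_URI entry lands in a separate commit the recipe does not actually apply the fix.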