1 files changed, 56 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
new file mode 100644
index 00000000..2753503d
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
@@ -0,0 +1,56 @@
+From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+If there are two VMs:
+  a) svirt_t:s0:c117
+  b) svirt_t:s0:c117,c720
+Then VM (b) is able to access files labelled for VM (a).
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+Upstream-status: Backport
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index b50f4463cc..0c2cf1d1c7 100644
+--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
+@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
+         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+ 
+         if (c1 == c2) {
+-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
+            /*
+             * A process can access a file if the set of MCS categories
+             * for the file is equal-to *or* a subset-of, the set of
+             * MCS categories for the process.
+             *
+             * IOW, we must discard case where the categories are equal
+             * because that is a subset of other category pairs.
+             */
+            continue;
+         } else {
+             if (c1 > c2) {
+                 int t = c1;
+-- 
+2.17.1

diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch new file mode 100644 index 00000000..2753503d --- /dev/null +++ b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
@@ -0,0 +1,56 @@
	1	From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
	3	Date: Mon, 28 Jun 2021 13:09:04 +0100
	4	Subject: [PATCH] security: fix SELinux label generation logic
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	A process can access a file if the set of MCS categories
	10	for the file is equal-to or a subset-of, the set of
	11	MCS categories for the process.
	12
	13	If there are two VMs:
	14
	15	a) svirt_t:s0:c117
	16	b) svirt_t:s0:c117,c720
	17
	18	Then VM (b) is able to access files labelled for VM (a).
	19
	20	IOW, we must discard case where the categories are equal
	21	because that is a subset of many other valid category pairs.
	22
	23	Upstream-status: Backport
	24
	25	Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
	26	CVE-2021-3631
	27	Reviewed-by: Peter Krempa <pkrempa@redhat.com>
	28	Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
	29	---
	30	src/security/security_selinux.c \| 10 +++++++++-
	31	1 file changed, 9 insertions(+), 1 deletion(-)
	32
	33	diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
	34	index b50f4463cc..0c2cf1d1c7 100644
	35	--- a/src/security/security_selinux.c
	36	+++ b/src/security/security_selinux.c
	37	@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
	38	VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
	39
	40	if (c1 == c2) {
	41	- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
	42	+ /*
	43	+ * A process can access a file if the set of MCS categories
	44	+ * for the file is equal-to or a subset-of, the set of
	45	+ * MCS categories for the process.
	46	+ *
	47	+ * IOW, we must discard case where the categories are equal
	48	+ * because that is a subset of other category pairs.
	49	+ */
	50	+ continue;
	51	} else {
	52	if (c1 > c2) {
	53	int t = c1;
	54	--
	55	2.17.1
	56