* [PATCH] libvirt: fix CVE-2021-3631
From: Zhang, Qiang @ 2021-09-10 9:11 UTC
To: bruce.ashfield; +Cc: meta-virtualization
From: Zqiang <qiang.zhang@windriver.com>

SELinux MCS generates a single category context and may
be accessed by another machine.

link: https://gitlab.com/libvirt/libvirt/-/issues/153

Signed-off-by: Zqiang <qiang.zhang@windriver.com>
---
...y-fix-SELinux-label-generation-logic.patch | 54 +++++++++++++++++++
recipes-extended/libvirt/libvirt_7.2.0.bb | 1 +
2 files changed, 55 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
new file mode 100644
index 00000000..e8952c36
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
@@ -0,0 +1,54 @@
+From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+ a) svirt_t:s0:c117
+ b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index b50f4463cc..0c2cf1d1c7 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
+ VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+
+ if (c1 == c2) {
+- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
++ /*
++ * A process can access a file if the set of MCS categories
++ * for the file is equal-to *or* a subset-of, the set of
++ * MCS categories for the process.
++ *
++ * IOW, we must discard case where the categories are equal
++ * because that is a subset of other category pairs.
++ */
++ continue;
+ } else {
+ if (c1 > c2) {
+ int t = c1;
+--
+2.17.1
+
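Review bot: The header of the new 0001-security-fix-SELinux-label-generation-logic.patch goes straight from the upstream "Signed-off-by: Daniel P. Berrangé" trailer to the "---" separator, so the file carries no Upstream-Status field, and the CVE id appears only as a bare "CVE-2021-3631" line. Since this is a backport of upstream commit 15073504dbb624d3f6c911e85557019d3620fdb2, add "Upstream-Status: Backport" with a reference to that commit and a "CVE: CVE-2021-3631" tag below the upstream trailers, followed by your own Signed-off-by, so that the origin of the patch and the CVE it closes are recorded in the file itself.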
diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
index 9cf29511..b7f8383a 100644
--- a/recipes-extended/libvirt/libvirt_7.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://hook_support.py \
file://gnutls-helper.py \
file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
+ file://0001-security-fix-SELinux-label-generation-logic.patch \
"
SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
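Review bot: The new SRC_URI entry for 0001-security-fix-SELinux-label-generation-logic.patch is appended after 0002-meson-Fix-compatibility-with-Meson-0.58.patch, so the patches are applied in the opposite order to their numeric prefixes. Either list the 0001 file ahead of 0002 or renumber the new file, so the file names match the order in which the patches are applied.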
--
2.17.1
* Re: [PATCH] libvirt: fix CVE-2021-3631
From: Bruce Ashfield @ 2021-09-16 22:09 UTC
To: qiang.zhang; +Cc: meta-virtualization
In message: [PATCH] libvirt: fix CVE-2021-3631
on 10/09/2021 qiang.zhang@windriver.com wrote:
> From: Zqiang <qiang.zhang@windriver.com>
>
> SELinux MCS generates a single category context and may
> be accessed by another machine.
>
> link: https://gitlab.com/libvirt/libvirt/-/issues/153
>
> Signed-off-by: Zqiang <qiang.zhang@windriver.com>
> ---
> ...y-fix-SELinux-label-generation-logic.patch | 54 +++++++++++++++++++
> recipes-extended/libvirt/libvirt_7.2.0.bb | 1 +
> 2 files changed, 55 insertions(+)
> create mode 100644 recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
>
> diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
> new file mode 100644
> index 00000000..e8952c36
> --- /dev/null
> +++ b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
> @@ -0,0 +1,54 @@
> +From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
> +Date: Mon, 28 Jun 2021 13:09:04 +0100
> +Subject: [PATCH] security: fix SELinux label generation logic
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +A process can access a file if the set of MCS categories
> +for the file is equal-to *or* a subset-of, the set of
> +MCS categories for the process.
> +
> +If there are two VMs:
> +
> + a) svirt_t:s0:c117
> + b) svirt_t:s0:c117,c720
> +
> +Then VM (b) is able to access files labelled for VM (a).
> +
> +IOW, we must discard case where the categories are equal
> +because that is a subset of many other valid category pairs.
> +
> +Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
> +CVE-2021-3631
> +Reviewed-by: Peter Krempa <pkrempa@redhat.com>
> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> +---
> + src/security/security_selinux.c | 10 +++++++++-
> + 1 file changed, 9 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> +index b50f4463cc..0c2cf1d1c7 100644
> +--- a/src/security/security_selinux.c
> ++++ b/src/security/security_selinux.c
> +@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
> + VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
> +
> + if (c1 == c2) {
> +- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
> ++ /*
> ++ * A process can access a file if the set of MCS categories
> ++ * for the file is equal-to *or* a subset-of, the set of
> ++ * MCS categories for the process.
> ++ *
> ++ * IOW, we must discard case where the categories are equal
> ++ * because that is a subset of other category pairs.
> ++ */
> ++ continue;
> + } else {
> + if (c1 > c2) {
> + int t = c1;
> +--
> +2.17.1
> +
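Review bot: In the virSecuritySELinuxMCSFind hunk the c1 == c2 branch is reduced to a bare "continue;", which relies on the enclosing loop drawing a fresh c1 and c2, and the loop head is outside the context lines shown. Please confirm that the category range is checked to be larger than a single category before this point, because with only one category available every draw gives c1 == c2 and the loop would never produce a label. Nothing in this hunk touches labels that were handed out before the fix, so the commit message should also say how a guest that already holds a single-category label such as s0:c117 is expected to get a new one.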
> diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
> index 9cf29511..b7f8383a 100644
> --- a/recipes-extended/libvirt/libvirt_7.2.0.bb
> +++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
> @@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
> file://hook_support.py \
> file://gnutls-helper.py \
> file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
> + file://0001-security-fix-SELinux-label-generation-logic.patch \

We could also just uprev libvirt, but this close to the release, I've opted
to just apply this patch.

The patch itself was missing an Upstream-status field, so I've added that
as part of the merge.

Bruce

> "
>
> SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
> --
> 2.17.1
>