[PATCH] libvirt: fix CVE-2021-3631

* [PATCH] libvirt: fix CVE-2021-3631
@ 2021-09-10  9:11 Zhang, Qiang
  2021-09-16 22:09 ` Bruce Ashfield
  0 siblings, 1 reply; 2+ messages in thread
From: Zhang, Qiang @ 2021-09-10  9:11 UTC (permalink / raw)
  To: bruce.ashfield; +Cc: meta-virtualization

From: Zqiang <qiang.zhang@windriver.com>

Selinux MCS generate a single category context and may
be accessed by another machine.

link: https://gitlab.com/libvirt/libvirt/-/issues/153

Signed-off-by: Zqiang <qiang.zhang@windriver.com>
---
 ...y-fix-SELinux-label-generation-logic.patch | 54 +++++++++++++++++++
 recipes-extended/libvirt/libvirt_7.2.0.bb     |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch

diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
new file mode 100644
index 00000000..e8952c36
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
@@ -0,0 +1,54 @@
+From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+  a) svirt_t:s0:c117
+  b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index b50f4463cc..0c2cf1d1c7 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
+         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+ 
+         if (c1 == c2) {
+-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
++            /*
++             * A process can access a file if the set of MCS categories
++             * for the file is equal-to *or* a subset-of, the set of
++             * MCS categories for the process.
++             *
++             * IOW, we must discard case where the categories are equal
++             * because that is a subset of other category pairs.
++             */
++            continue;
+         } else {
+             if (c1 > c2) {
+                 int t = c1;
+-- 
+2.17.1
+
diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
index 9cf29511..b7f8383a 100644
--- a/recipes-extended/libvirt/libvirt_7.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
            file://hook_support.py \
            file://gnutls-helper.py \
            file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
+           file://0001-security-fix-SELinux-label-generation-logic.patch \
           "
 
 SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread