In message: [PATCH] libvirt: fix CVE-2021-3631 on 10/09/2021 [email protected] wrote:
> From: Zqiang <[email protected]> > > Selinux MCS generate a single category context and may > be accessed by another machine. > > link: https://gitlab.com/libvirt/libvirt/-/issues/153 > > Signed-off-by: Zqiang <[email protected]> > --- > ...y-fix-SELinux-label-generation-logic.patch | 54 +++++++++++++++++++ > recipes-extended/libvirt/libvirt_7.2.0.bb | 1 + > 2 files changed, 55 insertions(+) > create mode 100644 > recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch > > diff --git > a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch > > b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch > new file mode 100644 > index 00000000..e8952c36 > --- /dev/null > +++ > b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch > @@ -0,0 +1,54 @@ > +From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <[email protected]> > +Date: Mon, 28 Jun 2021 13:09:04 +0100 > +Subject: [PATCH] security: fix SELinux label generation logic > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +A process can access a file if the set of MCS categories > +for the file is equal-to *or* a subset-of, the set of > +MCS categories for the process. > + > +If there are two VMs: > + > + a) svirt_t:s0:c117 > + b) svirt_t:s0:c117,c720 > + > +Then VM (b) is able to access files labelled for VM (a). > + > +IOW, we must discard case where the categories are equal > +because that is a subset of many other valid category pairs. > + > +Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153 > +CVE-2021-3631 > +Reviewed-by: Peter Krempa <[email protected]> > +Signed-off-by: Daniel P. Berrangé <[email protected]> > +--- > + src/security/security_selinux.c | 10 +++++++++- > + 1 file changed, 9 insertions(+), 1 deletion(-) > + > +diff --git a/src/security/security_selinux.c > b/src/security/security_selinux.c > +index b50f4463cc..0c2cf1d1c7 100644 > +--- a/src/security/security_selinux.c > ++++ b/src/security/security_selinux.c > +@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr, > + VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin); > + > + if (c1 == c2) { > +- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1); > ++ /* > ++ * A process can access a file if the set of MCS categories > ++ * for the file is equal-to *or* a subset-of, the set of > ++ * MCS categories for the process. > ++ * > ++ * IOW, we must discard case where the categories are equal > ++ * because that is a subset of other category pairs. > ++ */ > ++ continue; > + } else { > + if (c1 > c2) { > + int t = c1; > +-- > +2.17.1 > + > diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb > b/recipes-extended/libvirt/libvirt_7.2.0.bb > index 9cf29511..b7f8383a 100644 > --- a/recipes-extended/libvirt/libvirt_7.2.0.bb > +++ b/recipes-extended/libvirt/libvirt_7.2.0.bb > @@ -29,6 +29,7 @@ SRC_URI = > "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ > file://hook_support.py \ > file://gnutls-helper.py \ > file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \ > + file://0001-security-fix-SELinux-label-generation-logic.patch \ We could also just uprev libvirt, but this close to the release, I've opted to just apply this patch. The patch itself was missing an Upstream-status field, so I've added that as part of the merge. Bruce > " > > SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3" > -- > 2.17.1 >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6784): https://lists.yoctoproject.org/g/meta-virtualization/message/6784 Mute This Topic: https://lists.yoctoproject.org/mt/85505006/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
