From 0f7c8a271f07b3f9aff07dd814d7bec80ddac362 Mon Sep 17 00:00:00 2001
Message-Id: <0f7c8a271f07b3f9aff07dd814d7bec80ddac362@dist-git>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 28 Jul 2021 14:59:00 +0200
Subject: [PATCH] security: fix SELinux label generation logic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A process can access a file if the set of MCS categories
for the file is equal-to *or* a subset-of, the set of
MCS categories for the process.
If there are two VMs:
a) svirt_t:s0:c117
b) svirt_t:s0:c117,c720
Then VM (b) is able to access files labelled for VM (a).
IOW, we must discard the case where the categories are equal
because that is a subset of many other valid category pairs.
Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
CVE-2021-3631
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 15073504dbb624d3f6c911e85557019d3620fdb2)
Message-Id: <38c6a7b570b8eb2114d9f1ff0c84a8346e01472f.1627476632.git.pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
src/security/security_selinux.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
|
|
index 985c7eda1a..93fae831ca 100644
|
|
--- a/src/security/security_selinux.c
|
|
+++ b/src/security/security_selinux.c
|
|
@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
|
|
VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
|
|
|
|
if (c1 == c2) {
|
|
- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
|
|
+ /*
|
|
+ * A process can access a file if the set of MCS categories
|
|
+ * for the file is equal-to *or* a subset-of, the set of
|
|
+ * MCS categories for the process.
|
|
+ *
|
|
+ * IOW, we must discard case where the categories are equal
|
|
+ * because that is a subset of other category pairs.
|
|
+ */
|
|
+ continue;
|
|
} else {
|
|
if (c1 > c2) {
|
|
int t = c1;
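Review bot: The VIR_DEBUG at the top of the hunk still logs `Try cat %s:c%d,c%d` for the c1 == c2 case that the new `continue` immediately discards, so the trace claims a candidate label was tried when it never was; moving that call below the `if (c1 == c2)` check, or logging the skip explicitly (`VIR_DEBUG("Skip single category c%d", c1 + catMin);`), keeps the log honest for anyone auditing label selection. With the branch now ending in `continue`, the `} else {` that follows is redundant and the `if (c1 > c2)` swap could sit at the same nesting level as the check, though the matching closing braces lie outside the hunk. It also appears that each discarded equal pair consumes one iteration of the enclosing retry loop, whose header is not visible here, so the effective number of label attempts is slightly reduced; worth confirming the attempt budget remains sufficient for small category ranges. The enclosing function virSecuritySELinuxMCSFind starts and ends outside the hunk.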
--
2.32.0