File 15073504-CVE-2021-3631.patch of Package libvirt.21389
commit 15073504dbb624d3f6c911e85557019d3620fdb2
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Mon Jun 28 13:09:04 2021 +0100
security: fix SELinux label generation logic
A process can access a file if the set of MCS categories
for the file is equal-to *or* a subset-of, the set of
MCS categories for the process.
If there are two VMs:
a) svirt_t:s0:c117
b) svirt_t:s0:c117,c720
Then VM (b) is able to access files labelled for VM (a).
IOW, we must discard case where the categories are equal
because that is a subset of many other valid category pairs.
Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
CVE-2021-3631
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-6.0.0/src/security/security_selinux.c
===================================================================
--- libvirt-6.0.0.orig/src/security/security_selinux.c
+++ libvirt-6.0.0/src/security/security_selinux.c
@@ -377,7 +377,15 @@ virSecuritySELinuxMCSFind(virSecurityMan
VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
if (c1 == c2) {
- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
+ /*
+ * A process can access a file if the set of MCS categories
+ * for the file is equal-to *or* a subset-of, the set of
+ * MCS categories for the process.
+ *
+ * IOW, we must discard case where the categories are equal
+ * because that is a subset of other category pairs.
+ */
+ continue;
} else {
if (c1 > c2) {
int t = c1;