|
|
ab145e |
From 0f7c8a271f07b3f9aff07dd814d7bec80ddac362 Mon Sep 17 00:00:00 2001
|
|
|
ab145e |
Message-Id: <0f7c8a271f07b3f9aff07dd814d7bec80ddac362@dist-git>
|
|
|
ab145e |
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
|
|
ab145e |
Date: Wed, 28 Jul 2021 14:59:00 +0200
|
|
|
ab145e |
Subject: [PATCH] security: fix SELinux label generation logic
|
|
|
ab145e |
MIME-Version: 1.0
|
|
|
ab145e |
Content-Type: text/plain; charset=UTF-8
|
|
|
ab145e |
Content-Transfer-Encoding: 8bit
|
|
|
ab145e |
|
|
|
ab145e |
A process can access a file if the set of MCS categories
|
|
|
ab145e |
for the file is equal-to *or* a subset-of, the set of
|
|
|
ab145e |
MCS categories for the process.
|
|
|
ab145e |
|
|
|
ab145e |
If there are two VMs:
|
|
|
ab145e |
|
|
|
ab145e |
a) svirt_t:s0:c117
|
|
|
ab145e |
b) svirt_t:s0:c117,c720
|
|
|
ab145e |
|
|
|
ab145e |
Then VM (b) is able to access files labelled for VM (a).
|
|
|
ab145e |
|
|
|
ab145e |
IOW, we must discard case where the categories are equal
|
|
|
ab145e |
because that is a subset of many other valid category pairs.
|
|
|
ab145e |
|
|
|
ab145e |
Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
|
|
|
ab145e |
CVE-2021-3631
|
|
|
ab145e |
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
|
|
|
ab145e |
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
ab145e |
(cherry picked from commit 15073504dbb624d3f6c911e85557019d3620fdb2)
|
|
|
ab145e |
Message-Id: <38c6a7b570b8eb2114d9f1ff0c84a8346e01472f.1627476632.git.pkrempa@redhat.com>
|
|
|
ab145e |
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
|
|
ab145e |
---
|
|
|
ab145e |
src/security/security_selinux.c | 10 +++++++++-
|
|
|
ab145e |
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
ab145e |
|
|
|
ab145e |
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
|
|
|
ab145e |
index 985c7eda1a..93fae831ca 100644
|
|
|
ab145e |
--- a/src/security/security_selinux.c
|
|
|
ab145e |
+++ b/src/security/security_selinux.c
|
|
|
ab145e |
@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
|
|
|
ab145e |
VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
|
|
|
ab145e |
|
|
|
ab145e |
if (c1 == c2) {
|
|
|
ab145e |
- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
|
|
|
ab145e |
+ /*
|
|
|
ab145e |
+ * A process can access a file if the set of MCS categories
|
|
|
ab145e |
+ * for the file is equal-to *or* a subset-of, the set of
|
|
|
ab145e |
+ * MCS categories for the process.
|
|
|
ab145e |
+ *
|
|
|
ab145e |
+ * IOW, we must discard case where the categories are equal
|
|
|
ab145e |
+ * because that is a subset of other category pairs.
|
|
|
ab145e |
+ */
|
|
|
ab145e |
+ continue;
|
|
|
ab145e |
} else {
|
|
|
ab145e |
if (c1 > c2) {
|
|
|
ab145e |
int t = c1;
|
|
|
ab145e |
--
|
|
|
ab145e |
2.32.0
|
|
|
ab145e |
|