Re: [PATCH] libvirt: fix CVE-2021-3631

["Bruce Ashfield" <bruce.ashfield@gmail.com>]

In message: [PATCH] libvirt: fix CVE-2021-3631
on 10/09/2021 qiang.zhang@windriver.com wrote:

> From: Zqiang <qiang.zhang@windriver.com>
> 
> Selinux MCS generate a single category context and may
> be accessed by another machine.
> 
> link: https://gitlab.com/libvirt/libvirt/-/issues/153
> 
> Signed-off-by: Zqiang <qiang.zhang@windriver.com>
> ---
>  ...y-fix-SELinux-label-generation-logic.patch | 54 +++++++++++++++++++
>  recipes-extended/libvirt/libvirt_7.2.0.bb     |  1 +
>  2 files changed, 55 insertions(+)
>  create mode 100644 recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
> 
> diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
> new file mode 100644
> index 00000000..e8952c36
> --- /dev/null
> +++ b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
> @@ -0,0 +1,54 @@
> +From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
> +Date: Mon, 28 Jun 2021 13:09:04 +0100
> +Subject: [PATCH] security: fix SELinux label generation logic
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +A process can access a file if the set of MCS categories
> +for the file is equal-to *or* a subset-of, the set of
> +MCS categories for the process.
> +
> +If there are two VMs:
> +
> +  a) svirt_t:s0:c117
> +  b) svirt_t:s0:c117,c720
> +
> +Then VM (b) is able to access files labelled for VM (a).
> +
> +IOW, we must discard case where the categories are equal
> +because that is a subset of many other valid category pairs.
> +
> +Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
> +CVE-2021-3631
> +Reviewed-by: Peter Krempa <pkrempa@redhat.com>
> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> +---
> + src/security/security_selinux.c | 10 +++++++++-
> + 1 file changed, 9 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> +index b50f4463cc..0c2cf1d1c7 100644
> +--- a/src/security/security_selinux.c
> ++++ b/src/security/security_selinux.c
> +@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
> +         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
> + 
> +         if (c1 == c2) {
> +-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
> ++            /*
> ++             * A process can access a file if the set of MCS categories
> ++             * for the file is equal-to *or* a subset-of, the set of
> ++             * MCS categories for the process.
> ++             *
> ++             * IOW, we must discard case where the categories are equal
> ++             * because that is a subset of other category pairs.
> ++             */
> ++            continue;
> +         } else {
> +             if (c1 > c2) {
> +                 int t = c1;
> +-- 
> +2.17.1
> +
> diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_7.2.0.bb
> index 9cf29511..b7f8383a 100644
> --- a/recipes-extended/libvirt/libvirt_7.2.0.bb
> +++ b/recipes-extended/libvirt/libvirt_7.2.0.bb
> @@ -29,6 +29,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
>             file://hook_support.py \
>             file://gnutls-helper.py \
>             file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
> +           file://0001-security-fix-SELinux-label-generation-logic.patch \

We could also just uprev libvirt, but this close to the release, I've opted
to just apply this patch.

The patch itself was missing an Upstream-status field, so I've added that
as part of the merge.

Bruce

>            "
>  
>  SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
> -- 
> 2.17.1
>