From 0f7c8a271f07b3f9aff07dd814d7bec80ddac362 Mon Sep 17 00:00:00 2001
Message-Id: <0f7c8a271f07b3f9aff07dd814d7bec80ddac362@dist-git>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 28 Jul 2021 14:59:00 +0200
Subject: [PATCH] security: fix SELinux label generation logic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A process can access a file if the set of MCS categories
for the file is equal-to *or* a subset-of, the set of
MCS categories for the process.

If there are two VMs:

  a) svirt_t:s0:c117
  b) svirt_t:s0:c117,c720

Then VM (b) is able to access files labelled for VM (a).

IOW, we must discard case where the categories are equal
because that is a subset of many other valid category pairs.

Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
CVE-2021-3631
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 15073504dbb624d3f6c911e85557019d3620fdb2)
Message-Id: <38c6a7b570b8eb2114d9f1ff0c84a8346e01472f.1627476632.git.pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
 src/security/security_selinux.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 985c7eda1a..93fae831ca 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
 
         if (c1 == c2) {
-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
+            /*
+             * A process can access a file if the set of MCS categories
+             * for the file is equal-to *or* a subset-of, the set of
+             * MCS categories for the process.
+             *
+             * IOW, we must discard case where the categories are equal
+             * because that is a subset of other category pairs.
+             */
+            continue;
         } else {
             if (c1 > c2) {
                 int t = c1;
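Review bot: the `continue` in the `c1 == c2` branch relies on the enclosing loop eventually drawing two different categories, and nothing in this hunk shows that it must. If the configured category range can hold only one category, every draw has c1 == c2 and the search would not terminate; consider rejecting a range smaller than two before the loop, or bounding the retries. Smaller points: with `continue` in the if-branch the `else` nesting is no longer needed, and the VIR_DEBUG "Try cat" line above the check still logs pairs that are then discarded. As far as this hunk shows, only newly generated labels change, so the commit message could say what happens to a guest already running with a single-category label like the c117 example.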
-- 
2.32.0
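
The access rule stated in the commit message, as an added example that is not part of the patch or of libvirt's code: it parses the category part of two labels and checks whether the file's categories are a subset of the process's. It models only the MCS category comparison (no type or sensitivity check), assumes categories c0..c1023, and `mcs_parse` and `mcs_file_accessible` are hypothetical helper names.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MCS_MAX 1024   /* assumed category range c0..c1023 */
typedef struct { unsigned char bit[MCS_MAX / 8]; } mcs_set;

/* Parse "c117,c720" or a range such as "c0.c3" into a bitmap; -1 if malformed. */
int mcs_parse(const char *cats, mcs_set *out)
{
    const char *p = cats;
    memset(out, 0, sizeof(*out));
    while (*p) {
        char *end;
        long lo, hi;
        if (p[0] != 'c' || !isdigit((unsigned char)p[1])) return -1;
        lo = hi = strtol(p + 1, &end, 10);
        if (end[0] == '.' && end[1] == 'c' && isdigit((unsigned char)end[2]))
            hi = strtol(end + 2, &end, 10);
        if (hi >= MCS_MAX || lo > hi) return -1;
        for (long c = lo; c <= hi; c++)
            out->bit[c / 8] |= (unsigned char)(1u << (c % 8));
        if (end[0] == ',' && end[1] == 'c') end++;   /* another item follows */
        else if (end[0] != '\0') return -1;          /* trailing junk or comma */
        p = end;
    }
    return 0;
}

/* 1 if every category on the file is also held by the process,
 * 0 if the file has a category the process lacks, -1 on malformed input. */
int mcs_file_accessible(const char *proc_cats, const char *file_cats)
{
    mcs_set p, f;
    if (mcs_parse(proc_cats, &p) < 0 || mcs_parse(file_cats, &f) < 0)
        return -1;
    for (size_t i = 0; i < sizeof(f.bit); i++)
        if (f.bit[i] & ~p.bit[i]) return 0;
    return 1;
}

int main(void)
{
    /* Labels from the commit message: VM (a) c117, VM (b) c117,c720 */
    printf("VM (b) on VM (a) files: %d\n", mcs_file_accessible("c117,c720", "c117"));
    printf("VM (a) on VM (b) files: %d\n", mcs_file_accessible("c117", "c117,c720"));
    return 0;
}
```

Two labels that each carry a distinct pair of categories fail the check in both directions, which is the property the patch restores by never generating a single-category label.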