Diffstat (limited to 'recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch')
-rw-r--r--recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch56
1 files changed, 0 insertions, 56 deletions
diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
deleted file mode 100644
index 2753503d..00000000
--- a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Mon, 28 Jun 2021 13:09:04 +0100
-Subject: [PATCH] security: fix SELinux label generation logic
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A process can access a file if the set of MCS categories
-for the file is equal-to *or* a subset-of, the set of
-MCS categories for the process.
-
-If there are two VMs:
-
- a) svirt_t:s0:c117
- b) svirt_t:s0:c117,c720
-
-Then VM (b) is able to access files labelled for VM (a).
-
-IOW, we must discard case where the categories are equal
-because that is a subset of many other valid category pairs.
-
-Upstream-status: Backport
-
-Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
-CVE-2021-3631
-Reviewed-by: Peter Krempa <pkrempa@redhat.com>
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- src/security/security_selinux.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
-index b50f4463cc..0c2cf1d1c7 100644
---- a/src/security/security_selinux.c
-+++ b/src/security/security_selinux.c
-@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
- VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
-
- if (c1 == c2) {
-- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
-+ /*
-+ * A process can access a file if the set of MCS categories
-+ * for the file is equal-to *or* a subset-of, the set of
-+ * MCS categories for the process.
-+ *
-+ * IOW, we must discard case where the categories are equal
-+ * because that is a subset of other category pairs.
-+ */
-+ continue;
- } else {
- if (c1 > c2) {
- int t = c1;
---
-2.17.1
-