From 3fb6b5fe38907c3b552963899aca58f6d87f7050 Mon Sep 17 00:00:00 2001
From: Euler Robot
Date: Wed, 21 Jul 2021 11:22:25 +0200
Subject: [PATCH 1/4] storage_driver: Unlock object on ACL fail in storagePoolLookupByTargetPath
'virStoragePoolObjListSearch' returns a locked and refed object, thus we must release it on ACL permission failure.
Fixes: 7aa0e8c0cb8
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
Signed-off-by: Peter Krempa
Reviewed-by: Michal Privoznik
---
...nlock-object-on-ACL-fail-in-storageP.patch | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
diff --git a/storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch b/storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
new file mode 100644
index 0000000..5c0fa36
--- /dev/null
+++ b/storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
@@ -0,0 +1,36 @@
+From 87771fdd5930502a3970e6363785d42ed030b901 Mon Sep 17 00:00:00 2001
+From: Peter Krempa
+Date: Wed, 21 Jul 2021 11:22:25 +0200
+Subject: [PATCH] storage_driver: Unlock object on ACL fail in
+ storagePoolLookupByTargetPath
+
+'virStoragePoolObjListSearch' returns a locked and refed object, thus we
+must release it on ACL permission failure.
+
+Fixes: 7aa0e8c0cb8
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
+Signed-off-by: Peter Krempa
+Reviewed-by: Michal Privoznik
+---
+ src/storage/storage_driver.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 2db763caa5..d52d537152 100644
+--- a/src/storage/storage_driver.c
++++ b/src/storage/storage_driver.c
+@@ -1740,8 +1740,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
+ storagePoolLookupByTargetPathCallback,
+ cleanpath))) {
+ def = virStoragePoolObjGetDef(obj);
+- if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
++ if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
++ virStoragePoolObjEndAPI(&obj);
+ return NULL;
++ }
+
+ pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
+ virStoragePoolObjEndAPI(&obj);
+--
+2.27.0
+
--
Gitee
From 0c1aa14a51cae48e193740448af8d7c8feab438a Mon Sep 17 00:00:00 2001
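Review bot: The error branch added to storagePoolLookupByTargetPath releases `obj` by hand right before `return NULL;`, and nothing at that spot records why, so the next early return added inside this `if` block can bring the leaked lock back. I would put the contract from the commit message next to the lookup, e.g. `/* obj comes back locked and ref'd from virStoragePoolObjListSearch(); every exit from this block must call virStoragePoolObjEndAPI(&obj) */`. The leak sat on the ACL-denied path, so it was presumably reachable by a client that is refused the lookup; a test that performs a denied lookup and then a second operation on the same pool would guard against regression. The function starts and ends outside the hunk, so other exits between the search and the release cannot be checked from here.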
From: Euler Robot
Date: Mon, 28 Jun 2021 13:09:04 +0100
Subject: [PATCH 2/4] security: fix SELinux label generation logic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A process can access a file if the set of MCS categories for the file is equal-to *or* a subset-of, the set of MCS categories for the process.
If there are two VMs:
a) svirt_t:s0:c117
b) svirt_t:s0:c117,c720
Then VM (b) is able to access files labelled for VM (a).
IOW, we must discard case where the categories are equal because that is a subset of many other valid category pairs.
Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
CVE-2021-3631
Reviewed-by: Peter Krempa
Signed-off-by: Daniel P. Berrangé
---
...y-fix-SELinux-label-generation-logic.patch | 54 +++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 security-fix-SELinux-label-generation-logic.patch
diff --git a/security-fix-SELinux-label-generation-logic.patch b/security-fix-SELinux-label-generation-logic.patch
new file mode 100644
index 0000000..f8b09dc
--- /dev/null
+++ b/security-fix-SELinux-label-generation-logic.patch
@@ -0,0 +1,54 @@
+From 7dd260dc2d8b8269488785d216972579aa234b3e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+ a) svirt_t:s0:c117
+ b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa
+Signed-off-by: Daniel P. Berrangé
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 72d1658e05..f1281b9cc0 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
+ VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+
+ if (c1 == c2) {
+- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
++ /*
++ * A process can access a file if the set of MCS categories
++ * for the file is equal-to *or* a subset-of, the set of
++ * MCS categories for the process.
++ *
++ * IOW, we must discard case where the categories are equal
++ * because that is a subset of other category pairs.
++ */
++ continue;
+ } else {
+ if (c1 > c2) {
+ int t = c1;
+--
+2.27.0
+
--
Gitee
From 8b211832e9bc7f51a4873988b728b75df4b59c16 Mon Sep 17 00:00:00 2001
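Review bot: The added `continue` in virSecuritySELinuxMCSFind only stops the generator from handing out a single-category label; nothing visible here deals with such a label when it comes from somewhere else, for example one already held by a running guest or one set statically in a domain's configuration. Those paths are outside the hunk, so this needs confirming, but if they accept `s0:cN` unchanged, the overlap described in the commit message remains for those guests. I would say so in the new comment, e.g. by appending `* Only newly generated labels are affected; labels already in use are not revisited here.`, and repeat it in the package changelog so operators know to check existing guests. The loop that this `continue` belongs to is not shown, so its termination condition cannot be checked from the hunk.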
From: Chen Qun Date: Sun, 26 Sep 2021 21:28:37 +0800 Subject: [PATCH 3/4] spec: Update patch and changelog with !39 fix CVE-2021-3667 CVE-2021-3631 #I4BI8P #I4BI73 !39 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit storage_driver: Unlock object on ACL fail in storagePoolLookupByTargetPath security: fix SELinux label generation logic Signed-off-by: Daniel P. Berrangé Signed-off-by: Peter Krempa --- libvirt.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libvirt.spec b/libvirt.spec index 094d258..81257a8 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -144,6 +144,8 @@ Patch0033: cpu_map-Add-Cooperlake-x86-CPU-model.patch Patch0034: cpu_map-Add-pschange-mc-no-bit-in-IA32_ARCH_CAPABILI.patch Patch0035: cpu_map-Distribute-x86_Cooperlake.xml.patch Patch0036: conf-domain_conf-pin-the-retry_interval-and-retry_ti.patch +Patch0037: storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch +Patch0038: security-fix-SELinux-label-generation-logic.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -1876,6 +1878,10 @@ exit 0 %changelog +* Sun Sep 26 2021 Euler Robot +- storage_driver: Unlock object on ACL fail in storagePoolLookupByTargetPath +- security: fix SELinux label generation logic + * Fri Sep 24 2021 Euler Robot - conf/domain_conf: pin the retry_interval and retry_timeout parameters to xml -- Gitee From 043e0d9dce518f9abf239b3319923b5ad4b8ffda Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Sun, 26 Sep 2021 21:28:42 +0800 Subject: [PATCH 4/4] spec: Update release version with !39 increase release verison by one Signed-off-by: Chen Qun --- libvirt.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libvirt.spec b/libvirt.spec index 81257a8..8be86ff 100644 --- a/libvirt.spec +++ b/libvirt.spec 
@@ -99,7 +99,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 6.2.0 -Release: 13 +Release: 14 License: LGPLv2+ URL: https://libvirt.org/ -- Gitee