From e2459829487842660b40827f92b8e6e0b927e8fa Mon Sep 17 00:00:00 2001
From: Euler Robot <euler.robot@huawei.com>
Date: Wed, 21 Jul 2021 11:22:25 +0200
Subject: [PATCH 1/4] storage_driver: Unlock object on ACL fail in
 storagePoolLookupByTargetPath

'virStoragePoolObjListSearch' returns a locked and refed object, thus we
must release it on ACL permission failure.

Fixes: 7aa0e8c0cb8
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---
 ...nlock-object-on-ACL-fail-in-storageP.patch | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch

diff --git a/storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch b/storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
new file mode 100644
index 0000000..2c24f43
--- /dev/null
+++ b/storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
@@ -0,0 +1,36 @@
+From 41b565408bb121198923e49f9bed632850a964e8 Mon Sep 17 00:00:00 2001
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 21 Jul 2021 11:22:25 +0200
+Subject: [PATCH] storage_driver: Unlock object on ACL fail in
+ storagePoolLookupByTargetPath
+
+'virStoragePoolObjListSearch' returns a locked and refed object, thus we
+must release it on ACL permission failure.
+
+Fixes: 7aa0e8c0cb8
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+---
+ src/storage/storage_driver.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 2db763caa5..d52d537152 100644
+--- a/src/storage/storage_driver.c
++++ b/src/storage/storage_driver.c
+@@ -1740,8 +1740,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
+                                            storagePoolLookupByTargetPathCallback,
+                                            cleanpath))) {
+         def = virStoragePoolObjGetDef(obj);
+-        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
++        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
++            virStoragePoolObjEndAPI(&obj);
+             return NULL;
++        }
+ 
+         pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
+         virStoragePoolObjEndAPI(&obj);
+-- 
+2.27.0
+
-- 
Gitee


From c258123557145932d98eb4d6c016b9932331906e Mon Sep 17 00:00:00 2001
From: Euler Robot <euler.robot@huawei.com>
Date: Mon, 28 Jun 2021 13:09:04 +0100
Subject: [PATCH 2/4] security: fix SELinux label generation logic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A process can access a file if the set of MCS categories
for the file is equal-to *or* a subset-of, the set of
MCS categories for the process.

If there are two VMs:

  a) svirt_t:s0:c117
  b) svirt_t:s0:c117,c720

Then VM (b) is able to access files labelled for VM (a).

IOW, we must discard case where the categories are equal
because that is a subset of many other valid category pairs.

Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
CVE-2021-3631
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 ...y-fix-SELinux-label-generation-logic.patch | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 security-fix-SELinux-label-generation-logic.patch

diff --git a/security-fix-SELinux-label-generation-logic.patch b/security-fix-SELinux-label-generation-logic.patch
new file mode 100644
index 0000000..3641f9b
--- /dev/null
+++ b/security-fix-SELinux-label-generation-logic.patch
@@ -0,0 +1,54 @@
+From 473ad43089659aec12e06b041a144cc389be83fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+  a) svirt_t:s0:c117
+  b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 72d1658e05..f1281b9cc0 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
+         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+ 
+         if (c1 == c2) {
+-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
++            /*
++             * A process can access a file if the set of MCS categories
++             * for the file is equal-to *or* a subset-of, the set of
++             * MCS categories for the process.
++             *
++             * IOW, we must discard case where the categories are equal
++             * because that is a subset of other category pairs.
++             */
++            continue;
+         } else {
+             if (c1 > c2) {
+                 int t = c1;
+-- 
+2.27.0
+
-- 
Gitee


From ba03d0ae714dfcff7ba7c659289d65e151dbf06b Mon Sep 17 00:00:00 2001
From: Chen Qun <kuhn.chenqun@huawei.com>
Date: Sun, 26 Sep 2021 21:28:39 +0800
Subject: [PATCH 3/4] spec: Update patch and changelog with !41 fix
 CVE-2021-3667 CVE-2021-3631  #I4BI8P  #I4BI73  !41
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

storage_driver: Unlock object on ACL fail in storagePoolLookupByTargetPath
security: fix SELinux label generation logic

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 libvirt.spec | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libvirt.spec b/libvirt.spec
index 4f8189f..4c401df 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -143,6 +143,8 @@ Patch0032: libvirt-conf-Set-default-values-of-retry-fileds.patch
 Patch0033: cpu_map-Add-Cooperlake-x86-CPU-model.patch
 Patch0034: cpu_map-Add-pschange-mc-no-bit-in-IA32_ARCH_CAPABILI.patch
 Patch0035: cpu_map-Distribute-x86_Cooperlake.xml.patch
+Patch0036: storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
+Patch0037: security-fix-SELinux-label-generation-logic.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -1875,6 +1877,10 @@ exit 0
 
 
 %changelog
+* Sun Sep 26 2021 Euler Robot <euler.robot@huawei.com>
+- storage_driver: Unlock object on ACL fail in storagePoolLookupByTargetPath
+- security: fix SELinux label generation logic
+
 * Tue Jul 27 2021 Jingyi Wang <wangjingyi11@huawei.com>
 - add new CPU model Cooperlake
 
-- 
Gitee


From 69982a33a256a978dd128da5f2022d8f81093812 Mon Sep 17 00:00:00 2001
From: Chen Qun <kuhn.chenqun@huawei.com>
Date: Sun, 26 Sep 2021 21:28:47 +0800
Subject: [PATCH 4/4] spec: Update release version with !41

increase release verison by one

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
---
 libvirt.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libvirt.spec b/libvirt.spec
index 4c401df..deb25c1 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -99,7 +99,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 6.2.0
-Release: 12
+Release: 13
 License: LGPLv2+
 URL: https://libvirt.org/
 
-- 
Gitee