security: fix SELinux label generation logic

A process can access a file if the set of MCS categories for the file is equal-to *or* a subset-of, the set of MCS categories for the process. If there are two VMs: a) svirt_t:s0:c117 b) svirt_t:s0:c117,c720 Then VM (b) is able to access files labelled for VM (a). IOW, we must discard case where the categories are equal because that is a subset of many other valid category pairs. Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153 CVE-2021-3631 Reviewed-by: Peter Krempa <pkrempa@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2021-06-28 13:09:04 +01:00 · 2021-06-28 13:09:04 +01:00 · 15073504db
parent f63397de61
commit 15073504db
1 changed files with 9 additions and 1 deletions
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
        VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);

        if (c1 == c2) {
-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
+            /*
+             * A process can access a file if the set of MCS categories
+             * for the file is equal-to *or* a subset-of, the set of
+             * MCS categories for the process.
+             *
+             * IOW, we must discard case where the categories are equal
+             * because that is a subset of other category pairs.
+             */
+            continue;
        } else {
            if (c1 > c2) {
                int t = c1;