[libvirt PATCH] security: fix SELinux label generation logic

Peter Krempa pkrempa at redhat.com
Wed Jun 30 11:13:51 UTC 2021 

On Wed, Jun 30, 2021 at 12:04:27 +0100, Daniel P. Berrangé wrote:
> On Wed, Jun 30, 2021 at 12:50:29PM +0200, Peter Krempa wrote:
> > On Wed, Jun 30, 2021 at 11:03:12 +0100, Daniel P. Berrangé wrote:
> > > A process can access a file if the set of MCS categories
> > > for the file is equal-to *or* a subset-of, the set of
> > > MCS categories for the process.
> > > 
> > > If there are two VMs:
> > > 
> > >   a) svirt_t:s0:c117
> > >   b) svirt_t:s0:c117,c720
> > > 
> > > Then VM (b) is able to access files labelled for VM (a).
> > > 
> > > IOW, we must discard case where the categories are equal
> > > because that is a subset of many other valid category pairs.
> > > 
> > > Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
> > > CVE-2021-xxxx - tbd before pushing
> > > Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> > > ---
> > >  src/security/security_selinux.c | 10 +++++++++-
> > >  1 file changed, 9 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> > > index b50f4463cc..c98dab0d6f 100644
> > > --- a/src/security/security_selinux.c
> > > +++ b/src/security/security_selinux.c
> > > @@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
> > >          VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
> > >  
> > >          if (c1 == c2) {
> > > -            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
> > > +            /*
> > > +             * A process can access a file if the set of MCS categories
> > > +             * for the file is equal-to *or* a subset-of, the set of
> > > +             * MCS categories for the process.
> > > +             *
> > > +             * IOW, we must discard case where the categories are equal
> > > +             * because that is a subset of other category pairs.
> > > +             */
> > > +            continue
> > 
> > Missing ';'
> > 
> > >          } else {
> > >              if (c1 > c2) {
> > >                  int t = c1;
> > 
> > This algorithm seems to be susceptible to infinite loops in case when
> > 'catMin' and 'catMax' are too close or there's already enough of them
> > taken. Not a problem with this patch per-se, but it makes it more
> > likely.
> 
> Categories must be ordered, and we can't use matching categories, so
> with the range 0->1023, we have something like (1024*1024/2)-1024
> total unique pairs. aka 523264.
> 
> I'll be impressed if someone has enough VMs on a single host to use
> more than 1% of that total space.
> 
> So you're right that its tehcnically an inifinite loop but in practice
> we can ignore the problem (for now).

Okay, I had to go back and read actually how the catMin/Max values are
obtained, and it's based on the process label that libvirtd gets. So I
guess users could shoot themselves in the foot when messing with the
label of libvirtd, but by default they get 0-1023.

I guess a failsafe in this regard would be to allow e.g. max 1000
iterations and then fail.

Either way that's for a different patch.

Reviewed-by: Peter Krempa <pkrempa at redhat.com>

once you add the semicolon.

More information about the libvir-list mailing list