proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-13 22:26:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

zebra: raise the privileges before calling socket()

Browse Source 
Because of recent changes when creating AF_NETLINK socket, kernel will
cache capabilities of the caller and if file descriptor is used or
otherwise handed to another process it will check that current user has
necessary capabilities to use the socket. Hence we need to ensure we
have necessary capabilities when creating the socket and at the time we
use the socket.

See: http://www.spinics.net/lists/netdev/msg280198.html

Signed-off-by: Michal Sekletar <msekleta@redhat.com>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
This commit is contained in:
Michal Sekletar 2014-05-16 14:13:43 +00:00 committed by David Lamparter
parent 000e157c85
commit 8e998b1eb5
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
zebra/rt_netlink.c
View File

@ -162,6 +162,12 @@ netlink_socket (struct nlsock *nl, unsigned long groups)
int namelen;
int save_errno;
if (zserv_privs.change (ZPRIVS_RAISE))
{
zlog (NULL, LOG_ERR, "Can't raise privileges");
return -1;
}
sock = socket (AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock < 0)
{
@ -175,12 +181,6 @@ netlink_socket (struct nlsock *nl, unsigned long groups)
snl.nl_groups = groups;
/* Bind the socket to the netlink structure for anything. */
if (zserv_privs.change (ZPRIVS_RAISE))
{
zlog (NULL, LOG_ERR, "Can't raise privileges");
return -1;
}
ret = bind (sock, (struct sockaddr *) &snl, sizeof snl);
save_errno = errno;
if (zserv_privs.change (ZPRIVS_LOWER))