From 63f996c821c9060b228b2982e9e93b9b6f79d29b Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Mon, 26 May 2014 16:27:34 +0200 Subject: [PATCH] zebra: raise the privileges before calling socket() Because of recent changes when creating AF_NETLINK socket, kernel will cache capabilities of the caller and if file descriptor is used or otherwise handed to another process it will check that current user has necessary capabilities to use the socket. Hence we need to ensure we have necessary capabilities when creating the socket and at the time we use the socket. See: http://www.spinics.net/lists/netdev/msg280198.html Resolves: #1097684 --- ...the-privileges-before-calling-socket.patch | 52 +++++++++++++++++++ quagga.spec | 7 ++- 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 0001-zebra-raise-the-privileges-before-calling-socket.patch diff --git a/0001-zebra-raise-the-privileges-before-calling-socket.patch b/0001-zebra-raise-the-privileges-before-calling-socket.patch new file mode 100644 index 0000000..1c4e914 --- /dev/null +++ b/0001-zebra-raise-the-privileges-before-calling-socket.patch @@ -0,0 +1,52 @@ +From 2f75e4c0a33f61e8514c09c69ce896681476df85 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 15 May 2014 16:24:03 +0200 +Subject: [PATCH] zebra: raise the privileges before calling socket() + +Because of recent changes when creating AF_NETLINK socket, kernel will +cache capabilities of the caller and if file descriptor is used or +otherwise handed to another process it will check that current user has +necessary capabilities to use the socket. Hence we need to ensure we +have necessary capabilities when creating the socket and at the time we +use the socket. + +See: http://www.spinics.net/lists/netdev/msg280198.html +--- + zebra/rt_netlink.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c +index ba0b0d7..9855c9e 100644 +--- a/zebra/rt_netlink.c ++++ b/zebra/rt_netlink.c +@@ -162,6 +162,13 @@ netlink_socket (struct nlsock *nl, unsigned long groups) + int namelen; + int save_errno; + ++ /* Bind the socket to the netlink structure for anything. */ ++ if (zserv_privs.change (ZPRIVS_RAISE)) ++ { ++ zlog (NULL, LOG_ERR, "Can't raise privileges"); ++ return -1; ++ } ++ + sock = socket (AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); + if (sock < 0) + { +@@ -174,13 +181,6 @@ netlink_socket (struct nlsock *nl, unsigned long groups) + snl.nl_family = AF_NETLINK; + snl.nl_groups = groups; + +- /* Bind the socket to the netlink structure for anything. */ +- if (zserv_privs.change (ZPRIVS_RAISE)) +- { +- zlog (NULL, LOG_ERR, "Can't raise privileges"); +- return -1; +- } +- + ret = bind (sock, (struct sockaddr *) &snl, sizeof snl); + save_errno = errno; + if (zserv_privs.change (ZPRIVS_LOWER)) +-- +1.8.3.1 + diff --git a/quagga.spec b/quagga.spec index b55ed4b..3d55067 100644 --- a/quagga.spec +++ b/quagga.spec @@ -7,7 +7,7 @@ Name: quagga Version: 0.99.22.4 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Routing daemon License: GPLv2+ Group: System Environment/Daemons @@ -27,6 +27,7 @@ Provides: routingdaemon = %{version}-%{release} Obsoletes: quagga-sysvinit Patch0: 0001-systemd-change-the-WantedBy-target.patch +Patch1: 0001-zebra-raise-the-privileges-before-calling-socket.patch %define __perl_requires %{SOURCE1} @@ -64,6 +65,7 @@ developing OSPF-API and quagga applications. %setup -q %patch0 -p1 +%patch1 -p1 %build %configure \ @@ -225,6 +227,9 @@ fi %{_includedir}/quagga/ospfd/*.h %changelog +* Mon May 26 2014 Michal Sekletar - 0.99.22.4-4 +- raise privileges before creating netlink socket (#1097684) + * Thu Jan 29 2014 Michal Sekletar - 0.99.22.4-3 - fix source url - fix date in the changelog